A Longitudinal, End-to-End View of the DNSSEC Ecosystem

Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce Maggs, Alan Mislove, Christo Wilson

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


Abstract

The Domain Name System’s Security Extensions (DNSSEC) allow clients and resolvers to verify that DNS responses have not been forged or modified in-flight. DNSSEC uses a public key infrastructure (PKI) to achieve this integrity, without which users can be subject to a wide range of attacks. However, DNSSEC can operate only if each of the principals in its PKI properly performs its management tasks: authoritative name servers must generate and publish their keys and signatures correctly, child zones that support DNSSEC must be correctly signed with their parent’s keys, and resolvers must actually validate the chain of signatures.
This paper performs the first large-scale, longitudinal measurement study into how well DNSSEC’s PKI is managed. We use data from all DNSSEC-enabled subdomains under the .com, .org, and .net TLDs over a period of 21 months to analyze DNSSEC deployment and management by domains; we supplement this with active measurements of more than 59K DNS resolvers worldwide to evaluate resolver-side validation.
Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure. For example, we found that 31% of domains that support DNSSEC fail to publish all relevant records required for validation; 39% of the domains use insufficiently strong key-signing keys; and although 82% of resolvers in our study request DNSSEC records, only 12% of them actually attempt to validate them. These results highlight systemic problems, which motivate improved automation and auditing of DNSSEC management.
Original language: English
Title of host publication: Proceedings of the 26th USENIX Security Symposium
Subtitle of host publication: August 16–18, 2017 • Vancouver, BC, Canada
Publisher: USENIX
Pages: 1307-1322
ISBN (Print): 978-1-931971-40-9
Publication status: Published - 16 Aug 2017
Event: 26th USENIX Security Symposium 2017 - Vancouver, Canada
Duration: 16 Aug 2017 – 18 Aug 2017
Conference number: 26

Conference

Conference: 26th USENIX Security Symposium 2017
Abbreviated title: USENIX Security
Country: Canada
City: Vancouver
Period: 16/08/17 – 18/08/17

Fingerprint

Security systems; Ecosystems; Servers; Automation

Cite this

Chung, T., van Rijswijk-Deij, R., Chandrasekaran, B., Choffnes, D., Levin, D., Maggs, B., ... Wilson, C. (2017). A Longitudinal, End-to-End View of the DNSSEC Ecosystem. In Proceedings of the 26th USENIX Security Symposium: August 16–18, 2017 • Vancouver, BC, Canada (pp. 1307-1322). USENIX.