A Longitudinal, End-to-End View of the DNSSEC Ecosystem

Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce Maggs, Alan Mislove, Christo Wilson

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    84 Citations (Scopus)
    49 Downloads (Pure)


    The Domain Name System’s Security Extensions (DNSSEC) allow clients and resolvers to verify that DNS responses have not been forged or modified in-flight. DNSSEC uses a public key infrastructure (PKI) to achieve this integrity, without which users can be subject to a wide range of attacks. However, DNSSEC can operate only if each of the principals in its PKI properly performs its management tasks: authoritative name servers must generate and publish their keys and signatures correctly, child zones that support DNSSEC must be correctly signed with their parent’s keys, and resolvers must actually validate the chain of signatures.
    This paper performs the first large-scale, longitudinal measurement study into how well DNSSEC’s PKI is managed. We use data from all DNSSEC-enabled subdomains under the .com, .org, and .net TLDs over a period of 21 months to analyze DNSSEC deployment and management by domains; we supplement this with active measurements of more than 59K DNS resolvers worldwide to evaluate resolver-side validation.
    Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure. For example, we found that 31% of domains that support DNSSEC fail to publish all relevant records required for validation; 39% of the domains use insufficiently strong key-signing keys; and although 82% of resolvers in our study request DNSSEC records, only 12% of them actually attempt to validate them. These results highlight systemic problems, which motivate improved automation and auditing of DNSSEC management.
    Original languageEnglish
    Title of host publicationProceedings of the 26th USENIX Security Symposium
    Subtitle of host publicationAugust 16–18, 2017 • Vancouver, BC, Canada
    ISBN (Print)978-1-931971-40-9
    Publication statusPublished - 16 Aug 2017
    Event26th USENIX Security Symposium 2017 - Vancouver, Canada
    Duration: 16 Aug 201718 Aug 2017
    Conference number: 26


    Conference26th USENIX Security Symposium 2017
    Abbreviated titleUSENIX Security


    Dive into the research topics of 'A Longitudinal, End-to-End View of the DNSSEC Ecosystem'. Together they form a unique fingerprint.

    Cite this