This paper performs the first large-scale, longitudinal measurement study into how well DNSSEC’s PKI is managed. We use data from all DNSSEC-enabled subdomains under the .com, .org, and .net TLDs over a period of 21 months to analyze DNSSEC deployment and management by domains; we supplement this with active measurements of more than 59K DNS resolvers worldwide to evaluate resolver-side validation.
Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure. For example, we found that 31% of domains that support DNSSEC fail to publish all relevant records required for validation; 39% of the domains use insufficiently strong key-signing keys; and although 82% of resolvers in our study request DNSSEC records, only 12% of them actually attempt to validate them. These results highlight systemic problems, which motivate improved automation and auditing of DNSSEC management.
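Two of the domain-side failures named above (a child zone whose key-signing key has no matching DS at the parent, or whose DS points at a key that is no longer published, and a KSK with a short RSA modulus) can be checked offline from the published records alone. The following is an added example, not code from the paper or its authors: it computes DNSKEY key tags (RFC 4034 Appendix B) and RSA modulus sizes (RFC 3110 wire format) over a constructed DS/DNSKEY set; the 2048-bit minimum is an assumed threshold, not the paper's criterion.

```python
import struct

RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
SEP_FLAG = 0x0001               # Secure Entry Point bit marks a key-signing key


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey):
    """Modulus size of an RSA DNSKEY public key in RFC 3110 wire format."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:                       # three-byte length form for long exponents
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def audit_zone(ds_records, dnskeys, rsa_min_bits=2048):
    """Return a list of findings; empty means no chain-of-trust defect was found.
    ds_records: [(key_tag, algorithm)] at the parent; dnskeys: [(flags, proto, alg, key)]."""
    findings = []
    if not ds_records:
        findings.append("no DS record published at parent: chain of trust is broken")
    ksks = [k for k in dnskeys if k[0] & SEP_FLAG]
    if not ksks:
        findings.append("no DNSKEY with SEP flag: no key-signing key published")
    for flags, proto, alg, key in ksks:
        tag = key_tag(flags, proto, alg, key)
        if (tag, alg) not in ds_records:
            findings.append(f"KSK {tag} (alg {alg}) has no matching DS at parent")
        if alg in RSA_ALGORITHMS and rsa_modulus_bits(key) < rsa_min_bits:
            findings.append(f"KSK {tag} uses a {rsa_modulus_bits(key)}-bit RSA modulus")
    child_tags = {(key_tag(*k), k[2]) for k in dnskeys}
    for ds in ds_records:
        if ds not in child_tags:
            findings.append(f"DS {ds[0]} at parent matches no published DNSKEY")
    return findings


# Constructed sample (not real zone data): a 1024-bit RSASHA256 KSK with its DS
# published, plus a stale DS for a key that is no longer in the DNSKEY RRset.
SAMPLE_KSK = (257, 3, 8, b"\x01\x03" + b"\x80" + b"\x00" * 127)
SAMPLE_DS = [(key_tag(*SAMPLE_KSK), 8), (12345, 8)]

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_DS, [SAMPLE_KSK]):
        print(finding)
```

Against the sample the audit reports the 1024-bit KSK and the orphaned DS 12345; an RRSIG check over the DNSKEY RRset would need a signature verifier and is left out here.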
Title of host publication: Proceedings of the 26th USENIX Security Symposium
Subtitle of host publication: August 16–18, 2017, Vancouver, BC, Canada
Publication status: Published - 16 Aug 2017
Event: 26th USENIX Security Symposium 2017, Vancouver, Canada (duration: 16 Aug 2017 → 18 Aug 2017; conference number: 26)
Conference: 26th USENIX Security Symposium 2017
Abbreviated title: USENIX Security
Period: 16/08/17 → 18/08/17