Abstract
The Domain Name System’s Security Extensions (DNSSEC) allow clients and resolvers to verify that DNS responses have not been forged or modified in-flight. DNSSEC uses a public key infrastructure (PKI) to achieve this integrity, without which users can be subject to a wide range of attacks. However, DNSSEC can operate only if each of the principals in its PKI properly performs its management tasks: authoritative name servers must generate and publish their keys and signatures correctly, child zones that support DNSSEC must be correctly signed with their parent’s keys, and resolvers must actually validate the chain of signatures.
This paper performs the first large-scale, longitudinal measurement study into how well DNSSEC’s PKI is managed. We use data from all DNSSEC-enabled subdomains under the .com, .org, and .net TLDs over a period of 21 months to analyze DNSSEC deployment and management by domains; we supplement this with active measurements of more than 59K DNS resolvers worldwide to evaluate resolver-side validation.
Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure. For example, we found that 31% of domains that support DNSSEC fail to publish all relevant records required for validation; 39% of the domains use insufficiently strong key-signing keys; and although 82% of resolvers in our study request DNSSEC records, only 12% of them actually attempt to validate them. These results highlight systemic problems, which motivate improved automation and auditing of DNSSEC management.
This paper performs the first large-scale, longitudinal measurement study into how well DNSSEC’s PKI is managed. We use data from all DNSSEC-enabled subdomains under the .com, .org, and .net TLDs over a period of 21 months to analyze DNSSEC deployment and management by domains; we supplement this with active measurements of more than 59K DNS resolvers worldwide to evaluate resolver-side validation.
Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure. For example, we found that 31% of domains that support DNSSEC fail to publish all relevant records required for validation; 39% of the domains use insufficiently strong key-signing keys; and although 82% of resolvers in our study request DNSSEC records, only 12% of them actually attempt to validate them. These results highlight systemic problems, which motivate improved automation and auditing of DNSSEC management.
Original language | English |
---|---|
Title of host publication | Proceedings of the 26th USENIX Security Symposium |
Subtitle of host publication | August 16–18, 2017 • Vancouver, BC, Canada |
Publisher | USENIX |
Pages | 1307-1322 |
ISBN (Print) | 978-1-931971-40-9 |
Publication status | Published - 16 Aug 2017 |
Event | 26th USENIX Security Symposium 2017 - Vancouver, Canada Duration: 16 Aug 2017 → 18 Aug 2017 Conference number: 26 |
Conference
Conference | 26th USENIX Security Symposium 2017 |
---|---|
Abbreviated title | USENIX Security |
Country/Territory | Canada |
City | Vancouver |
Period | 16/08/17 → 18/08/17 |
Fingerprint
Dive into the research topics of 'A Longitudinal, End-to-End View of the DNSSEC Ecosystem'. Together they form a unique fingerprint.Prizes
-
USENIX Security Distinguished Paper Award
Chung, T. (Recipient), van Rijswijk, R. M. (Recipient), Chandrasekaran, B. (Recipient), Choffnes, D. (Recipient), Levin, D. (Recipient), Maggs, B. (Recipient), Mislove, A. (Recipient) & Wilson, C. (Recipient), 16 Aug 2017
Prize: Honorary award