Rolling with Confidence: Managing the Complexity of DNSSEC Operations

Moritz Müller, Taejoong Chung, Alan Mislove, Roland van Rijswijk-Deij

Research output: Contribution to journal, Article, Academic, peer-review

Abstract

The domain name system (DNS) is the naming system on the Internet. With the DNS security extensions (DNSSEC) operators can protect the authenticity of their domain using public key cryptography. DNSSEC, however, can be difficult to configure and maintain: operators need to replace keys to upgrade their algorithm, react to security breaches or follow key management policies. These tasks are not trivial. If operators do not time changes to their keys right, caching resolvers may not have access to the correct keys, potentially rendering DNS zones unavailable for minutes or hours. While best current practices give abstract guidelines on how to introduce and withdraw keys, information on how to monitor and control actual rollovers in a live environment is lacking. More specifically, it is challenging for operators to know when to introduce or withdraw keys based on the state of the network. Our main contribution is to help operators answer this question and to address this barrier for deploying DNSSEC. We develop a method with which operators can monitor the replacement of DNSSEC keys, called a rollover. Thereby, they can make confident decisions during the rollover and make sure their zone stays available at all times. We validate the method with an algorithm rollover of the Swedish TLD .se and provide an open source tool with which operators can monitor their rollover themselves.
Original language: English
Pages (from-to): 1199-1211
Number of pages: 13
Journal: IEEE Transactions on Network and Service Management
Volume: 16
Issue number: 3
Publication status: Published - 2019