The Root Canary: Monitoring and Measuring the DNSSEC Root Key Rollover

R. van Rijswijk-Deij, T. Chung, D. Choffnes, A. Mislove, W. Toorop

    Research output: Contribution to conference › Paper › peer-review

    6 Citations (Scopus)
    14 Downloads (Pure)

    Abstract

    The Domain Name System (DNS) is part of the core of the Internet. Over the past decade, much-needed security features were added to this protocol, with the introduction of the DNS Security Extensions. DNSSEC adds authenticity and integrity to the protocol using digital signatures, and turns the DNS into a public key infrastructure (PKI). At the top of this PKI is a single key, the so-called Key Signing Key (KSK) for the DNS root. The current Root KSK was introduced in 2010, and has not changed since. This year, the Root KSK will be replaced for the first time ever. This event potentially has a major impact on the Internet. Thousands of DNS resolvers worldwide rely on this key to validate DNSSEC signatures, and must start using the new key, either through an automated process, or manual intervention. Failure to pick up the new key will result in resolvers becoming completely unavailable to end users. This work presents the “Root Canary”, a system to monitor and measure this event from the perspective of validating DNS resolvers for its entire nine-month duration. The system combines three active measurement platforms to have the broadest possible coverage of validating resolvers. Results will be presented in near real-time, to allow the global DNS community to act if problems arise. Furthermore, after the Root KSK rollover concludes in March 2018, we will use the recorded datasets for an in-depth analysis, from which the Internet community can draw lessons for future key rollovers.
    Original language: English
    Pages: 63-64
    Publication status: Published - 22 Aug 2017
    Event: Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017 - Los Angeles, United States
    Duration: 21 Aug 2017 to 25 Aug 2017
    https://conferences.sigcomm.org/sigcomm/2017/

    Conference

    Conference: Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017
    Abbreviated title: ACM SIGCOMM
    Country/Territory: United States
    City: Los Angeles
    Period: 21/08/17 to 25/08/17

    Keywords

    • DNS
    • DNSSEC
    • Active measurements
    • Internet stability
