Observing DNSSEC validation in the wild
نویسندگان
چکیده
DNSSEC protocol deployment has taken place in phases, beginning with protocol development and followed by the signing of top-level zones and early-adopter “leaf” zones. The next phase is to encourage wide-scale validation, as that will improve the overall DNS system and enable new applications. In order to quantify DNSSEC usage for audiences it is important to be able to measure how many zones are signed and how widespread validation is. This paper will describe how to measure validation by looking at DNS queries; in it, we present results from two sample periods monitoring a sub-set of the authoritative name servers for .org.
منابع مشابه
The Design of Metrics for Quantifying the DNSSEC Deployment
This paper examines the deployment of the DNS Security Extensions (DNSSEC), which adds cryptographic protection to DNS, one of the core components in the Internet infrastructure. We analyze the data collected from the initial DNSSEC deployment which started in 2005, and identify three critical metrics to gauge the deployment: availability, verifiability, and validity. Our results provide the fi...
متن کاملA Longitudinal, End-to-End View of the DNSSEC Ecosystem
The Domain Name System’s Security Extensions (DNSSEC) allow clients and resolvers to verify that DNS responses have not been forged or modified inflight. DNSSEC uses a public key infrastructure (PKI) to achieve this integrity, without which users can be subject to a wide range of attacks. However, DNSSEC can operate only if each of the principals in its PKI properly performs its management task...
متن کاملLook-aside At Your Own Risk: Privacy Implications of DNSSEC Look-aside Validation
The Domain Name System Security Extension (DNSSEC) leverages public-key cryptography to provide data integrity, source authentication, and denial of existence for DNS responses. To complement DNSSEC operations, DNSSEC Look-aside Validation (DLV) is designed for alternative off-path validation. Although DNS privacy attracts a lot of attention, the privacy implications of DLV are not fully invest...
متن کاملMeasuring the Practical Impact of DNSSEC Deployment
DNSSEC extends DNS with a public-key infrastructure, providing compatible clients with cryptographic assurance for DNS records they obtain, even in the presence of an active network attacker. As with many Internet protocol deployments, administrators deciding whether to deploy DNSSEC for their DNS zones must perform cost/benefit analysis. For some fraction of clients — those that perform DNSSEC...
متن کاملEconomic Incentives on DNSSEC Deployment: Time to Move from Quantity to Quality
The security extensions to the DNS (DNSSEC) currently cover approximately 3% of all domains worldwide. In response to the low deployment of DNSSEC, a few top-level domains started offering ‘per-domain’ economic incentives to encourage adoption of the protocol by offering a yearly discount on each signed domain. However, it remains unclear whether these incentives are well-balanced and foster th...
متن کامل