Is the Internet Ready for DNSSEC: Evaluating Pitfalls in the Naming Infrastructure

We study the challenges of deploying DNSSEC on Domain Name System (DNS) name servers. DNSSEC, a defence mechanism for DNS, was designed to provide cryptographic assurance for DNS records against cache poisoning attacks. Although standardised more than 15 years ago, DNSSEC is still not widely deployed. Multiple efforts are focused on identifying deployment obstacles and it is generally believed that adopting DNSSEC is mainly a matter of motivation. In this work we systematically explore this widely held, folklore belief. Utilising wide-scale measurements of DNS servers in the forward and the reverse DNS trees, we show that a large fraction of servers in popular domains fail with DNSSEC signed DNS requests, hence breaking the backward compatibility property of DNSSEC. This further reduces the motivation for clients to adopt DNSSEC. Our evaluation results indicate that DNSSEC deployment is a cost-benefit decision, and full adoption thereof requires upgrading significant parts of the DNS infrastructure. In particular, deploying DNSSEC on the unsigned domains today would render a large fraction thereof unreachable. Our study shows two intertwined obstacles that impede the adoption of DNSSEC for DNS. One is legacy infrastructure, the other is lack of protocol support.