This paper examines the deployment of the DNS Security Extensions (DNSSEC), which add cryptographic protection to DNS, one of the core components of the Internet infrastructure. We analyze the data collected from the initial DNSSEC deployment, which started over 2 years ago, and identify three critical metrics to gauge the deployment: availability, verifiability, and validity. Our results provide the first comprehensive look at DNSSEC's deployment and reveal a number of challenges that were not anticipated in the design but have become evident in the deployment. First, obstacles such as middle-boxes (firewalls, NATs, etc.) that exist in today's Internet infrastructure have proven to be problematic and have resulted in unforeseen availability problems. Second, the public-key delegation system of DNSSEC has not evolved as was hoped, and it currently leaves over 97% of DNSSEC zones isolated and unverifiable unless some external key authentication mechanism is added. Furthermore, our results show that cryptographic verification is not equivalent to validation; a piece of verified data can still contain the wrong value. Finally, our results demonstrate the essential role of monitoring and measurement in the DNSSEC deployment. We believe that the observations and lessons from the DNSSEC deployment can provide insights into measuring future Internet-scale cryptographic systems.