Proactive caching of DNS records: addressing a performance bottleneck
Computer Networks: The International Journal of Computer and Telecommunications Networking
Quantifying the operational status of the DNSSEC deployment
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
Protecting browsers from DNS rebinding attacks
ACM Transactions on the Web (TWEB)
Securing DNS: Extending DNS Servers with a DNSSEC Validator
IEEE Security and Privacy
Deploying and Monitoring DNS Security (DNSSEC)
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
A novel DNS accelerator design and implementation
APNOMS'09 Proceedings of the 12th Asia-Pacific network operations and management conference on Management enabling the future internet for changing business and new computing services
Comparing DNS resolvers in the wild
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Netalyzr: illuminating the edge network
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Inflight modifications of content: who are the culprits?
LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
Deploying Cryptography in Internet-Scale Systems: A Case Study on DNSSEC
IEEE Transactions on Dependable and Secure Computing
An empirical study of the performance, security and privacy implications of domain name prefetching
DSN '11 Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems&Networks
Is it still possible to extend TCP?
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Socket overloading for fun and cache-poisoning
Proceedings of the 29th Annual Computer Security Applications Conference
Hi-index | 0.00 |
DNSSEC extends DNS with a public-key infrastructure, providing compatible clients with cryptographic assurance for DNS records they obtain, even in the presence of an active network attacker. As with many Internet protocol deployments, administrators deciding whether to deploy DNSSEC for their DNS zones must perform cost/benefit analysis. For some fraction of clients--those that perform DNSSEC validation--the zone will be protected from malicious hijacking. But another fraction of clients--those whose DNS resolvers are buggy and incompatible with DNSSEC--will no longer be able to connect to the zone. Deploying DNSSEC requires making a cost-benefit decision, balancing security for some users with denial of service for others. We have performed a large-scale measurement of the effects of DNSSEC on client name resolution using an ad network to collect results from over 500,000 geographically-distributed clients. Our findings corroborate those of previous researchers in showing that a relatively small fraction of users are protected by DNSSEC-validating resolvers. And we show, for the first time, that enabling DNSSEC measurably increases end-to-end resolution failures. For every 10 clients that are protected from DNS tampering when a domain deploys DNSSEC, approximately one ordinary client (primarily in Asia) becomes unable to access the domain.