Maintenance, mishaps and mending in deployments of the domain name system security extensions (DNSSEC)

The Domain Name System Security Extensions (DNSSEC) add an element of authentication to the DNS, which is a foundational component of the Internet. However, the maintenance of a DNSSEC deployment is more complex than that of its insecure counterpart. This paper discusses some specific misconfigurations that impact DNSSEC deployments, analyzes their prevalence via an extended survey of production DNS zones implementing DNSSEC, and assesses the maintenance and corrective actions. Our survey indicated that more than one-half of the zones analyzed were affected by misconfigurations. Also, the survey revealed a significant number of repeat occurrences and average correction times of up to two weeks. This paper summarizes the survey findings and suggests approaches for improving the quality of DNSSEC deployments.
