A Longitudinal, End-to-End View of the DNSSEC Ecosystem

The Domain Name System's Security Extensions (DNSSEC) allow clients and resolvers to verify that DNS responses have not been forged or modified in flight. DNSSEC uses a public key infrastructure (PKI) to achieve this integrity, without which users can be subject to a wide range of attacks. However, DNSSEC can operate only if each of the principals in its PKI properly performs its management tasks: authoritative name servers must generate and publish their keys and signatures correctly, child zones that support DNSSEC must be correctly signed with their parent's keys, and resolvers must actually validate the chain of signatures. This paper performs the first large-scale, longitudinal measurement study into how well DNSSEC's PKI is managed. We use data from all DNSSEC-enabled subdomains under the .com, .org, and .net TLDs over a period of 21 months to analyze DNSSEC deployment and management by domains; we supplement this with active measurements of more than 59K DNS resolvers worldwide to evaluate resolver-side validation. Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure. For example, we found that 31% of domains that support DNSSEC fail to publish all relevant records required for validation; 39% of the domains use insufficiently strong key-signing keys; and although 82% of resolvers in our study request DNSSEC records, only 12% of them actually attempt to validate them. These results highlight systemic problems, which motivate improved automation and auditing of DNSSEC management.
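The management tasks the abstract lists (a zone publishes its keys and an RRSIG over them, the parent links to the zone's KSK through a matching DS record) and two of its findings (missing records, weak key-signing keys) can be audited mechanically from the records alone. The following is an added example, not code from the paper or its measurement pipeline; it assumes RSA keys in RFC 3110 format, DS digest type 2 (SHA-256), a 1024-bit minimum for KSKs as the strength threshold, and builds its own constructed sample keys.

```python
import base64, hashlib
from dataclasses import dataclass

@dataclass
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    key_b64: str  # public key exactly as it appears in the zone (base64)
    def rdata(self) -> bytes:  # DNSKEY RDATA in wire format (RFC 4034 section 2.1)
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + base64.b64decode(self.key_b64)
    def is_ksk(self) -> bool:
        return bool(self.flags & 1)  # flag bit 0 is the Secure Entry Point (SEP) bit
    def rsa_modulus_bits(self) -> int:  # RSA public key in RFC 3110 format: exponent-length prefix
        key = base64.b64decode(self.key_b64)
        exp_len, offset = key[0], 1
        if exp_len == 0:  # long form: a two-byte exponent length follows
            exp_len, offset = int.from_bytes(key[1:3], "big"), 3
        return int.from_bytes(key[offset + exp_len:], "big").bit_length()

def key_tag(rdata: bytes) -> int:  # RFC 4034 appendix B: 16-bit word sum with the carry folded in
    ac = sum(int.from_bytes(rdata[i:i + 2].ljust(2, b"\0"), "big") for i in range(0, len(rdata), 2))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner: str, key: DNSKEY) -> str:  # DS digest type 2: SHA-256(owner name wire form + RDATA)
    labels = owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\0"
    return hashlib.sha256(wire + key.rdata()).hexdigest().upper()

def audit_zone(owner, dnskeys, parent_ds, rrsig_key_tags, min_ksk_bits=1024):  # threshold is an assumption
    """Return the problems found; an empty list means the chain of trust can validate."""
    problems, ksks = [], [k for k in dnskeys if k.is_ksk()]
    if not ksks:
        problems.append("no KSK (SEP flag set) in the DNSKEY RRset")
    published = {(key_tag(k.rdata()), ds_digest(owner, k)) for k in ksks}
    if not parent_ds:
        problems.append("parent publishes no DS record")
    elif not published & set(parent_ds):
        problems.append("no DS in parent matches a published KSK")
    if not any(key_tag(k.rdata()) in rrsig_key_tags for k in ksks):
        problems.append("DNSKEY RRset carries no RRSIG made by a KSK")
    for k in ksks:  # 5, 7, 8 and 10 are the RSA-based DNSSEC algorithm numbers
        if k.algorithm in (5, 7, 8, 10) and k.rsa_modulus_bits() < min_ksk_bits:
            problems.append(f"KSK {key_tag(k.rdata())} uses a {k.rsa_modulus_bits()}-bit RSA modulus")
    return problems

def sample_key(bits: int, flags: int = 257) -> DNSKEY:  # constructed test key, not real zone data
    modulus = b"\x80" + b"\x00" * (bits // 8 - 1)  # e = 65537, modulus of exactly `bits` bits
    return DNSKEY(flags, 3, 8, base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode())
```

Feeding `audit_zone` the DNSKEY RRset, the parent's DS set as (key tag, digest) pairs and the key tags found in the zone's RRSIG records reproduces the "missing records" and "weak KSK" checks on a single delegation.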
