On DNSSEC Negative Responses, Lies, and Zone Size Detection

  • Jonathan Demke
  • Casey Deccio
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11419)


The Domain Name System (DNS) Security Extensions (DNSSEC) introduced additional DNS records (NSEC or NSEC3 records) into negative DNS responses; these records can prove that there is no translation for a queried domain name. We introduce a novel technique to estimate the size of a DNS zone by analyzing the NSEC3 records returned by only a small number of DNS queries. We survey the prevalence of the deployment of different variants of DNSSEC negative responses across a large set of DNSSEC-signed zones in the wild, and identify over 50% as applicable to our measurement technique. Of the applicable zones, we show that 99% are composed of fewer than 40 names.





Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Brigham Young University, Provo, USA
