Measuring the Deployment Hiccups of DNSSEC
On May 5, 2010 the last step of the DNSSEC deployment on the 13 root servers was completed. DNSSEC is a set of security extensions on the traditional DNS protocol, that aim in preventing attacks based on the authenticity and integrity of the messages. Although the transition was completed without major faults, it is not clear whether problems of smaller scale occurred. In this paper we try to quantify the effects of that transition, using as many vantage points as possible. In order to achieve that, we deployed a distributed DNS monitoring infrastructure over the PlanetLab and gathered periodic DNS lookups, performed from each of the roughly 300 nodes, during the DNSSEC deployment on the last root name server. In addition, in order to broaden our view, we also collected data using the Tor anonymity network. After analyzing all the gathered data, we observed that around 4% of the monitored networks had an interesting DNS query failure pattern, which, to the best of our knowledge, was due to the transition.
KeywordsFailure Pattern Domain Name System Exit Node Perfect Forward Secrecy Security Extension
Unable to display preview. Download preview PDF.
- 1.Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: Protocol modifications for the dns security extensions. RFC 4035 (March 2005)Google Scholar
- 2.Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: Resource records for the dns security extensions. RFC 4034 (March 2005)Google Scholar
- 3.Ateniese, G., Mangard, S.: A new approach to dns security (dnssec). In: CCS 2001: Proceedings of the 8th ACM Conference on Computer and Communications Security, pp. 86–95. ACM, New York (2001)Google Scholar
- 4.Atkins, D., Austein, R.: Threat analysis of the domain name system (dns). RFC 3833 (August 2004)Google Scholar
- 5.Bellovin, S.M.: Using the domain name system for system break-ins. In: SSYM 1995: Proceedings of the 5th Conference on USENIX UNIX Security Symposium, p. 18. USENIX Association, Berkeley (1995)Google Scholar
- 8.Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: SSYM 2004: Proceedings of the 13th Conference on USENIX Security Symposium, p. 21. USENIX Association, Berkeley (2004)Google Scholar
- 10.Gudmundsson, O.: Dnssec and ipv6 a6 aware server/resolver message size requirements (2001), ftp://ftp.rfc-editor.org/in-notes/rfc3226.txt
- 11.Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., Jones, L.: Socks protocol version 5. RFC 1928 (March 1996)Google Scholar
- 12.Osterweil, E., Massey, D., Zhang, L.: Observations from the dnssec deployment. In: NPSEC 2007: Proceedings of the 2007 3rd IEEE Workshop on Secure Network Protocols, pp. 1–6. IEEE Computer Society, Washington, DC, USA (2007)Google Scholar
- 14.Osterweil, E., Ryan, M., Massey, D., Zhang, L.: Quantifying the operational status of the dnssec deployment. In: IMC 2008: Proceedings of the 8th ACM SIGCOMM Conference on Internet Measurement, pp. 231–242. ACM, New York (2008)Google Scholar
- 15.Yan, H., Osterweil, E., Hajdu, J., Acres, J., Massey, D.: Limiting replay vulnerabilities in dnssec. In: 4th Workshop on Secure Network Protocols, 2008, NPSec 2008, pp. 3–8, 19–19 (2008)Google Scholar