Measuring the Deployment Hiccups of DNSSEC

  • Vasilis Pappas
  • Angelos D. Keromytis
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 192)


On May 5, 2010 the last step of the DNSSEC deployment on the 13 root servers was completed. DNSSEC is a set of security extensions to the traditional DNS protocol that aim to prevent attacks against the authenticity and integrity of DNS messages. Although the transition was completed without major faults, it is not clear whether smaller-scale problems occurred. In this paper we try to quantify the effects of that transition, using as many vantage points as possible. To achieve that, we deployed a distributed DNS monitoring infrastructure over PlanetLab and gathered periodic DNS lookups, performed from each of the roughly 300 nodes, during the DNSSEC deployment on the last root name server. In addition, to broaden our view, we also collected data using the Tor anonymity network. After analyzing all the gathered data, we observed that around 4% of the monitored networks showed an interesting DNS query failure pattern which, to the best of our knowledge, was due to the transition.
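The abstract describes the measurement method only in outline: periodic lookups from many vantage points, split around the date of the final root-server transition, then a search for networks whose failures are correlated with that transition. The following is an added example (not code from the paper or its authors) of the analysis step as one might implement it over such a log. The log format, the network names, the midnight-UTC boundary on May 5, 2010 and the failure-rate thresholds are all assumptions made for the example; the paper does not define its failure pattern in these terms.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumed boundary between "before" and "after" the transition. The abstract gives
# only the date (May 5, 2010); midnight UTC is an assumption for this example.
TRANSITION = datetime(2010, 5, 5, 0, 0, tzinfo=timezone.utc)

# Constructed sample log (not real measurement data). One record per periodic
# lookup: "<network>,<ISO-8601 timestamp>,<status>" with status "ok" or "fail".
SAMPLE_LOOKUPS = [
    # net-A: resolves fine throughout
    "net-A,2010-05-04T20:00:00+00:00,ok", "net-A,2010-05-04T22:00:00+00:00,ok",
    "net-A,2010-05-05T02:00:00+00:00,ok", "net-A,2010-05-05T04:00:00+00:00,ok",
    # net-B: clean before, mostly failing after -> transition-correlated pattern
    "net-B,2010-05-04T20:00:00+00:00,ok", "net-B,2010-05-04T22:00:00+00:00,ok",
    "net-B,2010-05-05T02:00:00+00:00,fail", "net-B,2010-05-05T04:00:00+00:00,fail",
    "net-B,2010-05-05T06:00:00+00:00,fail", "net-B,2010-05-05T08:00:00+00:00,ok",
    # net-C: already flaky before the transition -> not attributable to it
    "net-C,2010-05-04T20:00:00+00:00,fail", "net-C,2010-05-04T22:00:00+00:00,ok",
    "net-C,2010-05-05T02:00:00+00:00,fail", "net-C,2010-05-05T04:00:00+00:00,ok",
    # net-D: resolves fine throughout
    "net-D,2010-05-04T20:00:00+00:00,ok", "net-D,2010-05-05T02:00:00+00:00,ok",
]


def parse_record(line):
    """Split one log line into (network, aware UTC datetime, status)."""
    network, ts, status = line.strip().split(",")
    return network, datetime.fromisoformat(ts).astimezone(timezone.utc), status


def failure_rates(lines, transition=TRANSITION):
    """Return {network: (failure_rate_before, failure_rate_after)}.

    A lookup counts as "before" if its timestamp precedes the transition boundary,
    otherwise "after". Networks with no samples in a window get rate 0.0 there.
    """
    counts = defaultdict(lambda: {"before": [0, 0], "after": [0, 0]})  # [fails, total]
    for line in lines:
        network, ts, status = parse_record(line)
        bucket = counts[network]["before" if ts < transition else "after"]
        bucket[1] += 1
        if status != "ok":
            bucket[0] += 1
    rates = {}
    for network, c in counts.items():
        before = c["before"][0] / c["before"][1] if c["before"][1] else 0.0
        after = c["after"][0] / c["after"][1] if c["after"][1] else 0.0
        rates[network] = (before, after)
    return rates


def classify(rates, baseline=0.05, elevated=0.25):
    """Label each network by its before/after failure rates.

    The thresholds are assumptions for this example: "transition-correlated"
    means failures were at or below `baseline` before and at or above
    `elevated` after; any network already above `baseline` before the
    transition is "pre-existing" and is not attributed to the transition.
    """
    labels = {}
    for network, (before, after) in rates.items():
        if before <= baseline and after >= elevated:
            labels[network] = "transition-correlated"
        elif before > baseline:
            labels[network] = "pre-existing"
        else:
            labels[network] = "healthy"
    return labels


def summarize(lines):
    """Return (labels, fraction of networks with a transition-correlated pattern)."""
    labels = classify(failure_rates(lines))
    affected = sum(1 for v in labels.values() if v == "transition-correlated")
    return labels, (affected / len(labels) if labels else 0.0)


if __name__ == "__main__":
    labels, fraction = summarize(SAMPLE_LOOKUPS)
    for network, label in sorted(labels.items()):
        print(f"{network}: {label}")
    print(f"transition-correlated fraction: {fraction:.2%}")
```

The point of the "pre-existing" class is the control the abstract implies: a network that was already failing before the boundary cannot be counted toward the transition-related share, so the reported figure is a lower bound on networks that changed behaviour at the boundary rather than a raw failure count.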







Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Vasilis Pappas, Computer Science Dept., Columbia University, New York, USA
  • Angelos D. Keromytis, Computer Science Dept., Columbia University, New York, USA
