Measuring Occurrence of DNSSEC Validation

  • Matthäus Wander
  • Torben Weis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7799)


DNSSEC is a security extension that adds public-key signatures to the Domain Name System for the purpose of data authenticity and integrity. While DNSSEC signatures are being deployed on an increasing number of name servers, little is known about the deployment advancements of client-side DNSSEC validation. In this paper we present a methodology to determine whether a client is protected by DNSSEC validation. We applied our methodology over a period of 7 months collecting results from different data sources. After data cleaning, we gathered 131,320 results from 98,179 distinct IP addresses, out of which 4.8% had validation enabled. The ratio varies significantly per country, with Sweden, the Czech Republic and the United States having the largest ratios of validating clients in the field.


Invalid Trial Domain Name System Network Trace Resource Record Invalid Signature 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Kaminsky, D.: Black ops 2008: It’s the end of the cache as we know it. Black Hat USA (August 2008)Google Scholar
  2. 2.
    Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: DNS Security Introduction and Requirements. RFC 4033 (March 2005)Google Scholar
  3. 3.
    Anonymous: The collateral damage of internet censorship by dns injection. SIGCOMM Comput. Commun. Rev. 42(3), 21–27 (2012)Google Scholar
  4. 4.
    Weaver, N., Kreibich, C., Paxson, V.: Redirecting DNS for Ads and Profit. In: USENIX Workshop on Free and Open Communications on the Internet (FOCI), San Francisco, CA, USA (August 2011)Google Scholar
  5. 5.
    Hirsch, T., Lo Iacono, L., Wechsung, I.: How Much Network Security Must Be Visible in Web Browsers? In: Fischer-Hübner, S., Katsikas, S., Quirchmayr, G. (eds.) TrustBus 2012. LNCS, vol. 7449, pp. 1–16. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  6. 6.
    Wander, M., Weis, T.: Dnssec resolver test,
  7. 7.
    Mao, Z.M., Cranor, C.D., Bouglis, F., Rabinovich, M., Spatscheck, O., Wang, J.: A precise and efficient evaluation of the proximity between web clients and their local dns servers. In: Proceedings of USENIX Annual Technical Conference, pp. 229–242. USENIX Association (2002)Google Scholar
  8. 8.
    Xie, Y., Yu, F., Achan, K., Gillum, E., Goldszmidt, M., Wobber, T.: How dynamic are ip addresses? In: Proceedings of the 2007 Conference on Applications, Technologies, Architectures and Protocols for Computer Communications, SIGCOMM 2007, pp. 301–312. ACM, New York (2007)CrossRefGoogle Scholar
  9. 9.
    Osterweil, E., Massey, D., Zhang, L.: Deploying and monitoring dns security (dnssec). In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC 2009, pp. 429–438. IEEE Computer Society, Washington, DC (2009)CrossRefGoogle Scholar
  10. 10.
    Deccio, C., Sedayao, J., Kant, K., Mohapatra, P.: Quantifying and improving dnssec availability. In: 2011 Proceedings of 20th International Conference on Computer Communications and Networks (ICCCN), July 31- August 4, pp. 1–7 (2011)Google Scholar
  11. 11.
    RIPE NCC: Status for, (accessed September 2012)
  12. 12.
    St.Johns, M.: Automated Updates of DNS Security (DNSSEC) Trust Anchors. RFC 5011 (September 2007)Google Scholar
  13. 13.
    Castro, S., Wessels, D., Fomenkov, M., Claffy, K.: A day at the root of the internet. SIGCOMM Comput. Commun. Rev. 38(5), 41–46 (2008)CrossRefGoogle Scholar
  14. 14.
    Gudmundsson, Ó., Crocker, S.D.: Observing dnssec validation in the wild. In: Securing and Trusting Internet Names, SATIN (2011)Google Scholar
  15. 15.
    Fujiwara, K.: Dnssec validation measurement. In: DNS-OARC Workshop, San Francisco, CA, USA (March 2011)Google Scholar
  16. 16.
    Fujiwara, K.: Number of possible dnssec validators seen at jp. In: IEPG Meeting @ IETF 83, Paris, France (March 2012)Google Scholar
  17. 17.
    Yu, Y., Wessels, D.: Quantifying dnssec validators. In: DNS-OARC Workshop, Toronto, Canada (October 2012)Google Scholar
  18. 18.
    SIDN: Dnssec test, (accessed August 2012)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Matthäus Wander
    • 1
  • Torben Weis
    • 1
  1. 1.University of Duisburg-EssenDuisburgGermany

Personalised recommendations