
Measuring Occurrence of DNSSEC Validation

  • Conference paper
Passive and Active Measurement (PAM 2013)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 7799)


Abstract

DNSSEC is a security extension that adds public-key signatures to the Domain Name System for the purpose of data authenticity and integrity. While DNSSEC signatures are being deployed on an increasing number of name servers, little is known about the deployment advancements of client-side DNSSEC validation. In this paper we present a methodology to determine whether a client is protected by DNSSEC validation. We applied our methodology over a period of 7 months collecting results from different data sources. After data cleaning, we gathered 131,320 results from 98,179 distinct IP addresses, out of which 4.8% had validation enabled. The ratio varies significantly per country, with Sweden, the Czech Republic and the United States having the largest ratios of validating clients in the field.




© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wander, M., Weis, T. (2013). Measuring Occurrence of DNSSEC Validation. In: Roughan, M., Chang, R. (eds) Passive and Active Measurement. PAM 2013. Lecture Notes in Computer Science, vol 7799. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36516-4_13


  • DOI: https://doi.org/10.1007/978-3-642-36516-4_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36515-7

  • Online ISBN: 978-3-642-36516-4

  • eBook Packages: Computer Science, Computer Science (R0)
