Abstract
The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC as a source of trust, and through the TLSA record type it can serve as a root of trust for TLS certificates. This complements traditional certificate authentication, which matters given the risk inherent in trusting hundreds of certificate authorities, a risk already demonstrated by multiple CA compromises. The TLSA protocol was published in 2012, and this paper presents the first systematic study of its deployment. We studied TLSA usage by developing a tool that actively probes all signed zones in .com and .net for TLSA records. We find that TLSA use is still early: in our latest measurement, of the 485k signed zones, we find only 997 TLSA names. We characterize how it is being used so far, and find that around 7–13% of TLSA records are invalid. We find that 33% of TLSA responses are larger than 1500 bytes and will very likely be fragmented.
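The abstract turns on what a TLSA record is and what makes one invalid. The following is an added example written for this page, not the paper's probing tool and not code from its authors: it parses TLSA RDATA in both wire and zone-file form, applies the RFC 6698 registry checks (certificate usage 0–3, selector 0–1, matching type 0–2, digest length 32 for SHA-256 and 64 for SHA-512), and compares a record against a certificate. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER; extracting an SPKI from a real certificate needs an ASN.1 parser, which this example deliberately leaves out. The paper's own criteria for "invalid" may differ from these registry checks.

```python
"""TLSA record checks (added illustration, not the paper's measurement tool).
The certificate bytes below are constructed stand-ins, not real DER."""
import hashlib
from typing import NamedTuple, Optional

# RFC 6698 registries: certificate usage, selector, matching type.
VALID_USAGES = {0, 1, 2, 3}           # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
VALID_SELECTORS = {0, 1}              # 0 = full certificate, 1 = SubjectPublicKeyInfo
DIGEST_LEN = {0: None, 1: 32, 2: 64}  # matching type -> expected data length (None = raw data)


class TLSA(NamedTuple):
    usage: int
    selector: int
    mtype: int
    data: bytes


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name where the TLSA RRset lives, e.g. _443._tcp.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa_wire(rdata: bytes) -> TLSA:
    """Parse RDATA wire format: usage(1) selector(1) mtype(1) cert-assoc-data(*)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than 3 bytes")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def parse_tlsa_presentation(text: str) -> TLSA:
    """Parse the zone-file form '3 1 1 <hex>'; the hex may be split by whitespace."""
    usage, selector, mtype, *hexparts = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def well_formed(rec: TLSA) -> Optional[str]:
    """Return None if the record is syntactically valid, else the reason it is not.
    These are the checks a validator applies before it looks at any certificate."""
    if rec.usage not in VALID_USAGES:
        return f"unassigned certificate usage {rec.usage}"
    if rec.selector not in VALID_SELECTORS:
        return f"unassigned selector {rec.selector}"
    if rec.mtype not in DIGEST_LEN:
        return f"unassigned matching type {rec.mtype}"
    expect = DIGEST_LEN[rec.mtype]
    if expect is not None and len(rec.data) != expect:
        return f"matching type {rec.mtype} needs a {expect}-byte digest, got {len(rec.data)}"
    if expect is None and not rec.data:
        return "matching type 0 with empty association data"
    return None


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate.
    spki_der is the DER SubjectPublicKeyInfo; it is passed in because pulling it
    out of a real certificate needs an ASN.1 parser (assumption: caller has one)."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return selected
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record is well-formed and its data matches the given certificate.
    Caveat: usages 0 and 1 additionally require ordinary PKIX chain validation, and
    usages 0 and 2 match a CA certificate in the chain rather than the end entity;
    this helper only checks the association against the certificate it is given."""
    if well_formed(rec) is not None:
        return False
    return rec.data == association_data(rec, cert_der, spki_der)


# --- constructed sample input (not real certificates) -------------------------
SAMPLE_CERT = b"constructed-stand-in-for-end-entity-certificate-DER"
SAMPLE_SPKI = b"constructed-stand-in-for-SubjectPublicKeyInfo-DER"

# A correct DANE-EE record: usage 3, SPKI selector, SHA-256 matching.
GOOD_WIRE = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI).digest()

# Records of the kinds a crawler would flag as invalid (constructed).
BAD_RECORDS = [
    "3 1 1 " + "ab" * 20,  # SHA-1-sized digest in a SHA-256 field
    "3 1 2 " + "cd" * 32,  # SHA-512 declared, only 32 bytes present
    "3 1 9 " + "ef" * 32,  # unassigned matching type
    "7 0 1 " + "00" * 32,  # unassigned certificate usage
]


def demo() -> dict:
    """Run the checks over the constructed samples and return the results."""
    good = parse_tlsa_wire(GOOD_WIRE)
    return {
        "good_matches": matches(good, SAMPLE_CERT, SAMPLE_SPKI),
        "bad_reasons": [well_formed(parse_tlsa_presentation(t)) for t in BAD_RECORDS],
    }


if __name__ == "__main__":
    print(tlsa_owner_name("example.com", 443))
    for key, value in demo().items():
        print(key, value)
```

Running the block prints the owner name `_443._tcp.example.com.`, reports the good record as matching, and lists one rejection reason per malformed record; the digest-length checks are the ones that catch the most common operator mistake, publishing a digest of the wrong hash algorithm under a mismatched matching type.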
Copyright information
© 2015 IFIP International Federation for Information Processing
Cite this paper
Zhu, L., Wessels, D., Mankin, A., Heidemann, J. (2015). Measuring DANE TLSA Deployment. In: Steiner, M., Barlet-Ros, P., Bonaventure, O. (eds) Traffic Monitoring and Analysis. TMA 2015. Lecture Notes in Computer Science(), vol 9053. Springer, Cham. https://doi.org/10.1007/978-3-319-17172-2_15
DOI: https://doi.org/10.1007/978-3-319-17172-2_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17171-5
Online ISBN: 978-3-319-17172-2