Paper Overview

The Domain Name System's Security Extensions (DNSSEC) allow clients and resolvers to verify that DNS responses have not been forged or modified in flight. DNSSEC uses a public key infrastructure (PKI) to achieve this integrity, without which users can be subject to a wide range of attacks. However, DNSSEC can operate only if each of the principals in its PKI properly performs its management tasks: authoritative name servers must generate and publish their keys and signatures correctly, parent zones must publish DS records that correctly reference the key-signing keys of their DNSSEC-enabled child zones so that the chain of trust is unbroken, and resolvers must actually validate the chain of signatures.
This paper performs the first large-scale, longitudinal measurement study into how well DNSSEC’s PKI is managed. We use data from all DNSSEC-enabled subdomains under the .com, .org, and .net TLDs over a period of 21 months to analyze DNSSEC deployment and management by domains; we supplement this with active measurements of more than 59K DNS resolvers worldwide to evaluate resolver-side validation.
Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure. For example, we found that 31% of domains that support DNSSEC fail to publish all relevant records required for validation; 39% of the domains use insufficiently strong key-signing keys; and although 82% of resolvers in our study request DNSSEC records, only 12% of them actually attempt to validate them. These results highlight systemic problems, which motivate improved automation and auditing of DNSSEC management.

This paper was presented at USENIX Security'17 and won a Distinguished Paper Award. You can download our paper here.

Dataset

Our dataset consists of

  1. TLD zone files
  2. Zone (Authoritative Server) scans
  3. Resolver scans (resolver's side)
Our .com, .org, and .net zone files are collected under agreement with the zone operators; while we are not permitted to release this data, we provide links where other researchers can obtain access themselves.
Our zone scan data are collected by the OpenINTEL platform, which is actively used in network and network security research.
For data access, please visit OpenINTEL. Please also note that, due to our agreement with the zone operators, we may have to impose restrictions on third-party release of research data derived from data collected by the OpenINTEL platform. This will be discussed on a per-request basis.
We use the Luminati proxy network to issue DNS requests to resolvers around the globe. For more information on how Luminati works and how it can be used for network measurement, please refer to our previous work and read our IMC'16 paper.
We configured our DNS server with 10 different subdomains, each of which simulates a different kind of DNSSEC misconfiguration, along with a single valid zone. These misconfigurations include missing, incorrect, and expired RRSIGs, missing DNSKEYs, incorrect DS records, etc. A resolver that validates should answer SERVFAIL for the misconfigured zones and succeed only for the valid one; a resolver that does not validate resolves all of them.
For each exit node we test, we generate a unique identifier for that node's DNS requests (e.g., http://id1.invalid-rr-sig.example.com). This approach allows us to easily map incoming DNS and HTTP requests to specific exit nodes, and, because every name is queried only once, to avoid any potential caching issues at intermediate resolvers. To implement this, we created a custom DNS server that generates DNSKEYs, DS records, and RRSIGs on the fly.
For more detailed methodology, please read our paper.

Contact

Do you have any questions, comments or concerns? Feel free to send an email to Taejoong Chung.