Presentation is loading. Please wait.

Presentation is loading. Please wait.

A longitudinal, End-to-End View of the DNSSEC Ecosystem

Published byRosanna Malone Modified over 6 years ago

Similar presentations

Presentation on theme: "A longitudinal, End-to-End View of the DNSSEC Ecosystem"— Presentation transcript:

1 A longitudinal, End-to-End View of the DNSSEC Ecosystem
Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson Presenter: Ruiyan Ma A longitudinal, End-to-End View of the DNSSEC Ecosystem

2 Introduction: DNS DNS maps domain name to IP address from its records

3 Introduction: DNSSEC DNSSEC (DNS security extensions) gives each zone a digit signature, also validate their next level zone. DNSKEY record KSK ZSK RRSIG record DS record

4 Problems in DNSSEC DNSSEC is complex DNSSEC is a new mechanism DNSSEC need secure every DNS level from root to leaf

5 Motivation of Research
Previous researches doesn’t study the whole ecosystem Researchers want to know the percentage of DNSSEC deployment Researchers want to know the trend of DNSSEC deployment Researchers want to know the management level

6 Solutions Data Collection: Collect large number of data
Research Range: Investigate over .com, .net, .org zones, over 150M domains Time cost: Take long period for data collection, about two years Solutions

7 Result: DNSSEC Deployment
The percentage of DNSSEC enabled domains keeps at low level. The number of DNSSEC enabled domains is increasing

8 Result: Management Record management Key management

9 Record Management DS record
28%-32% signed domains do not have DS record RRSIG record Most domains have the record, some domain start updating at late time Missing Record Almost the whole domain with the records are valid Most RRSIG record are valid Incorrect Record

10 Key Management Three problems are observed Shared keys Weak keys
Keys does not update frequently

11 Result: Resolver support
Lots resolvers do not make validation Some of validations are not correct

12 Criticism Advantage Disadvantage Large number of data Long period
The research only use Alexa Top 1M domains, and Top 1K website to collect data, the sample may not standard for the whole ecosystem.

13 Summary The research shows most of DNS do not enable DNSSEC, but the trend is slowly increasing. Some DNSSEC enabled DNS does not fully satisfy the requirement of DNSSEC Most resolvers do not validate DNS record The ecosystem of DNSSEC need to keep improve.

14 Thank you

Download ppt "A longitudinal, End-to-End View of the DNSSEC Ecosystem"

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.

APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting (2008-01-16)

Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )
Security and Information Assurance for the DNS Dan Massey USC/ISI.

Security and Information Assurance for the DNS Dan Massey USC/ISI.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Similar presentations

Ads by Google