Abstract
DNSSEC was designed to protect the Domain Name System (DNS) against DNS cache poisoning and domain hijacking. When widely adopted, DNSSEC is expected to facilitate a multitude of future applications, systems and security mechanisms that would use the DNS to distribute security tokens, such as certificates, IP prefix authentication for routing security, and anti-spam mechanisms. Multiple efforts are invested in adopting DNSSEC and in evaluating the challenges to its deployment.
In this work we perform a study of errors and misconfigurations in signed domains. To that end, we develop a DNSSEC framework and a webpage for reporting the most up-to-date statistics, and provide reports on vulnerabilities and misconfigurations. Our tool also supports retrieval of historical data, enabling long-term studies and observation of changes in the security landscape of DNS. We make our tool and the collected data available via an online web service.
Acknowledgments
The research reported in this paper has been supported by the German Federal Ministry of Education and Research (BMBF) and by the Hessian Ministry of Science and the Arts within CRISP www.crisp-da.de/.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Dai, T., Shulman, H., Waidner, M. (2016). DNSSEC Misconfigurations in Popular Domains. In: Foresti, S., Persiano, G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham. https://doi.org/10.1007/978-3-319-48965-0_43
DOI: https://doi.org/10.1007/978-3-319-48965-0_43
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-48964-3
Online ISBN: 978-3-319-48965-0
eBook Packages: Computer Science (R0)