A measurement study of DNSSEC misconfigurations

NLM van Adrichem, N Blenn, A Reyes Lua, X. Wang, M Wasif, Ficky Fatturrahman, F.A. Kuipers

Research output: Contribution to journal › Article › Scientific › peer-review

Abstract

DNSSEC offers protection against spoofing of DNS data by providing origin authentication, ensuring data integrity and authentication of non-existence by using public-key cryptography. Although the relevance of securing a technology as crucial to the Internet as DNS is obvious, the DNSSEC implementation increases the complexity of the deployed DNS infrastructure, which may result in misconfiguration. In this article, we measure and analyze the misconfigurations for domains in six zones (.bg, .br, .co, .com, .nl and .se). Furthermore, we categorize these misconfigurations and provide an explanation for their possible causes. Finally, we evaluate the effects of misconfigurations on the reachability of a zone’s network. Our results show that, although progress has been made in the implementation of DNSSEC, over 4 % of evaluated domains show misconfigurations. The domains with the most frequently appearing misconfiguration are often hosted at a very limited set of hosting providers. Of these misconfigured domains, almost 75 % were unreachable from a DNSSEC-aware resolver. This illustrates that although the authorities of a domain may think their DNS is secured, it is in fact not. Worse still, misconfigured domains are at risk of being unreachable from the clients who care about and implement DNSSEC verification, while the publisher may remain unaware of the error and its consequences.
Original language: English
Pages (from-to): 1-6
Number of pages: 6
Journal: Security Informatics
Volume: 4
Issue number: 8
Publication status: Published - 19 Oct 2015

Keywords

  • DNS
  • DNSSEC
  • Domain Name System
  • Authentication
  • Integrity
  • Misconfiguration
  • Validation
  • Signatures
  • Error
  • Unreachability
