Title :
Quantifying and Improving DNSSEC Availability
Author :
Deccio, Casey ; Sedayao, Jeff ; Kant, Krishna ; Mohapatra, Prasant
Author_Institution :
Sandia Nat. Labs., Livermore, CA, USA
fDate :
July 31 2011-Aug. 4 2011
Abstract :
The Domain Name System (DNS) is a foundational component of today´s Internet for mapping Internet names to addresses. With the DNS Security Extensions (DNSSEC) DNS responses can be cryptographically verified to prevent malicious tampering. The protocol complexity and administrative overhead associated with DNSSEC can significantly impact the potential for name resolution failure. We present metrics for assessing the quality of a DNSSEC deployment, based on its potential for resolution failure in the presence of DNSSEC misconfiguration. We introduce a metric to analyze the administrative complexity of a DNS configuration, which contributes to its failure potential. We then discuss a technique which uses soft anchoring to increase robustness in spite of misconfigurations. We analyze a representative set of production signed DNS zones and determine that 28% of the validation failures we encountered would be mitigated by the soft anchoring technique we propose.
Keywords :
Internet; communication complexity; computer network reliability; computer network security; cryptographic protocols; DNS security extension; DNSSEC availability; DNSSEC deployment quality assessment; Internet names; administrative complexity; cryptographic verification; domain name system; malicious tampering prevention; name resolution failure; protocol complexity; Availability; Complexity theory; Internet; Measurement; Production; Security; Servers;
Conference_Titel :
Computer Communications and Networks (ICCCN), 2011 Proceedings of 20th International Conference on
Conference_Location :
Maui, HI
Print_ISBN :
978-1-4577-0637-0
DOI :
10.1109/ICCCN.2011.6005908
