• DocumentCode
    623534
  • Title

    A technique for counting DNSSEC validators

  • Author

    Fukuda, Kenji ; Sato, Seiki ; Mitamura, Takeshi

  • Author_Institution
    Nat. Inst. of Inf., Tokyo, Japan
  • fYear
    2013
  • fDate
    14-19 April 2013
  • Firstpage
    80
  • Lastpage
    84
  • Abstract
    The DNS security extensions (DNSSEC) is a new feature of DNS that provides an authentication mechanism that is now being deployed worldwide. However, we do not have enough knowledge about the deployment status of DNSSEC in the wild due to the difficulty of identifying DNSSEC validators (caching validating resolvers). In this paper, a simple and robust method is proposed that estimates DNSSEC validators from DNS query data passively measured at the server side. The key idea of the estimation method relies on the query patterns of the original query and the DNSSEC queries triggered by the original query, which is the ratio of the number of DS queries to the number of total queries per host (DSR: DS ratio). To show the effectiveness of the proposed method, we analyze passive traffic traces measured for all the “.jp” servers and actively send DNSSEC validation requests to caching resolvers that appear in the traces to obtain the ground truth data of DNSSEC validators. Our results of the active measurement reveal that less than 50% of the potential DNSSEC validators were validating caching resolvers in the wild; the remainder was related to stub validators (e.g., browser plugins) behind non-validating caching resolvers. Thus, simple IP address-based counts overestimated the number of DNSSEC validators in an investigation of the deployment of DNSSEC at the organization level (e.g., ISPs). Then, we demonstrate the effectiveness of the DSR by using the active and passive traffic traces. In summary, the ratio of validating caching resolvers in our dataset was estimated to be approximately 70% of the potential DNSSEC validators, and also 15-20% of the ASes sending DNSSEC queries were overestimated as ones with validating caching resolvers. In particular, our results show that some ASes providing public DNS service had few validating caching resolvers though they had a large number of hosts sending DNSSEC queries.
  • Keywords
    Internet; query processing; security of data; DNS query data; DNS security extensions; DNSSEC validators; DS queries; authentication mechanism; nonvalidating caching resolvers; query patterns; simple IP address-based counts; IP networks; Internet; Organizations; Robustness; Security; Servers; Software;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    INFOCOM, 2013 Proceedings IEEE
  • Conference_Location
    Turin
  • ISSN
    0743-166X
  • Print_ISBN
    978-1-4673-5944-3
  • Type

    conf

  • DOI
    10.1109/INFCOM.2013.6566739
  • Filename
    6566739