[Semiar] A Longitudinal, End-to-End View of the DNSSEC Ecosystem
■호스트: 권태경 교수 (x9105, 880-9105)
The Domain Name System’s Security Extensions (DNSSEC) plays a critical role in allowing clients and resolvers to verify that DNS responses have not been spoofed or modified in-flight. DNSSEC uses a public key infrastructure (PKI) to achieve this integrity, without which users can be subject to a wide range of attacks. However, DNSSEC can operate only if each of the principals in its PKI properly performs its management tasks: authoritative nameservers must generate and publish their keys and signatures correctly, parent zones must correctly sign their childrens’ keys, and resolvers must actually validate the chain of signatures. This paper performs the first large-scale, longitudinal measurement study into how well DNSSEC’s PKI is managed. We use data from all DNSSEC-enabled subdomains under the .com, .org, and .net TLDs for 21 months to analyze DNSSEC deployment and management by domains; we supplement this with active measurements of more than 59K DNS resolvers worldwide t o evaluate resolver-side validation. Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure, including: 31% of domains that support DNSSEC fail to publish all relevant records required for validation; 39% of the domains use insufficiently strong key-signing keys; and although 82% of resolvers in our study request DNSSEC records, only 12% of them attempt to actually validate them. These results highlight systemic problems that motivate improved automation and auditing of DNSSEC management.
Taejoong Chung is a post doc in the College of Computer and Information Science at Northeastern University. Taejoong earned his PhD in Computer Science from Seoul National University before joining CCIS. His research focuses on online social networks and using data to dig into social interactions; Internet security with a focus on SSL; and information-centric networking.