Large-scale measurement and analysis on misconfigurations of DNSSEC from recursive side
Main Authors: | , , , , , , |
---|---|
Format: | Article |
Language: | English |
Published: | POSTS&TELECOM PRESS Co., LTD, 2024-10-01 |
Series: | 网络与信息安全学报 |
Subjects: | |
Online Access: | http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2024068 |
Summary: | Domain Name System Security Extensions (DNSSEC) is a security extension protocol for the Domain Name System (DNS) that enhances DNS security by adding signatures to DNS records. For the security of the entire DNS, it is very important that recursive servers can effectively verify the correctness of a domain's DNSSEC configuration and return the corresponding error type when the configuration is wrong. For this purpose, building on the RFC 8914 standard, eight configurable error types were selected, and the corresponding DNSSEC errors were configured in eight different subdomains. Next, recursive servers supporting DNSSEC were selected from global public DNS servers as probe targets, resolution requests for the eight subdomains were sent to them, and the probe results were collected, analyzed, and visualized. Experiments showed that most recursive servers that supported DNSSEC could correctly detect the DNSSEC misconfiguration of domain names and return the corresponding error type for some errors such as signature_expired, signature_not_valid, RRSIG_missing, DNSKEY_missing, and so on. This large-scale detection and analysis provides valuable insights into the capabilities of important recursive servers worldwide in validating DNSSEC configurations, guiding future efforts to enhance DNSSEC deployment on the recursive side. |
---|---|
ISSN: | 2096-109X |