Look-aside (At Your Own Risk): Privacy Implications of DNSSEC Look-aside Validation
The Domain Name System Security Extensions (DNSSEC) use cryptographic methods to provide security features for DNS answers. However, because DNSSEC adoption is still at an early stage, the number of secured domains is small and islands of security are quite common. DNSSEC Look-aside Validation (DLV) was therefore designed as an alternative, off-path validation method. While privacy in DNS is attracting a lot of attention, no work has focused on DNSSEC and DLV. To this end, in this talk we present a first in-depth look at privacy leakage in DLV. Across various experimental settings, our findings firmly confirm the privacy leakage in DLV. In particular, we find that a large number of domain names are leaked to a third party when using DLV, while the utility of DLV to users is minimal. We discuss the implications and provide a simple fix to the problem.