September 29, 2017 to October 3, 2017
Fairmont San Jose
US/Pacific timezone

Quantifying the Quality of DNSSEC Validation in the Wild

Sep 29, 2017, 10:25 AM
Regency 2 Ballroom (Fairmont San Jose)

170 S Market Street, San Jose, 95113, CA, USA
Standard Presentation Public Workshop


Mr Moritz Müller (SIDN)


The Root Canary Project aims to monitor and measure the rollover of the DNSSEC root KSK. In this project we use over 9000 RIPE Atlas probes and tens of thousands of vantage points in the Luminati VPN network to continuously monitor recursive resolvers during the 9-month period of the rollover. From each vantage point we query test domains that have bogus and valid signatures for the 12 DNSSEC algorithms standardized by the IETF. This lets us measure how recursive resolvers behave, for example, when the new root KSK becomes active. Additionally, we gain operational insights into the behavior of recursive resolvers in the wild that go beyond the root KSK rollover. For example, we now know that the majority of the observed validating resolvers are stable and that some resolver implementations behave incorrectly when they encounter certain DNSSEC algorithms. In this presentation we want to dig deeper into the support of DNSSEC algorithms: we want to show how well recursive resolvers in the wild support the different signing algorithms, try to explain why some fail, and compare these results with the actual deployment of DNSSEC in major gTLDs and ccTLDs. By the 27th DNS-OARC workshop, we will have over 3 months of continuous measurements at our disposal. We want to invite the community to provide feedback on our measurements and help us improve our ground truth data set. To that end, we want to introduce a small tool with which operators can contribute to the Root Canary Project and to studies like the one presented.
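
The paired valid/bogus probing described above can be turned into a per-algorithm classification of a resolver. The sketch below is an added example, not the Root Canary Project's own code; the record shape, the label names, the function names and the sample data are assumptions made for illustration.

```python
# Added example: classify a resolver's per-algorithm behaviour from paired probes.
# Assumed input shape (hypothetical): algorithm mnemonic ->
#   (rcode for the validly signed test name, rcode for the bogus-signed test name)

def classify_algorithm(valid_rcode, bogus_rcode):
    """Classify one algorithm from the pair of response codes."""
    if valid_rcode == "NOERROR" and bogus_rcode == "SERVFAIL":
        return "validates"        # accepts good data, rejects bad data
    if valid_rcode == "NOERROR" and bogus_rcode == "NOERROR":
        return "no-validation"    # bogus data was passed through
    if valid_rcode == "SERVFAIL":
        return "fails-valid"      # rejects correctly signed data
    return "inconclusive"         # timeouts, REFUSED, other rcodes

def classify_resolver(results):
    """Classify every algorithm, then refine using the resolver as a whole."""
    per_alg = {alg: classify_algorithm(v, b) for alg, (v, b) in results.items()}
    validating = any(c == "validates" for c in per_alg.values())
    for alg, c in per_alg.items():
        # A resolver that validates some algorithms but passes bogus data for
        # another is treating that algorithm as unsupported, so the zone is
        # handled as insecure rather than validated.
        if c == "no-validation" and validating:
            per_alg[alg] = "unsupported-insecure"
    return {"validating": validating, "algorithms": per_alg}

# Constructed sample for one resolver (not measurement data from the project).
SAMPLE = {
    "RSASHA256": ("NOERROR", "SERVFAIL"),
    "ECDSAP256SHA256": ("NOERROR", "SERVFAIL"),
    "ED25519": ("NOERROR", "NOERROR"),
    "ECC-GOST": ("SERVFAIL", "SERVFAIL"),
}

if __name__ == "__main__":
    report = classify_resolver(SAMPLE)
    print("validating resolver:", report["validating"])
    for alg, label in report["algorithms"].items():
        print(f"{alg:18} {label}")
```

Response codes alone cannot separate a non-validating resolver from one that lacks a single algorithm, which is why the refinement step looks across all algorithms before labelling one as unsupported.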


In this presentation we want to show how recursive resolvers
in the wild support the wide range of different DNSSEC algorithms. We want to
discuss how well new algorithms are supported, how stably resolvers validate
over time, and compare our results with the deployment of DNSSEC in different
TLDs. This study is based on the Root Canary Project and we would also like to
invite operators to provide feedback and ground truth data to our

Talk Duration 30 Minutes
