Description
DNSSEC was introduced in 1999 to prevent DNS spoofing and on-path tampering attacks. However, due to the complexity of DNSSEC deployment and management, its adoption remains modest to this day. In this work, we take a deep dive into the post-deployment complexities of DNSSEC, leveraging 1.4 million historical diagnostic snapshots for 319K SLDs and their subdomains obtained from the DNSViz service.
According to our findings, many domain administrators use the DNSViz service to repair their zones or for initial DNSSEC deployment. Our study shows that a few common errors, namely a nonzero iteration count in the NSEC3 parameters, missing proper non-existence proofs or signatures, and delegation failures, account for more than 70% of all bogus states.
Using these insights, we introduce a semi-automated DNSSEC misconfiguration resolution pipeline called DFixer, which maps multiple complex error codes to a single root cause and generates both high-level instructions and concrete BIND commands to fix it. We evaluated our pipeline using a custom ZReplicator tool that automatically replicates bogus zones and demonstrated that 99.99% of these erroneous zones can be resolved successfully.
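The following is an added illustration of the root-cause idea described above, not DFixer's or DNSViz's code. It lints a constructed, simplified zone for three of the error classes named in the abstract (nonzero NSEC3 iterations, unsigned RRsets, and a parent DS that references no key the child publishes; non-existence proofs are not modelled), collapses the individual findings into one root cause each, and pairs every root cause with a plain instruction and a BIND command. The records, key material and zone name are constructed, the `key_tag` routine follows RFC 4034 Appendix B, and the `rndc`/`dnssec-dsfromkey` invocations are illustrative and should be checked against the BIND version in use.

```python
"""Toy DNSSEC zone lint: collapse findings into root causes with a fix hint.

Constructed example. Records are (owner, rrtype, rdata-tuple); RRSIG rdata is
reduced to the covered type and DS rdata to (key_tag, algorithm, digest_type,
digest). Nothing here talks to the network.
"""
import base64
import struct


def key_tag(flags, protocol, algorithm, key_b64):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA wire form."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def lint_zone(zone, child_records, parent_ds):
    """Return {root_cause: (instruction, bind_command)} for the given zone data."""
    findings = {}

    # 1. NSEC3 iterations: RFC 9276 recommends 0 iterations and no salt; several
    #    validators downgrade or reject zones with high iteration counts.
    for owner, rrtype, rdata in child_records:
        if rrtype == "NSEC3PARAM":
            _hash_alg, _flags, iterations, _salt = rdata
            if iterations != 0:
                findings["nsec3-iterations"] = (
                    f"NSEC3PARAM at {owner} uses {iterations} iterations; "
                    "set iterations to 0 and drop the salt.",
                    f"rndc signing -nsec3param 1 0 0 - {zone}",
                )

    # 2. Missing signatures: every RRset (other than RRSIG itself) needs an RRSIG
    #    covering its type at the same owner. Many unsigned RRsets -> one root cause.
    signed = {(owner, rdata[0]) for owner, rrtype, rdata in child_records if rrtype == "RRSIG"}
    present = {(owner, rrtype) for owner, rrtype, _ in child_records if rrtype != "RRSIG"}
    unsigned = sorted(present - signed)
    if unsigned:
        findings["missing-signatures"] = (
            "Unsigned RRsets: " + ", ".join(f"{o}/{t}" for o, t in unsigned)
            + "; re-sign the zone so every RRset carries a valid RRSIG.",
            f"rndc sign {zone}",
        )

    # 3. Delegation: the parent's DS must reference a DNSKEY the child actually
    #    publishes at the apex, otherwise the chain of trust breaks (bogus).
    child_tags = {key_tag(*rdata) for owner, rrtype, rdata in child_records
                  if rrtype == "DNSKEY" and owner == zone}
    ds_tags = {tag for tag, _alg, _dtype, _digest in parent_ds}
    if ds_tags and not (ds_tags & child_tags):
        want = ", ".join(f"{t:05d}" for t in sorted(child_tags))
        findings["delegation-ds-mismatch"] = (
            f"Parent DS key tags {sorted(ds_tags)} match no child DNSKEY (child has {want}); "
            "publish a DS for the current KSK at the parent.",
            "dnssec-dsfromkey -a SHA-256 K" + zone + "+013+" + want + ".key",
        )
    return findings


# Constructed sample data (not a real key).
ZONE = "example.test."
KEY = (257, 3, 13, "AQI=")  # flags, protocol, algorithm, base64 public key
BOGUS_CHILD = [
    (ZONE, "DNSKEY", KEY),
    (ZONE, "RRSIG", ("DNSKEY",)),
    (ZONE, "NSEC3PARAM", (1, 0, 10, "ABCD")),   # nonzero iterations
    (ZONE, "RRSIG", ("NSEC3PARAM",)),
    (ZONE, "SOA", ("ns1." + ZONE,)),
    (ZONE, "RRSIG", ("SOA",)),
    ("www." + ZONE, "A", ("192.0.2.10",)),       # no RRSIG for www/A
]
BOGUS_PARENT_DS = [(4321, 13, 2, "00" * 32)]     # tag the child never published

FIXED_CHILD = [r for r in BOGUS_CHILD if r[1] != "NSEC3PARAM"] + [
    (ZONE, "NSEC3PARAM", (1, 0, 0, "-")),
    ("www." + ZONE, "RRSIG", ("A",)),
]
FIXED_PARENT_DS = [(key_tag(*KEY), 13, 2, "00" * 32)]

if __name__ == "__main__":
    for cause, (instruction, command) in lint_zone(ZONE, BOGUS_CHILD, BOGUS_PARENT_DS).items():
        print(f"[{cause}] {instruction}\n    $ {command}")
    print("after fix:", lint_zone(ZONE, FIXED_CHILD, FIXED_PARENT_DS))
```

The point of the structure is the collapse step: a single unsigned RRset and fifty unsigned RRsets both reduce to one `missing-signatures` root cause with one re-sign action, which is what makes a fix pipeline tractable for an operator reading a long diagnostic report.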
| Talk duration | 15 minutes (pre-recorded, no Q&A) |
| --- | --- |
| Other conferences? | ACM Internet Measurement Conference 2025 |