Publication | Closed Access
Quantifying the operational status of the DNSSEC deployment
Citations: 59
References: 9
Year: 2008
Venue: Unknown
Topics: Engineering, Information Security, Formal Verification, DNSSEC Deployment, Systems Engineering, Initial DNSSEC Deployment, Data Management, Secure Protocol, Networked Intelligence, Network Security, Public Key Infrastructure, Internet Security, Named Data Networking, DNS Security Extensions, Data Privacy, Data Security, Cryptography, Infrastructure A Code, Cloud Computing
This paper examines the deployment of the DNS Security Extensions (DNSSEC), which add cryptographic protection to DNS, one of the core components of the Internet infrastructure. We analyze the data collected from the initial DNSSEC deployment, which started over 2 years ago, and identify three critical metrics to gauge the deployment: availability, verifiability, and validity. Our results provide the first comprehensive look at DNSSEC's deployment and reveal a number of challenges that were not anticipated in the design but have become evident in the deployment. First, obstacles such as middle-boxes (firewalls, NATs, etc.) that exist in today's Internet infrastructure have proven to be problematic and have resulted in unforeseen availability problems. Second, the public-key delegation system of DNSSEC has not evolved as was hoped, and it currently leaves over 97% of DNSSEC zones isolated and unverifiable unless some external key authentication mechanism is added. Furthermore, our results show that cryptographic verification is not equivalent to validation: a piece of verified data can still contain the wrong value. Finally, our results demonstrate the essential role of monitoring and measurement in the DNSSEC deployment. We believe that the observations and lessons from the DNSSEC deployment can provide insights into measuring future Internet-scale cryptographic systems.