Casey T. Deccio

Quantifying and Improving DNSSEC Availability

The Domain Name System (DNS) is a foundational component of todays Internet for mapping Internet names to addresses. With the DNS Security Extensions (DNSSEC) DNS responses can be cryptographically verified to prevent malicious tampering. The protocol complexity and administrative overhead associated with DNSSEC can significantly impact the potential for name resolution failure. We present metrics for assessing the quality of a DNSSEC deployment, based on its potential for resolution failure in the presence of DNSSEC misconfiguration. We introduce a metric to analyze the administrative complexity of a DNS configuration, which contributes to its failure potential. We then discuss a technique which uses soft anchoring to increase robustness in spite of misconfigurations. We analyze a representative set of production signed DNS zones and determine that 28% of the validation failures we encountered would be mitigated by the soft anchoring technique we propose.

Measuring Availability in the Domain Name System

The domain name system (DNS) is critical to Internet functionality. The availability of a domain name refers to its ability to be resolved correctly. We develop a model for server dependencies that is used as a basis for measuring availability. We introduce the minimum number of servers queried (MSQ) and redundancy as availability metrics and show how common DNS misconfigurations impact the availability of domain names. We apply the availability model to domain names from production DNS and observe that 6.7% of names exhibit sub-optimal MSQ, and 14% experience false redundancy. The MSQ and redundancy values can be optimized by proper maintenance of delegation records for zones.

Maintenance, mishaps and mending in deployments of the domain name system security extensions (DNSSEC)

The Domain Name System Security Extensions (DNSSEC) add an element of authentication to the DNS, which is a foundational component of the Internet. However, the maintenance of a DNSSEC deployment is more complex than that of its insecure counterpart. This paper discusses some specific misconfigurations that impact DNSSEC deployments, analyzes their prevalence via an extended survey of production DNS zones implementing DNSSEC, and assesses the maintenance and corrective actions. Our survey indicated that more than one-half of the zones analyzed were affected by misconfigurations. Also, the survey revealed a significant number of repeat occurrences and average correction times of up to two weeks. This paper summarizes the survey findings and suggests approaches for improving the quality of DNSSEC deployments.

Security and Robustness in the Internet Infrastructure

Security and robustness of the Internet infrastructure is essential for ensuring that the online services operate as expected. The essential components of Internet infrastructure include the Domain Name System (DNS) that provides translation between user friendly names and network addresses, inter- and intra-domain routing at the IP level, layer-2 switching, Quality of Service provisioning, and infrastructure security protocols such as IPsec and SSL. In this chapter, we discuss the security and robustness issues connected with these aspects of the Internet. We also address the issue of increasing configuration complexity and the resultant misconfigurations that are becoming a major source of vulnerability and undesired behavior. We present some generic vulnerabilities in this area and schemes to address them.

A study of the suitability of IrOBEX for high-speed exchange of large data objects

This paper demonstrates that careful tuning of the OBEX and IrLAP negotiated parameters allows OBEX to scale well for use with large data objects and high transmission rates. Due to the substantial time overhead inherent in link turnarounds, minimizing turnarounds during the transmission of a large object helps to maximize link efficiency. The IrLAP window size and OBEX packet size significantly impact the number of required turnarounds during the transmission of a large object. When these parameters are properly tuned, maximum throughput can be achieved, and OBEX performs efficiently at high data rates.

Quality of name resolution in the Domain Name System

The Domain Name System (DNS) is integral to todays Internet. Name resolution for a domain is often dependent on servers well outside the control of the domains owner. In this paper we propose a formal model for analyzing the name dependencies inherent in DNS, based on protocol specification and actual implementations. We derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, the name resolution for over one-half of the queries exhibits influence of domains not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. The model presented in the paper also shows that the set of domains whose resolution affects a given domain name is much smaller than previously thought. The model also shows that with caching of NS target addresses, the number of influential domains expands greatly, thereby making the DNS infrastructure more vulnerable.

Quantifying DNS namespace influence

Name resolution using the Domain Name System (DNS) is integral to todays Internet. The resolution of a domain name is often dependent on namespace outside the control of the domains owner. In this article we review the DNS protocol and several DNS server implementations. Based on our examination, we propose a formal model for analyzing the name dependencies inherent in DNS. Using our name dependency model we derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, more than half of the queries for a domain name are influenced by namespaces not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. When we apply metrics from our model to production DNS data, we show that the set of domains whose resolution affects a given domain name is much smaller than previously thought. However, behaviors such as using cached addresses for querying authoritative servers and chaining domain name aliases increase the number and diversity of influential domains, thereby making the DNS infrastructure more vulnerable.