Jeff Sedayao

Quantifying and Improving DNSSEC Availability

The Domain Name System (DNS) is a foundational component of todays Internet for mapping Internet names to addresses. With the DNS Security Extensions (DNSSEC) DNS responses can be cryptographically verified to prevent malicious tampering. The protocol complexity and administrative overhead associated with DNSSEC can significantly impact the potential for name resolution failure. We present metrics for assessing the quality of a DNSSEC deployment, based on its potential for resolution failure in the presence of DNSSEC misconfiguration. We introduce a metric to analyze the administrative complexity of a DNS configuration, which contributes to its failure potential. We then discuss a technique which uses soft anchoring to increase robustness in spite of misconfigurations. We analyze a representative set of production signed DNS zones and determine that 28% of the validation failures we encountered would be mitigated by the soft anchoring technique we propose.

World Wide Web network traffic patterns

The World Wide Web (WWW) generates a significant and growing portion of traffic on the Internet. With the click of a mouse button, a person browsing on the WWW can generate megabytes of multimedia network traffic. WWWs growth and possible network impact merit a study of its traffic patterns, problems, and possible changes. This paper attempts to characterize World Wide Web traffic patterns. First, the Webs HyperText Transfer Protocol (HTTP) is reviewed, with particular attention to latency factors. User access patterns and file size distribution are then described. Next, the HTTP design issues are discussed, followed by a section on proposed revisions. Benefits and drawbacks to each of the proposals are covered. The paper ends with pointers toward more information on this area.

An Architectural Vision for a Data-Centric IoT: Rethinking Things, Trust and Clouds

The Internet of Things (IoT) is producing a tidal wave of data, much of it originating at the network edge, from applications with requirements unmet by the traditional back-end Cloud architecture. To address the disruption caused by the overabundance of data, this paper offers a holistic data-centric architectural vision for the data-centric IoT. It advocates that we rethink our approach to the design and definition of key elements: that we shift our focus from Things to Smart Objects; grow Trust organically; and evolve back-end Clouds toward Edge and Fog clouds, which leverage data-centric networks and enable optimal handling of upstream data flows. Along the way, we wax poetic about several blue-sky topics, assess the status of these elements in the context of related work, and identify known gaps in meeting this vision.

Measuring Availability in the Domain Name System

The domain name system (DNS) is critical to Internet functionality. The availability of a domain name refers to its ability to be resolved correctly. We develop a model for server dependencies that is used as a basis for measuring availability. We introduce the minimum number of servers queried (MSQ) and redundancy as availability metrics and show how common DNS misconfigurations impact the availability of domain names. We apply the availability model to domain names from production DNS and observe that 6.7% of names exhibit sub-optimal MSQ, and 14% experience false redundancy. The MSQ and redundancy values can be optimized by proper maintenance of delegation records for zones.

Quality of name resolution in the Domain Name System

The Domain Name System (DNS) is integral to todays Internet. Name resolution for a domain is often dependent on servers well outside the control of the domains owner. In this paper we propose a formal model for analyzing the name dependencies inherent in DNS, based on protocol specification and actual implementations. We derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, the name resolution for over one-half of the queries exhibits influence of domains not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. The model presented in the paper also shows that the set of domains whose resolution affects a given domain name is much smaller than previously thought. The model also shows that with caching of NS target addresses, the number of influential domains expands greatly, thereby making the DNS infrastructure more vulnerable.

Quantifying DNS namespace influence

Name resolution using the Domain Name System (DNS) is integral to todays Internet. The resolution of a domain name is often dependent on namespace outside the control of the domains owner. In this article we review the DNS protocol and several DNS server implementations. Based on our examination, we propose a formal model for analyzing the name dependencies inherent in DNS. Using our name dependency model we derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, more than half of the queries for a domain name are influenced by namespaces not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. When we apply metrics from our model to production DNS data, we show that the set of domains whose resolution affects a given domain name is much smaller than previously thought. However, behaviors such as using cached addresses for querying authoritative servers and chaining domain name aliases increase the number and diversity of influential domains, thereby making the DNS infrastructure more vulnerable.