Check-Repeat: A new method of measuring DNSSEC validating resolvers

As more and more authority DNS servers turn on DNS security extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper we present a query-based measurement method, called Check-Repeat, to gauge the presence of DN...

Ausführliche Beschreibung

Gespeichert in:

Bibliographische Detailangaben
Hauptverfasser:	Yingdi Yu, Wessels, Duane, Larson, Matt, Lixia Zhang
Format:	Tagungsbericht
Sprache:	eng
Schlagworte:	Browsers Conferences IP networks Monitoring Probes Public key Servers
Online-Zugang:	Volltext bestellen
Tags:	Tag hinzufügen Keine Tags, Fügen Sie den ersten Tag hinzu!

container_end_page	3152
container_issue
container_start_page	3147
container_title
container_volume
creator	Yingdi Yu Wessels, Duane Larson, Matt Lixia Zhang
description	As more and more authority DNS servers turn on DNS security extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper we present a query-based measurement method, called Check-Repeat, to gauge the presence of DNSSEC validating resolvers. Utilizing the fact that most validating resolver implementations retry DNS queries with a different authority server if they receive a bad DNS response, Check-Repeat can identify validating resolvers by removing the signatures from regular DNS responses and observing whether a resolver retries DNS queries. We tested Check-Repeat in different scenarios and our results showed that Check-Repeat can identify validating resolvers with a low error rate. We also cross-checked our measurement results with DNS query logs from .COM and .NET domains, and confirmed that the resolvers measured in our study can account for more than 60% of DNS queries in the Internet.
doi_str_mv	10.1109/INFCOM.2013.6567129
format	Conference Proceeding
fullrecord	<record><control><sourceid>ieee_6IE</sourceid><recordid>TN_cdi_ieee_primary_6567129</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>6567129</ieee_id><sourcerecordid>6567129</sourcerecordid><originalsourceid>FETCH-LOGICAL-i175t-b8e7712ea403908f5f812e434eba25e3ed3608cc8339a10dedf7751b0ca9698e3</originalsourceid><addsrcrecordid>eNpVUMtOwkAUHV-JDfYL2MwPDN7pvN2RCkqCkIgm7si0vZVqoaRTMP69NbJxdV7JyckhZMhhxDm429limi6fRglwMdJKG564MxI7Y7nURignFZyTKNGSM2eNvPiXSXFJIjBSMK712zWJQ_gAgL5YJxYikqYbzD_ZM-7Rd3d0THf4RbfYbZqCNmXPfDi01e6d3i9Wq0lKj76uCt_9Oi2Gpj5iG27IVenrgPEJB-R1OnlJH9l8-TBLx3NWcaM6llk0_Xj0EoQDW6rS9koKiZlPFAoshAab51YI5zkUWJTGKJ5B7p12FsWADP96K0Rc79tq69vv9ekS8QPjJU-W</addsrcrecordid><sourcetype>Publisher</sourcetype><iscdi>true</iscdi><recordtype>conference_proceeding</recordtype></control><display><type>conference_proceeding</type><title>Check-Repeat: A new method of measuring DNSSEC validating resolvers</title><source>IEEE Electronic Library (IEL) Conference Proceedings</source><creator>Yingdi Yu ; Wessels, Duane ; Larson, Matt ; Lixia Zhang</creator><creatorcontrib>Yingdi Yu ; Wessels, Duane ; Larson, Matt ; Lixia Zhang</creatorcontrib><description>As more and more authority DNS servers turn on DNS security extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper we present a query-based measurement method, called Check-Repeat, to gauge the presence of DNSSEC validating resolvers. Utilizing the fact that most validating resolver implementations retry DNS queries with a different authority server if they receive a bad DNS response, Check-Repeat can identify validating resolvers by removing the signatures from regular DNS responses and observing whether a resolver retries DNS queries. We tested Check-Repeat in different scenarios and our results showed that Check-Repeat can identify validating resolvers with a low error rate. We also cross-checked our measurement results with DNS query logs from .COM and .NET domains, and confirmed that the resolvers measured in our study can account for more than 60% of DNS queries in the Internet.</description><identifier>ISSN: 0743-166X</identifier><identifier>ISBN: 9781467359443</identifier><identifier>ISBN: 1467359440</identifier><identifier>EISSN: 2641-9874</identifier><identifier>EISBN: 9781467359450</identifier><identifier>EISBN: 9781467359467</identifier><identifier>EISBN: 1467359467</identifier><identifier>EISBN: 1467359459</identifier><identifier>DOI: 10.1109/INFCOM.2013.6567129</identifier><language>eng</language><publisher>IEEE</publisher><subject>Browsers ; Conferences ; IP networks ; Monitoring ; Probes ; Public key ; Servers</subject><ispartof>2013 Proceedings IEEE INFOCOM, 2013, p.3147-3152</ispartof><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/6567129$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>309,310,776,780,785,786,2051,27904,54899</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/6567129$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc></links><search><creatorcontrib>Yingdi Yu</creatorcontrib><creatorcontrib>Wessels, Duane</creatorcontrib><creatorcontrib>Larson, Matt</creatorcontrib><creatorcontrib>Lixia Zhang</creatorcontrib><title>Check-Repeat: A new method of measuring DNSSEC validating resolvers</title><title>2013 Proceedings IEEE INFOCOM</title><addtitle>INFCOM</addtitle><description>As more and more authority DNS servers turn on DNS security extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper we present a query-based measurement method, called Check-Repeat, to gauge the presence of DNSSEC validating resolvers. Utilizing the fact that most validating resolver implementations retry DNS queries with a different authority server if they receive a bad DNS response, Check-Repeat can identify validating resolvers by removing the signatures from regular DNS responses and observing whether a resolver retries DNS queries. We tested Check-Repeat in different scenarios and our results showed that Check-Repeat can identify validating resolvers with a low error rate. We also cross-checked our measurement results with DNS query logs from .COM and .NET domains, and confirmed that the resolvers measured in our study can account for more than 60% of DNS queries in the Internet.</description><subject>Browsers</subject><subject>Conferences</subject><subject>IP networks</subject><subject>Monitoring</subject><subject>Probes</subject><subject>Public key</subject><subject>Servers</subject><issn>0743-166X</issn><issn>2641-9874</issn><isbn>9781467359443</isbn><isbn>1467359440</isbn><isbn>9781467359450</isbn><isbn>9781467359467</isbn><isbn>1467359467</isbn><isbn>1467359459</isbn><fulltext>true</fulltext><rsrctype>conference_proceeding</rsrctype><creationdate>2013</creationdate><recordtype>conference_proceeding</recordtype><sourceid>6IE</sourceid><sourceid>RIE</sourceid><recordid>eNpVUMtOwkAUHV-JDfYL2MwPDN7pvN2RCkqCkIgm7si0vZVqoaRTMP69NbJxdV7JyckhZMhhxDm429limi6fRglwMdJKG564MxI7Y7nURignFZyTKNGSM2eNvPiXSXFJIjBSMK712zWJQ_gAgL5YJxYikqYbzD_ZM-7Rd3d0THf4RbfYbZqCNmXPfDi01e6d3i9Wq0lKj76uCt_9Oi2Gpj5iG27IVenrgPEJB-R1OnlJH9l8-TBLx3NWcaM6llk0_Xj0EoQDW6rS9koKiZlPFAoshAab51YI5zkUWJTGKJ5B7p12FsWADP96K0Rc79tq69vv9ekS8QPjJU-W</recordid><startdate>201304</startdate><enddate>201304</enddate><creator>Yingdi Yu</creator><creator>Wessels, Duane</creator><creator>Larson, Matt</creator><creator>Lixia Zhang</creator><general>IEEE</general><scope>6IE</scope><scope>6IH</scope><scope>CBEJK</scope><scope>RIE</scope><scope>RIO</scope></search><sort><creationdate>201304</creationdate><title>Check-Repeat: A new method of measuring DNSSEC validating resolvers</title><author>Yingdi Yu ; Wessels, Duane ; Larson, Matt ; Lixia Zhang</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-i175t-b8e7712ea403908f5f812e434eba25e3ed3608cc8339a10dedf7751b0ca9698e3</frbrgroupid><rsrctype>conference_proceedings</rsrctype><prefilter>conference_proceedings</prefilter><language>eng</language><creationdate>2013</creationdate><topic>Browsers</topic><topic>Conferences</topic><topic>IP networks</topic><topic>Monitoring</topic><topic>Probes</topic><topic>Public key</topic><topic>Servers</topic><toplevel>online_resources</toplevel><creatorcontrib>Yingdi Yu</creatorcontrib><creatorcontrib>Wessels, Duane</creatorcontrib><creatorcontrib>Larson, Matt</creatorcontrib><creatorcontrib>Lixia Zhang</creatorcontrib><collection>IEEE Electronic Library (IEL) Conference Proceedings</collection><collection>IEEE Proceedings Order Plan (POP) 1998-present by volume</collection><collection>IEEE Xplore All Conference Proceedings</collection><collection>IEEE Electronic Library (IEL)</collection><collection>IEEE Proceedings Order Plans (POP) 1998-present</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Yingdi Yu</au><au>Wessels, Duane</au><au>Larson, Matt</au><au>Lixia Zhang</au><format>book</format><genre>proceeding</genre><ristype>CONF</ristype><atitle>Check-Repeat: A new method of measuring DNSSEC validating resolvers</atitle><btitle>2013 Proceedings IEEE INFOCOM</btitle><stitle>INFCOM</stitle><date>2013-04</date><risdate>2013</risdate><spage>3147</spage><epage>3152</epage><pages>3147-3152</pages><issn>0743-166X</issn><eissn>2641-9874</eissn><isbn>9781467359443</isbn><isbn>1467359440</isbn><eisbn>9781467359450</eisbn><eisbn>9781467359467</eisbn><eisbn>1467359467</eisbn><eisbn>1467359459</eisbn><abstract>As more and more authority DNS servers turn on DNS security extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper we present a query-based measurement method, called Check-Repeat, to gauge the presence of DNSSEC validating resolvers. Utilizing the fact that most validating resolver implementations retry DNS queries with a different authority server if they receive a bad DNS response, Check-Repeat can identify validating resolvers by removing the signatures from regular DNS responses and observing whether a resolver retries DNS queries. We tested Check-Repeat in different scenarios and our results showed that Check-Repeat can identify validating resolvers with a low error rate. We also cross-checked our measurement results with DNS query logs from .COM and .NET domains, and confirmed that the resolvers measured in our study can account for more than 60% of DNS queries in the Internet.</abstract><pub>IEEE</pub><doi>10.1109/INFCOM.2013.6567129</doi><tpages>6</tpages></addata></record>
fulltext	fulltext_linktorsrc
identifier	ISSN: 0743-166X
ispartof	2013 Proceedings IEEE INFOCOM, 2013, p.3147-3152
issn	0743-166X 2641-9874
language	eng
recordid	cdi_ieee_primary_6567129
source	IEEE Electronic Library (IEL) Conference Proceedings
subjects	Browsers Conferences IP networks Monitoring Probes Public key Servers
title	Check-Repeat: A new method of measuring DNSSEC validating resolvers
url	https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-21T19%3A15%3A31IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Check-Repeat:%20A%20new%20method%20of%20measuring%20DNSSEC%20validating%20resolvers&rft.btitle=2013%20Proceedings%20IEEE%20INFOCOM&rft.au=Yingdi%20Yu&rft.date=2013-04&rft.spage=3147&rft.epage=3152&rft.pages=3147-3152&rft.issn=0743-166X&rft.eissn=2641-9874&rft.isbn=9781467359443&rft.isbn_list=1467359440&rft_id=info:doi/10.1109/INFCOM.2013.6567129&rft_dat=%3Cieee_6IE%3E6567129%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9781467359450&rft.eisbn_list=9781467359467&rft.eisbn_list=1467359467&rft.eisbn_list=1467359459&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=6567129&rfr_iscdi=true