Measuring DANE TLSA Deployment

  • Liang Zhu
  • Duane Wessels
  • Allison Mankin
  • John Heidemann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9053)


The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC to provide a source of trust, and with TLSA it can serve as a root of trust for TLS certificates. This complements traditional certificate authentication methods, which is important given the risks inherent in trusting hundreds of certificate authorities—risks already demonstrated by multiple compromises. The TLSA protocol was published in 2012, and this paper presents the first systematic study of its deployment. We studied TLSA usage by developing a tool that actively probes all signed zones in .com and .net for TLSA records. We find that TLSA use is still early: in our latest measurement, of the 485k signed zones, we find only 997 TLSA names. We characterize how it is being used so far, and find that around 7–13 % of TLSA records are invalid. We also find that 33 % of TLSA responses are larger than 1500 bytes and will very likely be fragmented.
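As an added illustration of the kind of checks the abstract refers to (this is example code written for this page, not the authors' probing tool), the following Python parses a TLSA record in dig presentation format, flags malformed fields, matches the record against certificate material following the RFC 6698 selector and matching-type semantics, and estimates the wire size of the resulting RRset. The certificate and SubjectPublicKeyInfo byte strings are constructed placeholders rather than real DER, the owner-name check assumes the `_port._proto.` convention from RFC 6698, and the size estimate deliberately excludes RRSIG and EDNS overhead, so it is a lower bound on the real response size.

```python
"""Added example: TLSA parsing, sanity checks and certificate matching.
Not the paper's measurement tool; certificate bytes below are constructed."""
import hashlib
import re
from dataclasses import dataclass

# RFC 6698 field values
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}           # expected association-data length per type

# Constructed placeholders standing in for DER-encoded material (assumption).
CERT_DER = b"constructed-placeholder-certificate-DER"
SPKI_DER = b"constructed-placeholder-SubjectPublicKeyInfo-DER"


@dataclass
class TLSA:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse 'usage selector mtype hex...' as printed by dig; hex may be split."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    return TLSA(usage, selector, mtype, data)


def check_tlsa(rec: TLSA) -> list:
    """Return a list of problems with the record; empty means well-formed."""
    problems = []
    if rec.usage not in USAGES:
        problems.append(f"unknown certificate usage {rec.usage}")
    if rec.selector not in SELECTORS:
        problems.append(f"unknown selector {rec.selector}")
    if rec.matching_type not in MATCHING_TYPES:
        problems.append(f"unknown matching type {rec.matching_type}")
    expected = DIGEST_LEN.get(rec.matching_type)
    if expected is not None and len(rec.assoc_data) != expected:
        problems.append(f"matching type {rec.matching_type} needs {expected} bytes, "
                        f"got {len(rec.assoc_data)}")
    return problems


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the record's association data with the selected certificate part."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching_type == 0:
        return rec.assoc_data == selected
    if rec.matching_type == 1:
        return hashlib.sha256(selected).digest() == rec.assoc_data
    if rec.matching_type == 2:
        return hashlib.sha512(selected).digest() == rec.assoc_data
    return False


def tlsa_owner_ok(name: str) -> bool:
    """TLSA owner names are _<port>._<proto>.<host> (RFC 6698 convention)."""
    return re.match(r"^_\d{1,5}\._(tcp|udp|sctp)\..+", name) is not None


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a DNS name: each label plus the root byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(len(lab) + 1 for lab in labels) + 1


def tlsa_wire_size(owner: str, records: list) -> int:
    """Lower-bound wire size of a TLSA RRset: no compression, no RRSIG/OPT."""
    per_rr_fixed = 2 + 2 + 4 + 2          # TYPE, CLASS, TTL, RDLENGTH
    return sum(name_wire_len(owner) + per_rr_fixed + 3 + len(r.assoc_data)
               for r in records)


# Constructed sample records (a valid DANE-EE/SPKI/SHA-256 one and two bad ones).
GOOD_RDATA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()
SHORT_DIGEST_RDATA = "3 1 1 " + "ab" * 31
BAD_USAGE_RDATA = "5 1 1 " + "00" * 32

if __name__ == "__main__":
    for text in (GOOD_RDATA, SHORT_DIGEST_RDATA, BAD_USAGE_RDATA):
        rec = parse_tlsa(text)
        print(text[:12], check_tlsa(rec) or "ok",
              "match" if tlsa_matches(rec, CERT_DER, SPKI_DER) else "no match")
    print("wire size:", tlsa_wire_size("_443._tcp.example.com", [parse_tlsa(GOOD_RDATA)]))
```

Run over a zone's TLSA records, `check_tlsa` separates structurally broken records from ones that are merely mismatched against the served certificate, which is the distinction a deployment survey needs; `tlsa_wire_size` shows why matching type 0 (full certificate) records push responses toward the 1500-byte fragmentation boundary even before signatures are added.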





Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Liang Zhu (1)
  • Duane Wessels (2)
  • Allison Mankin (2)
  • John Heidemann (1)
  1. University of Southern California, Los Angeles, US
  2. Verisign Labs, San Francisco, US