Abstract
The Domain Name System (DNS) Security Extensions (DNSSEC) introduced additional DNS records (NSEC or NSEC3 records) into negative DNS responses, which records can prove there is no translation for a queried domain name. We introduce a novel technique to estimate the size of a DNS zone by analyzing the NSEC3 records returned by only a small number of DNS queries issued. We survey the prevalence of the deployment of different variants of DNSSEC negative responses across a large set of DNSSEC-signed zones in the wild, and identify over 50% as applicable to our measurement technique. Of the applicable zones, we show that 99% are composed of fewer than 40 names.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
BIND open source DNS server. https://www.isc.org/downloads/bind/
Centralized Zone Data Service. https://czds.icann.org/
Domains index. https://domains-index.com/
The Internet Foundation in Sweden. https://www.iis.se/
Public Interest Registry. https://pir.org/
Verisign. https://www.verisign.com/
Andrews, M.: RFC 2308: negative caching of DNS queries (DNS NCACHE), March 1998
Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4033: DNS security introduction and requirements, March 2005
Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4034: resource records for the DNS security extensions, March 2005
Bird, S., Loper, E., Klein, E.: Natural Language Processing with Python. O’Reilly Media Inc., Sebastopol (2009)
Deccio, C., Chen, C.C., Mohapatra, P., Sedayao, J., Kant, K.: Quality of name resolution in the domain name system. In: 2009 17th IEEE International Conference on Network Protocols, October 2009
DNSCurve: DNSCurve: Usable security for DNS. http://dnscurve.org/nsec3walker.html
Elz, R., Bush, R.: RFC 2181: clarifications to the DNS specification, July 1997
Gardiner, C.: Stochastic Methods: A Handbook for the Natural and Social Sciences. Springer, Heidelberg (2009)
Goldberg, S., Naor, M., Papadopoulos, D., Reyzin, L., Vasant, S., Ziv, A.: NSEC5: provably preventing DNSSEC zone enumeration. In: NDSS 2015, February 2015
Grant, D.: Economical with the truth: making DNSSEC answers cheap. https://blog.cloudflare.com/black-lies/
Josefsson, S.: RFC 4648: the base16, base32, and base64 data encodings, October 2006
Kaminsky, D.: Phreebird. https://dankaminsky.com/phreebird/
Mockapetris, P.: RFC 1034: domain names - concepts and facilities, November 1987
Mockapetris, P.: RFC 1035: domain names - implementation and specification, November 1987
Osterweil, E., Ryan, M., Massey, D., Zhang, L.: Quantifying the operational status of the DNSSEC deployment. In: Proceedings of the 6th ACM/USENIX Internet Measurement Conference (IMC 2008), October 2008
Ramasubramanian, V., Sirer, E.G.: Perils of transitive trust in the domain name system. In: IMC 2005 Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement, October 2015
Sisson, G., Arends, R., Blacka, D.: RFC 5155: DNS security (DNSSEC) hashed authenticated denial of existence, March 2008
Wander, M., Schwittmann, L., Boelmann, C., Weis, T.: GPU-based NSEC3 hash breaking. In: 2014 IEEE 13th International Symposium on Network Computing and Applications. IEEE, August 2014
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Demke, J., Deccio, C. (2019). On DNSSEC Negative Responses, Lies, and Zone Size Detection. In: Choffnes, D., Barcellos, M. (eds) Passive and Active Measurement. PAM 2019. Lecture Notes in Computer Science(), vol 11419. Springer, Cham. https://doi.org/10.1007/978-3-030-15986-3_15
Download citation
DOI: https://doi.org/10.1007/978-3-030-15986-3_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-15985-6
Online ISBN: 978-3-030-15986-3
eBook Packages: Computer ScienceComputer Science (R0)