Abstract
The Domain Name System (DNS) Security Extensions (DNSSEC) introduced additional DNS records (NSEC or NSEC3 records) into negative DNS responses; these records prove that there is no translation for a queried domain name. We introduce a novel technique to estimate the size of a DNS zone by analyzing the NSEC3 records returned in response to only a small number of DNS queries. We survey the prevalence of different variants of DNSSEC negative responses across a large set of DNSSEC-signed zones in the wild and identify over 50% as applicable to our measurement technique. Of the applicable zones, we show that 99% are composed of fewer than 40 names.
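The following is an added, runnable illustration of the idea in the abstract; it is example code written for this page, not the authors' code, and the estimator it uses is the textbook length-biased-sampling formula, not necessarily the estimator of the paper. It builds the NSEC3 chain of a constructed zone, answers random queries the way an authoritative server does (with the NSEC3 record whose hash interval covers the query's hash), and estimates the number of names in the zone from the lengths of the intervals observed. The salt and iteration count are the RFC 5155 Appendix A parameters so that the hash routine can be checked against the RFC's apex hash; the zone contents, query names, class and function names are all constructed for the example. The estimate assumes the server returns genuine chain records: a zone that synthesizes minimal covering NSEC3 records (the "lies" of the paper's title) does not expose real gaps, and the technique does not apply to it.

```python
"""Zone-size estimation from NSEC3 negative answers (added example, not the paper's code).

Simulates the NSEC3 chain of a signed zone, answers random queries the way an
authoritative server does (with the NSEC3 record whose hash interval covers the
query's hash), and estimates the number of names in the zone from the lengths
of the intervals it saw.  Assumptions of this example: hashes are uniformly
distributed on the 160-bit ring, the server returns genuine chain records (no
synthesised "lies"), and the size estimator is the textbook length-biased
sampling formula, not necessarily the estimator used in the paper.
"""
import hashlib
import random
from bisect import bisect_right

HASH_SPACE = 1 << 160                         # SHA-1 output: the NSEC3 hash ring
B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 base32hex alphabet


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of a fully qualified domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` more rounds."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def base32hex(data: bytes) -> str:
    """Unpadded base32hex, the encoding of NSEC3 owner names (hand-rolled so the
    example does not depend on Python 3.10's base64.b32hexencode)."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(B32HEX[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


class Nsec3Zone:
    """The NSEC3 chain of a zone: every name's hash, sorted, treated as a ring."""

    def __init__(self, names, salt=bytes.fromhex("aabbccdd"), iterations=12):
        # Salt and iteration count are the RFC 5155 Appendix A example parameters.
        self.salt, self.iterations = salt, iterations
        self.chain = sorted(
            int.from_bytes(nsec3_hash(n, salt, iterations), "big") for n in names
        )

    def covering_record(self, qname: str):
        """(owner_hash, next_hash) of the NSEC3 record an authoritative server
        would return to deny qname: the chain entry just below the query's
        hash and its successor, wrapping around the ring at the ends."""
        h = int.from_bytes(nsec3_hash(qname, self.salt, self.iterations), "big")
        i = bisect_right(self.chain, h) - 1       # -1 means "before the first hash"
        return self.chain[i], self.chain[(i + 1) % len(self.chain)]


def gap_length(owner: int, nxt: int) -> int:
    """Length of the hash interval covered by one NSEC3 record (ring arithmetic)."""
    return (nxt - owner) % HASH_SPACE or HASH_SPACE   # a single-name zone covers everything


def estimate_zone_size(gaps) -> float:
    """Length-biased estimator.  A random query hash lands in an interval with
    probability proportional to its length, so observed intervals are size
    biased: for N uniformly hashed names the expected observed length is
    2*HASH_SPACE/(N+1), which inverts to N ~= 2*HASH_SPACE/mean(gaps) - 1."""
    mean = sum(gaps) / len(gaps)
    return 2 * HASH_SPACE / mean - 1


def probe(zone: Nsec3Zone, nqueries: int, seed: int = 1):
    """Send nqueries random, almost surely non-existent names (constructed
    query names under example.) and collect the covering interval lengths."""
    rng = random.Random(seed)
    gaps = []
    for _ in range(nqueries):
        qname = f"q{rng.getrandbits(48):012x}.example."
        gaps.append(gap_length(*zone.covering_record(qname)))
    return gaps


if __name__ == "__main__":
    # Constructed zone: the apex plus 999 hostnames.
    zone = Nsec3Zone(["example."] + [f"host{i}.example." for i in range(1, 1000)])
    print("apex hash:", base32hex(nsec3_hash("example.", zone.salt, zone.iterations)))
    est = estimate_zone_size(probe(zone, nqueries=100))
    print(f"names in zone: {len(zone.chain)}, estimate from 100 queries: {est:.0f}")
```

The observed interval length has a coefficient of variation of about 0.7 under uniform hashing, so the relative error of the estimate shrinks roughly as 0.7/sqrt(k) for k queries: a few dozen negative answers already place a zone within the "fewer than 40 names" bucket the abstract reports, and a few hundred pin a thousand-name zone to within a few percent.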
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Demke, J., Deccio, C. (2019). On DNSSEC Negative Responses, Lies, and Zone Size Detection. In: Choffnes, D., Barcellos, M. (eds) Passive and Active Measurement. PAM 2019. Lecture Notes in Computer Science, vol 11419. Springer, Cham. https://doi.org/10.1007/978-3-030-15986-3_15
DOI: https://doi.org/10.1007/978-3-030-15986-3_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-15985-6
Online ISBN: 978-3-030-15986-3
eBook Packages: Computer Science (R0)