Measuring Occurrence of DNSSEC Validation

“…We list the summary of validator identified over trace-I in Table II. The ratio of validators to total resolvers is 4.8%, which is close to the 4.5% measured by Wander and Weis [4] and 4.0% measured by Huston [5] using the rejection-of-bad-data technique.…”

“…However although fetching DNSKEY and DS records is necessary for performing DNSSEC validation, it is not a sufficient indicator and can introduce false positives. Our own measurement results and other previous work [4] show that many resolvers query for DNSKEY record but do not perform signature validation. Moreover, since .ORG's authoritative servers use anycast, it is difficult to assemble a complete trace of all the queries from a given resolver.…”

“…Unfortunately this method can potentially introduce false positive results. As reported by [4], about 1.6% of measured caching resolvers sent DNSKEY query, but did not validate data.…”

“…Huston [5] and Wander & Torben [4] looked for the absence of the use of intentionally bad data to detect a DNSSEC validator. For example, one can embed in a web page two images with different URLs and different hostnames.…”

“…Some other studies solved the second problem by combining the observations of end host behavior on both DNS queries and HTTP requests [4], [5]. As we discuss in Section VI, the effectiveness of this approach is confined to the resolvers that query for a specific domain name.…”

Check-Repeat: A new method of measuring DNSSEC validating resolvers

“…We list the summary of validator identified over trace-I in Table II. The ratio of validators to total resolvers is 4.8%, which is close to the 4.5% measured by Wander and Weis [4] and 4.0% measured by Huston [5] using the rejection-of-bad-data technique.…”

“…However although fetching DNSKEY and DS records is necessary for performing DNSSEC validation, it is not a sufficient indicator and can introduce false positives. Our own measurement results and other previous work [4] show that many resolvers query for DNSKEY record but do not perform signature validation. Moreover, since .ORG's authoritative servers use anycast, it is difficult to assemble a complete trace of all the queries from a given resolver.…”

“…Unfortunately this method can potentially introduce false positive results. As reported by [4], about 1.6% of measured caching resolvers sent DNSKEY query, but did not validate data.…”

“…Huston [5] and Wander & Torben [4] looked for the absence of the use of intentionally bad data to detect a DNSSEC validator. For example, one can embed in a web page two images with different URLs and different hostnames.…”

“…Some other studies solved the second problem by combining the observations of end host behavior on both DNS queries and HTTP requests [4], [5]. As we discuss in Section VI, the effectiveness of this approach is confined to the resolvers that query for a specific domain name.…”

Check-Repeat: A new method of measuring DNSSEC validating resolvers

EncDNS: A Lightweight Privacy-Preserving Name Resolution Service

Detection and Forensics of Domains Hijacking