Computing That Serves

Modeling DNS Security: Misconfiguration, Availability, and Visualization


Thursday, September 9, 2010 - 11:00am


Casey T. Deccio
Senior Member of Technical Staff
Sandia National Laboratories


Mark Clement

The Domain Name System (DNS) is one of the components most critical to Internet functionality. The ubiquity of the DNS necessitates both the accuracy and availability of responses. While the DNS Security Extensions (DNSSEC) add authentication to the DNS, they also increase the complexity of an already complex name resolution system. Many deployments have suffered from server misconfiguration or maintenance neglect, which increases the likelihood of name resolution failure for a domain name even when the servers themselves are responsive.

Our research introduces metrics for quantifying DNSSEC availability and evaluates these metrics on production signed DNS zones to show the pervasiveness of misconfiguration. We present a methodology for increasing the robustness of name resolution in the presence of DNSSEC misconfiguration. In our survey of production signed zones, we observe that nearly one-third of the validation errors detected might be mitigated using the technique proposed in our research.
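As an added illustration of the two points above (misconfiguration or neglect making a name unresolvable for validating resolvers even though every server answers, and a per-zone availability figure), and not code from the talk, its authors or their visualization tool: a small Python model of a validating resolver checking one zone served by three authoritative servers. The zone name, keys, timestamps, the "fraction of servers whose answer validates" metric and the retry policy are all constructed assumptions of this example, and the signature scheme is an HMAC keyed by the public key, a stand-in for asymmetric DNSSEC signatures, so the code models chain-of-trust and validity-window logic, not cryptographic strength.

```python
# Constructed example: toy model of DNSSEC validation across several servers.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def key_tag(pubkey: bytes) -> int:
    """Simplified stand-in for an RFC 4034 key tag (low 16 bits of a hash)."""
    return int.from_bytes(hashlib.sha256(pubkey).digest()[:2], "big")

def ds_digest(owner: str, pubkey: bytes) -> str:
    """DS digest over owner name plus key material, as a parent would publish."""
    return hashlib.sha256(owner.lower().encode() + pubkey).hexdigest()

def serialize(owner: str, rdata) -> bytes:
    """Canonical RRset form: lowercase owner plus sorted RDATA."""
    return owner.lower().encode() + b"|" + b"|".join(sorted(r.encode() for r in rdata))

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    inception: int
    expiration: int
    sig: str

def sign(owner, rdata, pubkey: bytes, inception: int, expiration: int) -> RRSIG:
    # Stand-in signature: HMAC keyed by the public key. Anyone holding the
    # public key could also forge it, so this models validation logic only.
    msg = serialize(owner, rdata) + inception.to_bytes(4, "big") + expiration.to_bytes(4, "big")
    return RRSIG(key_tag(pubkey), inception, expiration,
                 hmac.new(pubkey, msg, hashlib.sha256).hexdigest())

def verify(owner, rdata, pubkey: bytes, rrsig: RRSIG, now: int) -> Optional[str]:
    """Return None when the RRSIG validates, otherwise a reason string."""
    if not (rrsig.inception <= now <= rrsig.expiration):
        return "signature outside validity window"
    expected = sign(owner, rdata, pubkey, rrsig.inception, rrsig.expiration).sig
    if not hmac.compare_digest(expected, rrsig.sig):
        return "signature does not verify"
    return None

@dataclass(frozen=True)
class Snapshot:
    """Zone data as served by one authoritative server (may be stale)."""
    dnskeys: tuple          # public keys in the DNSKEY RRset
    dnskey_rrsig: RRSIG
    addresses: tuple        # A RRset at the zone apex
    a_rrsig: RRSIG

def validate(zone: str, ds_set, snap: Snapshot, now: int) -> Optional[str]:
    """Validating resolver model: DS -> DNSKEY -> A. None means success."""
    keys_by_tag = {key_tag(k): k for k in snap.dnskeys}
    # 1. Some DS at the parent must match a DNSKEY this server actually serves.
    trusted = [keys_by_tag[tag] for tag, digest in ds_set
               if tag in keys_by_tag and ds_digest(zone, keys_by_tag[tag]) == digest]
    if not trusted:
        return "no DS matches a published DNSKEY"
    # 2. The DNSKEY RRset must carry a valid signature by a DS-trusted key.
    if snap.dnskey_rrsig.key_tag not in {key_tag(k) for k in trusted}:
        return "DNSKEY RRset not signed by a DS-trusted key"
    err = verify(zone, [k.hex() for k in snap.dnskeys],
                 keys_by_tag[snap.dnskey_rrsig.key_tag], snap.dnskey_rrsig, now)
    if err:
        return "DNSKEY: " + err
    # 3. The answer must be signed by a key from the now-validated DNSKEY set.
    signer = keys_by_tag.get(snap.a_rrsig.key_tag)
    if signer is None:
        return "A RRSIG references unknown key tag"
    err = verify(zone, snap.addresses, signer, snap.a_rrsig, now)
    return "A: " + err if err else None

def availability(zone, ds_set, snapshots, now) -> float:
    """Illustrative metric (my own, not the paper's): share of servers whose answer validates."""
    return sum(validate(zone, ds_set, s, now) is None for s in snapshots) / len(snapshots)

def resolve_with_retry(zone, ds_set, servers: dict, now):
    """Illustrative resolver policy (not the talk's technique): on validation
    failure, try the next server rather than failing the whole lookup."""
    for name, snap in servers.items():
        if validate(zone, ds_set, snap, now) is None:
            return name, snap.addresses
    return None, ()

def build_scenario(now: int):
    """Constructed zone 'example.test' after a KSK rollover, served by three servers."""
    zone, addrs, week = "example.test", ("192.0.2.1",), 7 * 86400
    old_key, new_key = b"old-ksk-material", b"new-ksk-material"
    def snapshot(key, inc, exp):
        return Snapshot((key,), sign(zone, [key.hex()], key, inc, exp),
                        addrs, sign(zone, addrs, key, inc, exp))
    ds_set = [(key_tag(new_key), ds_digest(zone, new_key))]   # parent knows only the new key
    servers = {
        "ns2": snapshot(old_key, now - week, now + week),      # stale DNSKEY set: DS mismatch
        "ns3": snapshot(new_key, now - 3 * week, now - week),  # signatures never refreshed
        "ns1": snapshot(new_key, now - week, now + week),      # correctly maintained
    }
    return zone, ds_set, servers

def report(now: int = 1_284_000_000):
    zone, ds_set, servers = build_scenario(now)
    results = {name: validate(zone, ds_set, s, now) for name, s in servers.items()}
    return results, availability(zone, ds_set, list(servers.values()), now)

if __name__ == "__main__":
    results, avail = report()
    for name, err in results.items():
        print(f"{name}: {'validates' if err is None else 'FAIL: ' + err}")
    print(f"servers yielding a validatable answer: {avail:.2f}")
```

All three servers respond, yet only one of them yields an answer a validating resolver will accept: ns2 still serves the pre-rollover DNSKEY set that the parent's DS no longer matches, and ns3 serves signatures whose validity window has passed. A resolver that gives up on the first validation failure returns SERVFAIL for the name; the retry policy in `resolve_with_retry` reaches ns1 and succeeds, which is the kind of resolver-side behaviour that determines how much of a zone's misconfiguration is actually visible to users.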

As part of my talk, I will also demo an online DNS visualization tool designed to assist administrators in identifying critical issues with their DNSSEC deployments.

This is joint work with researchers at UC Davis and Intel Corporation.


Casey Deccio is a Senior Member of Technical Staff at Sandia National Laboratories in Livermore, CA.  He joined Sandia in 2004 after receiving his BS and MS degrees in Computer Science from Brigham Young University, and he is currently a PhD candidate at the University of California, Davis.  Casey's research interests lie primarily in modeling and availability analysis of DNS and DNSSEC, and he leads Sandia's DNSSEC deployment efforts.