Casey Deccio, Modeling DNS Security: Misconfiguration, Availability, and Visualization
The Domain Name System (DNS) is one of the components most critical to Internet functionality. The ubiquity of the DNS necessitates both the accuracy and availability of responses. While the DNS Security Extensions (DNSSEC) add authentication to the DNS, they also increase the complexity of an already complex name resolution system. Many deployments have suffered from server misconfiguration or maintenance neglect which increase the likelihood of name resolution failure for a domain name, even if servers are responsive.

Our research introduces metrics for quantifying DNSSEC availability and evaluates these metrics on production signed DNS zones to show the pervasiveness of misconfiguration. We present methodology for increasing robustness of name resolution in the presence of DNSSEC misconfiguration. In our survey of production signed zones, we observe that nearly one-third of the validation errors detected might be mitigated using the technique proposed in our research.

As part of my talk, I will also demo an online DNS visualization tool designed to assist administrators in identifying critical issues with their DNSSEC deployments.

This is joint work with researchers at UC Davis and Intel Corporation.

About the speaker: Casey Deccio is a Senior Member of Technical Staff at Sandia National Laboratories in Livermore, CA. He joined Sandia in 2004 after receiving his BS and MS degrees in Computer Science from Brigham Young University, and he received his PhD in Computer Science from the University of California, Davis in 2010. Casey's research interests lie primarily in modeling and availability analysis of DNS and DNSSEC, and he leads Sandia's DNSSEC deployment efforts.