Measuring DANE TLSA Deployment

Zhu, Liang and Wessels, Duane and Mankin, Allison and Heidemann, John
USC/Information Sciences Institute

citation

Liang Zhu, Duane Wessels, Allison Mankin and John Heidemann 2015. Measuring DANE TLSA Deployment. Proceedings of the 7th IEEE International Workshop on Traffic Monitoring and Analysis (Barcelona, Spain, Apr. 2015), 219–232. [DOI] [PDF] [Code]

abstract

The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC to provide a source of trust, and with TLSA it can serve as a root of trust for TLS certificates. This serves to complement traditional certificate authentication methods, which is important given the risks inherent in trusting hundreds of certificate authorities, risks already demonstrated by multiple compromises. The TLSA protocol was published in 2012, and this paper presents the first systematic study of its deployment. We studied TLSA usage, developing a tool that actively probes all signed zones in .com and .net for TLSA records. We find that TLSA use is early: in our latest measurement, of the 485k signed zones, we find only 997 TLSA names. We characterize how it is being used so far, and find that around 7–13% of TLSA records are invalid. We find 33% of TLSA responses are larger than 1500 bytes and get IP fragmented.
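The abstract counts records as invalid; the example below, added here and not taken from the paper or from the tlsa-survey tool it links, shows the kind of check a survey tool applies to each TLSA record: structural validation of the RFC 6698 fields (certificate usage, selector, matching type, association data) and, given certificate material, the comparison that decides whether the record actually matches. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins (assumed, not real DER); a real probe would extract them from the certificate presented in the TLS handshake.

```python
"""TLSA record checking per RFC 6698 (added illustration, not the paper's code)."""
import hashlib
import hmac
from dataclasses import dataclass

# Field values defined by RFC 6698 (acronyms from RFC 7218)
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}  # expected association-data length in bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation format such as '3 1 1 <hex>'; hex may be split by whitespace."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, matching = (int(p) for p in parts[:3])
    data = bytes.fromhex("".join(parts[3:]))
    return TLSA(usage, selector, matching, data)


def validation_errors(rec: TLSA) -> list[str]:
    """Structural checks that need no certificate: unknown field values, wrong digest length."""
    errs = []
    if rec.usage not in USAGES:
        errs.append(f"unknown usage {rec.usage}")
    if rec.selector not in SELECTORS:
        errs.append(f"unknown selector {rec.selector}")
    if rec.matching not in MATCHING:
        errs.append(f"unknown matching type {rec.matching}")
    elif rec.matching in DIGEST_LEN and len(rec.data) != DIGEST_LEN[rec.matching]:
        errs.append(f"{MATCHING[rec.matching]} digest should be "
                    f"{DIGEST_LEN[rec.matching]} bytes, got {len(rec.data)}")
    if not rec.data:
        errs.append("empty association data")
    return errs


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must hold for this certificate material."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected
    if rec.matching == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {rec.matching}")


def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True only if the record is well-formed and its data matches the certificate."""
    if validation_errors(rec):
        return False
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


# Constructed sample material (assumption): stand-ins for a leaf certificate's
# DER encoding and its SubjectPublicKeyInfo, not real ASN.1.
SAMPLE_CERT = b"constructed-leaf-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info"


def example_records() -> tuple[str, str, str]:
    """One valid DANE-EE record and two malformed ones, in presentation format."""
    good = f"3 1 1 {hashlib.sha256(SAMPLE_SPKI).hexdigest()}"
    short = "3 1 1 " + "ab" * 20          # 20-byte digest on a SHA2-256 record
    bad_usage = f"7 0 1 {hashlib.sha256(SAMPLE_CERT).hexdigest()}"
    return good, short, bad_usage


if __name__ == "__main__":
    for text in example_records():
        rec = parse_tlsa(text)
        print(text[:10], validation_errors(rec), matches(rec, SAMPLE_CERT, SAMPLE_SPKI))
```

Usage 0 and 1 records additionally require PKIX path validation of the presented chain, which this check deliberately leaves to the TLS library; the matching logic above is the DANE-specific part and is the same for all four usages.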

reference

@inproceedings{Zhu15a,
  author = {Zhu, Liang and Wessels, Duane and Mankin, Allison and Heidemann, John},
  title = {Measuring {DANE} {TLSA} Deployment},
  booktitle = {Proceedings of the 7th IEEE International Workshop on Traffic Monitoring and Analysis},
  year = {2015},
  sortdate = {2015-04-01},
  project = {ant, tdns},
  jsubject = {dns},
  pages = {219--232},
  month = apr,
  address = {Barcelona, Spain},
  publisher = {Springer},
  jlocation = {johnh: pafile},
  keywords = {DANE TLSA, DNS, PKI},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu15a.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Zhu15a.pdf},
  doi = {10.1007/978-3-319-17172-2_15},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {Springer},
  copyrightterms = {
  An author may self-archive an author-created version of his/her
  article on his/her own website and or in his/her institutional
  repository. He/she may also deposit this version on his/her funder's
  or funder's designated repository at the funder's request or as a
  result of a legal obligation, provided it is not made publicly
  available until 12 months after official publication. He/she may not
  use the publisher's PDF version, which is posted on
  \url{www.springerlink.com}, for the purpose of self-archiving or
  deposit. Furthermore, the author may only post his/her version
  provided acknowledgement is given to the original source of
  publication and a link is inserted to the published article on
  Springer's website. The link must be accompanied by the following
  text: ``The final publication is available at www.springerlink.com''.
  },
  blogurl = {https://ant.isi.edu/blog/?p=592},
  codeurl = {https://github.com/verisign/tlsa-survey}
}

copyright

An author may self-archive an author-created version of his/her article on his/her own website and or in his/her institutional repository. He/she may also deposit this version on his/her funder’s or funder’s designated repository at the funder’s request or as a result of a legal obligation, provided it is not made publicly available until 12 months after official publication. He/she may not use the publisher’s PDF version, which is posted on www.springerlink.com, for the purpose of self-archiving or deposit. Furthermore, the author may only post his/her version provided acknowledgement is given to the original source of publication and a link is inserted to the published article on Springer’s website. The link must be accompanied by the following text: “The final publication is available at www.springerlink.com”.