Quantifying and Improving DNSSEC Availability

The Domain Name System (DNS) is a foundational component of today's Internet for mapping Internet names to addresses. With the DNS Security Extensions (DNSSEC) DNS responses can be cryptographically verified to prevent malicious tampering. The protocol complexity and administrative overhead associated with DNSSEC can significantly impact the potential for name resolution failure. We present metrics for assessing the quality of a DNSSEC deployment, based on its potential for resolution failure in the presence of DNSSEC misconfiguration. We introduce a metric to analyze the administrative complexity of a DNS configuration, which contributes to its failure potential. We then discuss a technique which uses soft anchoring to increase robustness in spite of misconfigurations. We analyze a representative set of production signed DNS zones and determine that 28% of the validation failures we encountered would be mitigated by the soft anchoring technique we propose.