Internet Archive Scholar

Measuring DANE TLSA Deployment [chapter]

Liang Zhu, Duane Wessels, Allison Mankin, John Heidemann
2015 Lecture Notes in Computer Science  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (1.1 MB)
https://web.archive.org/web/20170811190617/https://www.isi.edu/~johnh/PAPERS/Zhu15a.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2017; you can also visit the original URL. The file type is application/pdf.

The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC to provide a source of trust, and with TLSA it can serve as a root of trust for TLS certificates. This serves to complement traditional certificate authentication methods, which is important given the risks inherent in trusting hundreds of organizations-risks already demonstrated with multiple compromises. The TLSA protocol was published in 2012, and this paper presents the first systematic study of its deployment. We
more » ... udied TLSA usage, developing a tool that actively probes all signed zones in .com and .net for TLSA records. We find the TLSA use is early: in our latest measurement, of the 485k signed zones, we find only 997 TLSA names. We characterize how it is being used so far, and find that around 7-13% of TLSA records are invalid. We find 33% of TLSA responses are larger than 1500 Bytes and will very likely be fragmented.
doi:10.1007/978-3-319-17172-2_15 fatcat:qbey6osfkraclb7qmjyglzoweu
Citation

Liang Zhu, Duane Wessels, Allison Mankin, John Heidemann. "Measuring DANE TLSA Deployment." Lecture Notes in Computer Science (2015) 219-232