Check-Repeat: A New Method of Measuring DNSSEC Validating Resolvers

As more and more authority DNS servers turn on DNS SECurity extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper, the authors present a query-based measurement method, called Check-Repeat, to gauge the presence of DNSSEC validating resolvers. Utilizing the fact that most validating resolver implementations retry DNS queries with a different authority server if they receive a bad DNS response, Check-Repeat can identify validating resolvers by removing the signatures from regular DNS responses and observing whether a resolver retries DNS queries.

Provided by: Verisec AB Topic: Networking Date Added: Jan 2013 Format: PDF
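The retry check described in the abstract can be sketched as a classifier over authority-side query logs. This is an added example, not code from the paper or its authors; the log fields, the verdict labels and the 5-second retry window are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of an authority-side query log (not data from the paper).
# Fields: (time_s, resolver_ip, qname, authority_server, rrsigs_stripped)
SAMPLE_LOG = [
    (0.00, "192.0.2.10", "t1.example.", "ns1", True),   # got unsigned answer
    (0.05, "192.0.2.10", "t1.example.", "ns2", False),  # retried elsewhere
    (0.00, "192.0.2.20", "t2.example.", "ns1", True),   # accepted it, no retry
    (0.00, "192.0.2.30", "t3.example.", "ns1", True),
    (0.04, "192.0.2.30", "t3.example.", "ns1", False),  # repeat to SAME server
    (0.00, "192.0.2.40", "t4.example.", "ns2", False),  # never probed
]

RANK = {"unknown": 0, "no-retry": 1, "validating": 2}

def classify_resolvers(log, window_s=5.0):
    """Return {resolver_ip: verdict}.

    'validating': after an answer with signatures removed, the resolver asked
                  a different authority server for the same name in the window.
    'no-retry'  : it was probed but never moved to another server. The abstract
                  says most (not all) validators retry, so this is not proof
                  that the resolver skips validation.
    'unknown'   : it never received a stripped answer.
    """
    probes = defaultdict(list)
    for t, resolver, qname, server, stripped in log:
        probes[(resolver, qname)].append((t, server, stripped))

    verdicts = {}
    for (resolver, _qname), events in probes.items():
        events.sort()  # chronological order within one probe name
        outcome = "unknown"
        for i, (t0, server0, stripped) in enumerate(events):
            if not stripped:
                continue
            outcome = max(outcome, "no-retry", key=RANK.get)
            later = events[i + 1:]
            if any(s != server0 and t - t0 <= window_s for t, s, _ in later):
                outcome = "validating"
        # A resolver probed under several names keeps its strongest verdict.
        previous = verdicts.get(resolver, "unknown")
        verdicts[resolver] = max(previous, outcome, key=RANK.get)
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_resolvers(SAMPLE_LOG).items()):
        print(ip, verdict)
```
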
