Quantifying and Improving DNSSEC Availability
The Domain Name System (DNS) is a foundational component of today's Internet, mapping Internet names to addresses. With the DNS Security Extensions (DNSSEC), DNS responses can be cryptographically verified to prevent malicious tampering. The protocol complexity and administrative overhead associated with DNSSEC can significantly impact the potential for name resolution failure. The authors present metrics for assessing the quality of a DNSSEC deployment, based on its potential for resolution failure in the presence of DNSSEC misconfiguration. They introduce a metric to analyze the administrative complexity of a DNS configuration, which contributes to its failure potential. They then discuss a technique that uses soft anchoring to increase robustness in spite of misconfigurations.