Issue No. 05 - September/October (2011 vol. 8)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.10
Hao Yang , IBM T. J. Watson Research Center, Hawthorne
Eric Osterweil , University of California Los Angeles, Los Angeles
Dan Massey , Colorado State University, Ft Collins
Songwu Lu , University of California Los Angeles, Los Angeles
Lixia Zhang , University of California Los Angeles, Los Angeles
The DNS Security Extensions (DNSSEC) are among the first attempts to deploy cryptographic protections in an Internet-scale operational system. DNSSEC applies well-established public key cryptography to ensure data integrity and origin authenticity in the DNS system. While the cryptographic design of DNSSEC is sound and seemingly simple, its development has taken the IETF over a decade and several protocol revisions, and even today its deployment is still in the early stage of rolling out. In this paper, we provide the first systematic examination of the design, deployment, and operational challenges encountered by DNSSEC over the years. Our study reveals a fundamental gap between cryptographic designs and operational Internet systems. To be deployed in the global Internet, a cryptographic protocol must possess several critical properties including scalability, flexibility, incremental deployability, and ability to function in face of imperfect operations. We believe that the insights gained from this study can offer valuable inputs to future cryptographic designs for other Internet-scale systems.
DNSSEC, PKI hierarchy, incremental deployment, key rollover, key revocation, heterogeneous operations, distributed monitoring.
Hao Yang, Eric Osterweil, Dan Massey, Songwu Lu, Lixia Zhang, "Deploying Cryptography in Internet-Scale Systems: A Case Study on DNSSEC", IEEE Transactions on Dependable and Secure Computing, vol. 8, no. , pp. 656-669, September/October 2011, doi:10.1109/TDSC.2010.10