Measuring DANE TLSA Deployment. Zhu, L., Wessels, D., Mankin, A., & Heidemann, J. Presentation at DNS-OARC Fall Workshop, October 2014.

Abstract: As adoption of DNS Security Extensions (DNSSEC) grows, DNS-based Authentication of Named Entities (DANE) provides an alternative to traditional CA-based certificate authentication. The DANE TLSA protocol specification was published in 2012. It is generally unknown to the DNS community how widely DANE TLSA has been deployed and how TLSA records are used. In this talk, we present a survey of the current deployment of DANE TLSA. We developed PryDane, a tool for actively probing names that may have TLSA records and validating those records against the server certificates. Based on the data we collected, we conclude that DANE TLSA is not widely deployed at this time. Our probing data shows that the most common usage of TLSA records (more than 80%) is: domain-issued certificate matching the full certificate with SHA-256. Our validation results show that consistently about 7%–10% of DANE-enabled names have invalid TLSA records. We explored the reasons for these mismatches, such as wrong certificates and incorrect parameters in TLSA records.
@Misc{Zhu14c,
author = "Liang Zhu and Duane Wessels and Allison Mankin and John Heidemann",
title = "Measuring {DANE} {TLSA} Deployment",
howpublished = "Presentation at DNS-OARC Fall Workshop",
address = "Los Angeles, California, USA",
month = oct,
year = 2014,
sortdate = "2014-10-01",
jlocation = "johnh: pafile",
keywords = "DANE TLSA, DNS, PKI",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Zhu14c.pdf",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Zhu14c.pdf",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "authors",
project = "ant, lacrend, tdns",
blogurl = "https://ant.isi.edu/blog/?p=546",
abstract = "As adoption of DNS Security Extensions (DNSSEC) grows, DNS-based
Authentication of Named Entities (DANE) provides an alternative to
traditional CA-based certificate authentication. The DANE TLSA
protocol specification was published in 2012. It's generally unknown
to the DNS community how widely DANE TLSA has been deployed and how
TLSA records are used. In this talk, we present a survey of current
deployment of DANE TLSA. We developed PryDane, a tool for actively
probing names possibly having TLSA records and validating those records
with the server certificates. Based on the data we collected, we
conclude that DANE TLSA is not widely deployed at this time. Our
probing data shows the most common (more than 80\%) usage of TLSA record is:
domain-issued cert matching full cert with SHA-256. Our validation
results show there are consistently about 7\%--10\% of DANE-enabled
names having invalid TLSA records. We explored the reasons for
these mismatches, such as wrong certs and incorrect parameters in
TLSA records.",
}