Measuring DANE TLSA Deployment. Zhu, L., Wessels, D., Mankin, A., & Heidemann, J. In Proceedings of the 7th IEEE International Workshop on Traffic Monitoring and Analysis, pages 219–232, Barcelona, Spain, April, 2015. Springer.
The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC to provide a source of trust, and with TLSA it can serve as a root of trust for TLS certificates. This serves to complement traditional certificate authentication methods, which is important given the risks inherent in trusting hundreds of organizations, risks already demonstrated with multiple compromises. The TLSA protocol was published in 2012, and this paper presents the first systematic study of its deployment. We studied TLSA usage, developing a tool that actively probes all signed zones in .com and .net for TLSA records. We find that TLSA use is early: in our latest measurement, of the 485k signed zones, we find only 997 TLSA names. We characterize how it is being used so far, and find that around 7–13% of TLSA records are invalid. We find 33% of TLSA responses are larger than 1500 bytes and get IP fragmented.
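Two of the findings above are things a practitioner can check locally: whether a TLSA record is well formed at all, and whether it actually matches the certificate a server presents. The following is an added example written for this page; it is not the authors' survey tool and does not reproduce the paper's validity criteria. It parses presentation-format TLSA records, rejects unassigned usage, selector and matching-type values and digests of the wrong length, then applies the RFC 6698 selector and matching-type rules against a certificate. The certificate is a constructed placeholder with the ASN.1 shape of an X.509 v3 certificate but dummy key and signature bytes; the small DER walker assumes well-formed input; and nothing here validates DNSSEC, signatures or chains. The verdict labels ("invalid", "match", "mismatch") and every function name are this example's own.

```python
# Added example, not code from the paper or its survey tool: parse TLSA records,
# flag malformed ones, and check the rest against a certificate per RFC 6698.
import hashlib
from collections import namedtuple

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}   # RFC 7218 names
SELECTORS, MATCHING = {0: "Cert", 1: "SPKI"}, {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}                                          # bytes per digest type
TLSA = namedtuple("TLSA", "usage selector matching_type data")


def parse_tlsa(text: str) -> TLSA:
    """Parse '<usage> <selector> <mtype> <hex...>'; zone files may split the hex."""
    f = text.split()
    if len(f) < 4:
        raise ValueError("need usage, selector, matching type and data")
    usage, selector, mtype = (int(x) for x in f[:3])        # int()/fromhex raise on junk
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(f[3:])))


def lint_tlsa(rec: TLSA) -> list:
    """Problems visible without any certificate: unassigned values, wrong digest length."""
    p = [f"unassigned {name} {val}" for name, val, known in
         (("usage", rec.usage, USAGES), ("selector", rec.selector, SELECTORS),
          ("matching type", rec.matching_type, MATCHING)) if val not in known]
    want = DIGEST_LEN.get(rec.matching_type)                # None for Full or unassigned
    if want is not None and len(rec.data) != want:
        p.append(f"{MATCHING[rec.matching_type]} data is {len(rec.data)} bytes, want {want}")
    return p


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Selector picks the bytes, matching type the comparison (RFC 6698 2.1). Lint first."""
    subject = cert_der if rec.selector == 0 else spki_der
    if rec.matching_type == 1:
        subject = hashlib.sha256(subject).digest()
    elif rec.matching_type == 2:
        subject = hashlib.sha512(subject).digest()
    return rec.data == subject


def der(tag: int, body: bytes) -> bytes:                     # encode one DER TLV (sample only)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_tlv(buf: bytes, pos: int):                           # -> (tag, value_start, end)
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if ln & 0x80:                                            # long-form length
        hdr += ln & 0x7F
        ln = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + ln


def spki_from_cert(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 4.1)."""
    _, pos, _ = der_tlv(cert_der, 0)                         # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)                       # TBSCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                                       # serialNumber, signature, issuer,
        _, _, pos = der_tlv(cert_der, pos)                   # validity, subject
    tag, _, end = der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert_der[pos:end]                                 # the bytes selector 1 covers


# Constructed placeholder with the ASN.1 shape of an X.509 v3 certificate; key bits
# and signature are dummies, so it proves nothing and verifies nowhere.
_NULL = der(0x05, b"")
_SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + _NULL)   # sha256WithRSA
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + _NULL)
                  + der(0x03, b"\x00" + bytes(range(1, 65))))    # rsaEncryption + dummy key
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SIG_ALG   # v3, serial, sigalg
         + der(0x30, b"") + der(0x30, der(0x17, b"150401000000Z") * 2)           # issuer, validity
         + der(0x30, b"") + SAMPLE_SPKI)                                         # subject, SPKI
SAMPLE_CERT = der(0x30, _TBS + _SIG_ALG + der(0x03, b"\x00" + bytes(8)))


def check_records(records: list, cert_der: bytes) -> dict:
    """Classify records against one certificate: 'invalid: ...', 'match' or 'mismatch'."""
    spki, verdicts = spki_from_cert(cert_der), {}
    for text in records:
        try:
            rec = parse_tlsa(text)
            problems = lint_tlsa(rec)
        except ValueError as exc:
            problems = [str(exc)]
        verdicts[text] = ("invalid: " + "; ".join(problems) if problems else
                          "match" if tlsa_matches(rec, cert_der, spki) else "mismatch")
    return verdicts


def sample_records() -> list:
    """Constructed records for SAMPLE_CERT: two that match, three that must not pass."""
    spki_sha256 = hashlib.sha256(SAMPLE_SPKI).hexdigest()
    return [f"3 1 1 {spki_sha256}",                                  # DANE-EE, SPKI, SHA-256
            f"0 0 2 {hashlib.sha512(SAMPLE_CERT).hexdigest()}",      # PKIX-TA, full cert, SHA-512
            f"3 1 1 {spki_sha256[:60]}",                             # truncated digest
            "3 1 1 " + "00" * 32,                                    # right shape, other key
            f"7 1 1 {spki_sha256}"]                                  # unassigned usage
```

Calling `check_records(sample_records(), SAMPLE_CERT)` yields two matches, one mismatch (a well-formed digest for some other key, which only a certificate comparison can catch) and two records that fail before any certificate is consulted. For real zones, replace `SAMPLE_CERT` with the DER certificate fetched from the TLS endpoint the TLSA owner name refers to; the usage field (PKIX-* vs DANE-*) decides whether PKIX chain validation is still required, which this example deliberately leaves out.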
@InProceedings{Zhu15a,
	author = 	"Liang Zhu and Duane Wessels and Allison
 Mankin and John Heidemann",
	title = "Measuring {DANE} {TLSA} Deployment",
	booktitle = 	"Proceedings of the " # "7th" # " IEEE International Workshop on Traffic Monitoring and Analysis",
	year = 		2015,
	sortdate = 		"2015-04-01",
	project = "ant, tdns",
	jsubject = "dns",
	pages = 	"219--232",
	month = 	apr,
	address = 	"Barcelona, Spain",
	publisher = 	"Springer",
	jlocation = 	"johnh: pafile",
	keywords = 	"DANE TLSA, DNS, PKI",
	url =	"https://ant.isi.edu/%7ejohnh/PAPERS/Zhu15a.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Zhu15a.pdf",
	doi = 	"10.1007/978-3-319-17172-2_15",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "Springer",
	copyrightterms = "An author may self-archive an author-created version of his/her article on his/her own website and or in his/her institutional repository. He/she may also deposit this version on his/her funder's or funder's designated repository at the funder's request or as a result of a legal obligation, provided it is not made publicly available until 12 months after official publication. He/she may not use the publisher's PDF version, which is posted on \url{www.springerlink.com}, for the purpose of self-archiving or deposit. Furthermore, the author may only post his/her version provided acknowledgement is given to the original source of publication and a link is inserted to the published article on Springer's website. The link must be accompanied by the following text: ``The final publication is available at www.springerlink.com''. " ,
	blogurl = 	"https://ant.isi.edu/blog/?p=592",
	codeurl = 	"https://github.com/verisign/tlsa-survey",
	abstract = "The DANE (DNS-based Authentication of Named Entities) framework uses
DNSSEC to provide a source of trust, and with TLSA it can serve as a
root of trust for TLS certificates.  This serves to complement
traditional certificate authentication methods, which is important
given the risks inherent in trusting hundreds of organizations---risks
already demonstrated with multiple compromises.  The TLSA protocol was
published in 2012, and this paper presents the first systematic study
of its deployment.  We studied TLSA usage, developing a tool that
actively probes all signed zones in \url{.com} and \url{.net} for TLSA
records.  We find that TLSA use is early:  in our latest measurement,
of the 485k signed zones, we find only 997 TLSA names.  We
characterize how it is being used so far, and find that around 7--13\%
of TLSA records are invalid.  We find 33\% of TLSA responses are
larger than 1500 bytes and get IP fragmented.",
}
