Publisher URL: https://arxiv.org/abs/2109.08783
Publisher DOI: 10.1109/TNSM.2022.3195406
Title: From the beginning: key transitions in the first 15 years of DNSSEC
Language: English
Authors: Osterweil, Eric 
Tehrani, Pouyan Fotouhi 
Schmidt, Thomas C.  
Wählisch, Matthias 
Keywords: Cryptography; DNSSEC; Domain Name System; Information security; Internet; Internet measurement; key rollover; Monitoring; PKI; Rollover; Sea measurements; Security; Servers
Issue Date: 2022
Publisher: IEEE
Source: Preprint: https://arxiv.org/abs/2109.08783. Verlagsversion: https://doi.org/10.1109/TNSM.2022.3195406.
Journal or Series Name: IEEE transactions on network and service management 
Volume: 19
Issue: 4
Startpage: 5265
Endpage: 5283
Abstract: 
When the global rollout of the DNS Security Extensions (DNSSEC) began in 2005, it started a first-of-its-kind trial: increasing complexity of a core Internet protocol in favor of better security for the overall Internet. The necessary cryptographic key management is made particularly challenging by DNS' loosely-federated delegation substrate and unprecedented cryptographic scale. Though fundamental for current and future operational success, our community lacks a clear notion of how to empirically evaluate the process of securely changing (or transitioning) keys. In this paper, we propose two building blocks to fundamentally understand and assess key transitions. First, the anatomy of key transitions: measurable and well-defined properties of key changes; and second a novel classification model based on this anatomy to describe key transitions practices in abstract terms. Our anatomy enables the evaluation of cryptographic keys' life cycles in general, and comparison of operational practices with prescribed key management processes, e.g., RFC key rollover guidelines. The fine-grained transition anatomy is then abstracted through our classification model to characterize transitions in abstract terms which rather describe a transition's behavior than its specific features. The applicability and utility of our proposed transition anatomy and transition classes are exemplified for the global DNSSEC deployment. Specifically, we use measurements from the first 15 years of the DNSSEC rollout to detect and measure which key rollover/transitions have been used, to what degree, and what their rates of errors and warnings have been. Our results show measurable gaps between prescribed key management processes and key transitions in the wild. We also find evidence that such noncompliant transitions are inevitable in the wild.
URI: http://hdl.handle.net/20.500.12738/12389
ISSN: 1932-4537
Review status: This version was peer reviewed (peer review)
Institute: Department Informatik 
Fakultät Technik und Informatik 
Type: Article
Appears in Collections:Publications without full text

Show full item record

Page view(s)

186
checked on Dec 26, 2024

Google ScholarTM

Check

HAW Katalog

Check

Add Files to Item

Note about this record


This item is licensed under a Creative Commons License Creative Commons