
One key to sign them all considered vulnerable: Evaluation of DNSSEC in the internet

Shulman, Haya; Waidner, Michael

Full text (PDF)

USENIX Association:
14th USENIX Symposium on Networked Systems Design and Implementation 2017. Conference Proceedings : Boston, MA, USA, March 27-29, 2017
Berkeley, CA, USA: USENIX, 2017
ISBN: 978-1-931971-37-9
Symposium on Networked Systems Design and Implementation (NSDI) <14, 2017, Boston/Mass.>
Conference paper, electronic publication
Fraunhofer SIT

We perform the first Internet study of the cryptographic security of DNSSEC-signed domains. To that end, we collected 2.1M DNSSEC keys for popular signed domains; 1.9M of these are RSA keys. We analyse the RSA keys and show that a large fraction of signed domains are using vulnerable keys: 35% are signed with RSA keys that share their moduli with some other domain, and 66% use keys that are too short (1024 bit or less) or keys whose modulus has a GCD > 1 with the modulus of some other domain. As we show, to a large extent the vulnerabilities are due to poor key generation practices, but also due to potentially faulty hardware or software bugs. The DNSSEC key collection and analysis is performed on a daily basis with the DNSSEC Keys Validation Engine, which we developed. The statistics as well as the DNSSEC Keys Validation Engine are made available online, as a service for Internet users.
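The three RSA checks named in the abstract (identical modulus under several domains, modulus of 1024 bits or less, and GCD > 1 between moduli of different domains) can be reproduced on a small scale. The script below is an added illustration written for this page; it is not the authors' DNSSEC Keys Validation Engine and does not reflect its internals. It parses the RSA public key field of a DNSKEY record as laid out in RFC 3110 section 2 (exponent length, exponent, modulus, base64-encoded), then runs the three checks. All keys are constructed locally from deliberately reused primes so that each failure mode shows up; the domain names are hypothetical and the toy prime generator exists only to keep the example self-contained.

```python
# Added example: re-implements the three RSA DNSKEY checks named in the abstract
# (shared modulus, modulus of 1024 bits or less, GCD > 1 with another modulus)
# on constructed toy keys. Not the authors' DNSSEC Keys Validation Engine.
import base64
import math
import random
from collections import defaultdict


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with a small trial-division prefilter (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Random prime with the top bit set, so a product of two has a known bit length."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def encode_rsa_dnskey(exponent, modulus):
    """RFC 3110 section 2 public key field: exponent length, exponent, modulus (base64)."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    # one length byte, or a zero byte plus a two-byte length for exponents longer than 255 bytes
    hdr = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return base64.b64encode(hdr + e + n).decode()


def decode_rsa_dnskey(b64):
    """Inverse of encode_rsa_dnskey; returns (exponent, modulus)."""
    raw = base64.b64decode(b64)
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    return int.from_bytes(raw[off:off + elen], "big"), int.from_bytes(raw[off + elen:], "big")


def analyse_keys(records, max_short_bits=1024):
    """records: iterable of (domain, base64 RSA DNSKEY public key field).
    Returns {domain: sorted findings}; domains with no finding are absent."""
    by_modulus = defaultdict(list)
    findings = defaultdict(set)
    for domain, key in records:
        _, n = decode_rsa_dnskey(key)
        by_modulus[n].append(domain)
        if n.bit_length() <= max_short_bits:   # "too short (1024 bit or less)"
            findings[domain].add("short")
    for n, domains in by_modulus.items():
        if len(domains) > 1:                    # identical modulus under several domains
            for d in domains:
                findings[d].add("shared_modulus")
    distinct = list(by_modulus)
    for i in range(len(distinct)):              # pairwise GCD; adequate for a toy set
        for j in range(i + 1, len(distinct)):
            if math.gcd(distinct[i], distinct[j]) > 1:
                for d in by_modulus[distinct[i]] + by_modulus[distinct[j]]:
                    findings[d].add("shared_factor")
    return {d: sorted(f) for d, f in findings.items()}


def constructed_records(seed=7):
    """Constructed sample keys (not collected from the Internet); domains are hypothetical."""
    rng = random.Random(seed)
    p_a, q_a, q_d, p_b, q_b, p_c, q_c = (_random_prime(640, rng) for _ in range(7))
    p_e, q_e = _random_prime(512, rng), _random_prime(512, rng)
    e = 65537
    return [
        ("vendor1.example", encode_rsa_dnskey(e, p_a * q_a)),  # shares prime p_a with vendor2
        ("vendor2.example", encode_rsa_dnskey(e, p_a * q_d)),
        ("clean.example", encode_rsa_dnskey(e, p_b * q_b)),
        ("dup1.example", encode_rsa_dnskey(e, p_c * q_c)),     # same modulus as dup2
        ("dup2.example", encode_rsa_dnskey(e, p_c * q_c)),
        ("short.example", encode_rsa_dnskey(e, p_e * q_e)),    # 1024-bit modulus
    ]


if __name__ == "__main__":
    for domain, issues in sorted(analyse_keys(constructed_records()).items()):
        print(f"{domain:20s} {', '.join(issues)}")
```

The pairwise GCD loop is quadratic in the number of distinct moduli, which is fine for a handful of keys but not for the 1.9M RSA keys the abstract reports; at that scale a batch GCD built on a product tree is the usual approach. The abstract does not say which method the authors used, so the loop above should be read only as the definition of the check, not as their implementation.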