DNSSEC misconfigurations in popular domains

DNSSEC was designed to protect the Domain Name System (DNS) against DNS cache poisoning and domain hijacking. When widely adopted, DNSSEC is expected to facilitate a multitude of future applications and systems, as well as security mechanisms, that would use the DNS for distribution of security tokens, such as, certificates, IP prefix authentication for routing security, anti-spam mechanisms. Multiple efforts are invested in adopting DNSSEC and in evaluating challenges towards its deployment. In this work we perform a study of errors and misconfigurations in signed domains. To that end, we develop a DNSSEC framework and a webpage for reporting the most up to date statistics and provide reports with vulnerabilities and misconfigurations. Our tool also supports retrieval of historical data and enables to perform long-term studies and observations of changes in the security landscape of DNS. We make our tool and the collected data available via an online webservice.