John Heidemann

Measuring DANE TLSA Deployment

TitleMeasuring DANE TLSA Deployment
Publication TypeConference Paper
Year of Publication2015
AuthorsL. Zhu, D. Wessels, A. Mankin, and J. Heidemann
Date Publishedapr
Conference LocationBarcelona, Spain

The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC to provide a source of trust, and with TLSA it can serve as a root of trust for TLS certificates. This serves to complement traditional certificate authentication methods, which is important given the risks inherent in trusting hundreds of organizations–-risks already demonstrated with multiple compromises. The TLSA protocol was published in 2012, and this paper presents the first systematic study of its deployment. We studied TLSA usage, developing a tool that actively probes all signed zones in \ and \ for TLSA records. We find the TLSA use is early: in our latest measurement, of the 485k signed zones, we find only 997 TLSA names. We characterize how it is being used so far, and find that around 7–13% of TLSA records are invalid. We find 33% of TLSA responses are larger than 1500 Bytes and get IP fragmented.