%0 Conference Proceedings
%T Measuring DANE TLSA Deployment
%+ University of Southern California (USC)
%+ Verisign Labs [San Francisco]
%A Zhu, Liang
%A Wessels, Duane
%A Mankin, Allison
%A Heidemann, John
%Z Part 5: New Protocols
%< avec comité de lecture
%( Lecture Notes in Computer Science
%B 7th Workshop on Traffic Monitoring and Analysis (TMA)
%C Barcelona, Spain
%Y Moritz Steiner
%Y Pere Barlet-Ros
%Y Olivier Bonaventure
%3 Traffic Monitoring and Analysis
%V LNCS-9053
%P 219-232
%8 2015-04-21
%D 2015
%R 10.1007/978-3-319-17172-2_15
%Z Computer Science [cs]
%Z Computer Science [cs]/Networking and Internet Architecture [cs.NI]Conference papers
%X The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC to provide a source of trust, and with TLSA it can serve as a root of trust for TLS certificates. This serves to complement traditional certificate authentication methods, which is important given the risks inherent in trusting hundreds of organizations—risks already demonstrated with multiple compromises. The TLSA protocol was published in 2012, and this paper presents the first systematic study of its deployment. We studied TLSA usage, developing a tool that actively probes all signed zones in .com and .net for TLSA records. We find the TLSA use is early: in our latest measurement, of the 485k signed zones, we find only 997 TLSA names. We characterize how it is being used so far, and find that around 7–13 % of TLSA records are invalid. We find 33 % of TLSA responses are larger than 1500 Bytes and will very likely be fragmented.
%G English
%Z TC 6
%Z WG 6.6
%2 https://hal.science/hal-01411197/document
%2 https://hal.science/hal-01411197/file/336978_1_En_15_Chapter.pdf
%L hal-01411197
%U https://hal.science/hal-01411197
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-TC
%~ IFIP-TC6
%~ IFIP-TMA
%~ IFIP-WG6-6
%~ IFIP-LNCS-9053