Levin Wins Distinguished Paper Award at USENIX Security Symposium

Aug 16, 2017

Dave Levin, an assistant professor of computer science with an appointment in the Maryland Cybersecurity Center (MC2), has received a Distinguished Paper Award at the 2017 USENIX Security Symposium.

The annual symposium—held this year in Vancouver, Canada—brings together researchers, practitioners, system administrators and programmers, and others interested in the latest advances in the security and privacy of computer systems and networks.

A Longitudinal, End-to-End View of the DNSSEC Ecosystem” performs the first large-scale, longitudinal measurement study into how well the Domain Name System’s Security Extensions (DNSSEC) public key infrastructure (PKI) is managed.

DNS is critical to the operation of the internet because it is what converts between names that users can remember (like "umd.edu") to addresses that computers need to communicate (like "128.8.127.9"). DNS’s continued operation is necessary to make the internet usable, and its security is necessary to ensure we are communicating with whom we expect to be, Levin says.

The paper is co-authored by Levin, who collaborated with researchers from Northeastern University, Duke University, the Technical University of Berlin and University of Twente in the Netherlands.

DNSSEC allow clients and resolvers to verify that DNS responses have not been forged or modified in-flight. It uses a public key infrastructure (PKI) to achieve this integrity, without which users can be subject to a wide range of attacks. But DNSSEC can operate only if each of the principals in its PKI properly performs its management tasks.

The research team’s investigation revealed a pervasive mismanagement of the DNSSEC infrastructure. For example, they found that 31 percent of domains that support DNSSEC fail to publish all relevant records required for validation; 39 percent of the domains use insufficiently strong key-signing keys; and although 82 percent of resolvers in their study request DNSSEC records, only 12 percent actually attempt to validate them.

These results highlight systemic problems, Levin says, which motivate improved automation and auditing of DNSSEC management.