Economic incentives on DNSSEC deployment: time to move from quantity to quality

Tho Le, Roland Van Rijswijk-Deij, Luca Allodi, Nicola Zannone

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

1 Citation (Scopus)

Abstract

The security extensions to the DNS (DNSSEC) currently cover approximately 3% of all domains worldwide. In response to the low deployment of DNSSEC, a few top-level domains started offering 'per-domain' economic incentives to encourage adoption of the protocol by offering a yearly discount on each signed domain. However, it remains unclear whether these incentives are well-balanced and foster the overall security of the infrastructure as well as its deployment at scale. In this paper we argue that, in the presence of fixed costs of deployment, misaligned 'per-domain' incentives may have the collateral effect of encouraging large operators to massively deploy unsecure implementations of DNSSEC, whereas smaller operators, for which the effect of the economic incentive is negligible, may not significantly benefit from it. To investigate this, we study the security of DNSSEC deployment at scale, particularly in TLDs that offer economic incentives. We find that the security of DNSSEC implementations in the wild poorly reflects standard recommendations, particularly for tasks that cannot be solved by triggering a flag in the DNS software service (e.g. key rollover). Further, we find that, on average, large operators deploy weak DNSSEC security more frequently than small DNSSEC operators, suggesting that current incentives are ineffective in promoting a secure adoption and in deterring insecure implementations. We conclude the paper with actionable recommendations for TLD registry operators to improve the alignment of economic incentives with secure DNSSEC requirements.

Language: English
Title of host publication: IEEE/IFIP Network Operations and Management Symposium
Subtitle of host publication: Cognitive Management in a Cyber World, NOMS 2018
Place of Publication: Brussels
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Pages: 1-9
Number of pages: 9
ISBN (Electronic): 9781538634165
DOIs: 10.1109/NOMS.2018.8406223
State: Published - 6 Jul 2018
Event: 2018 IEEE/IFIP Network Operations and Management Symposium, NOMS 2018 - Taipei, Taiwan
Duration: 23 Apr 2018 – 27 Apr 2018

Conference

Conference: 2018 IEEE/IFIP Network Operations and Management Symposium, NOMS 2018
Country: Taiwan
City: Taipei
Period: 23/04/18 – 27/04/18

Keywords

  • DNS
  • DNSSEC
  • Economic incentives
  • Measurement
  • Network security

Cite this

Le, T., Van Rijswijk-Deij, R., Allodi, L., & Zannone, N. (2018). Economic incentives on DNSSEC deployment: time to move from quantity to quality. In IEEE/IFIP Network Operations and Management Symposium: Cognitive Management in a Cyber World, NOMS 2018 (pp. 1-9). Brussels: Institute of Electrical and Electronics Engineers (IEEE). DOI: 10.1109/NOMS.2018.8406223