Abstract by Jonathan Demke
DNS NSEC Deployment
3M - The DNS is an important component to the Internet infrastructure. The DNS maps names (such as websites) to their corresponding IP addresses. When the DNS receives a query for a name that doesn’t exist, it responds with a negative answer that contains an NSEC Record, which proves the name doesn’t exist. There are different implementations of providing a negative answer, NSEC, NSEC3, NSEC3 White Lies, and NSEC Black Lies. The purpose of this study is to analyze signed top level domain zones for their NSEC record types and implementations to learn more about the practices utilized by the organizations deploying DNSSEC. We hope to better understand the purpose a zone uses a particular NSEC record for resolving negative answers. This study will allow people to see the measurements of DNS NSEC security employed by different zones and hopefully encourage better security and privacy in the DNS to make the internet safer for all its users.