Measuring DANE TLSA Deployment - Traffic Monitoring and Analysis Access content directly
Conference Papers Year : 2015

Measuring DANE TLSA Deployment

Liang Zhu
  • Function : Author
  • PersonId : 995538
Duane Wessels
  • Function : Author
  • PersonId : 995539
Allison Mankin
  • Function : Author
  • PersonId : 995540


The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC to provide a source of trust, and with TLSA it can serve as a root of trust for TLS certificates. This serves to complement traditional certificate authentication methods, which is important given the risks inherent in trusting hundreds of organizations—risks already demonstrated with multiple compromises. The TLSA protocol was published in 2012, and this paper presents the first systematic study of its deployment. We studied TLSA usage, developing a tool that actively probes all signed zones in .com and .net for TLSA records. We find the TLSA use is early: in our latest measurement, of the 485k signed zones, we find only 997 TLSA names. We characterize how it is being used so far, and find that around 7–13 % of TLSA records are invalid. We find 33 % of TLSA responses are larger than 1500 Bytes and will very likely be fragmented.
Fichier principal
Vignette du fichier
336978_1_En_15_Chapter.pdf (1.01 Mo) Télécharger le fichier
Origin : Files produced by the author(s)

Dates and versions

hal-01411197 , version 1 (07-12-2016)





Liang Zhu, Duane Wessels, Allison Mankin, John Heidemann. Measuring DANE TLSA Deployment. 7th Workshop on Traffic Monitoring and Analysis (TMA), Apr 2015, Barcelona, Spain. pp.219-232, ⟨10.1007/978-3-319-17172-2_15⟩. ⟨hal-01411197⟩
87 View
222 Download



Gmail Facebook X LinkedIn More