{"id":592,"date":"2015-02-09T15:36:51","date_gmt":"2015-02-09T23:36:51","guid":{"rendered":"http:\/\/ant.isi.edu\/blog\/?p=592"},"modified":"2025-08-26T16:10:59","modified_gmt":"2025-08-26T23:10:59","slug":"new-workshop-paper-measuring-dane-tlsa-deployment-in-tma-2015","status":"publish","type":"post","link":"https:\/\/ant.isi.edu\/blog\/?p=592","title":{"rendered":"new workshop paper \u201cMeasuring DANE TLSA Deployment\u201d in TMA 2015"},"content":{"rendered":"<p>The paper \u201c<a href=\"https:\/\/ant.isi.edu\/~johnh\/PAPERS\/Zhu15a.html\">Measuring DANE TLSA Deployment<\/a>\u201d will appear at the Traffic Monitoring and Analysis Workshop in April 2015 in Barcelona, Spain (previously available at http:\/\/www.isi.edu\/~liangzhu\/papers\/dane_tlsa.pdf).<\/p>\n<p>From the abstract:<a href=\"http:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2014\/10\/vinfo_over_time.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-548 size-medium alignright\" src=\"http:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2014\/10\/vinfo_over_time-300x180.png\" alt=\"\" width=\"300\" height=\"180\" srcset=\"https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2014\/10\/vinfo_over_time-300x180.png 300w, https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2014\/10\/vinfo_over_time-1024x614.png 1024w, https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2014\/10\/vinfo_over_time-768x461.png 768w, https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2014\/10\/vinfo_over_time-1536x922.png 1536w, https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2014\/10\/vinfo_over_time.png 2000w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<blockquote><p>The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC to provide a source of trust, and with TLSA it can serve as a root of trust for TLS certificates. This serves to complement traditional certificate authentication methods, which is important given the risks inherent in trusting hundreds of organizations\u2014risks already demonstrated with multiple compromises. The TLSA protocol was published in 2012, and this paper presents the first systematic study of its deployment. We studied TLSA usage, developing a tool that actively probes all signed zones in .com and .net for TLSA records. We find the TLSA use is early: in our latest measurement, of the 485k signed zones, we find only 997 TLSA names. We characterize how it is being used so far, and find that around 7\u201313% of TLSA records are invalid. We find 33% of TLSA responses are larger than 1500 Bytes and will very likely be fragmented.<\/p><\/blockquote>\n<p>The work in the paper is by Liang Zhu (USC\/ISI), Duane Wessels and Allison Mankin (both of Verisign Labs), and John Heidemann (USC\/ISI).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The paper \u201cMeasuring DANE TLSA Deployment\u201d will appear at the Traffic Monitoring and Analysis Workshop in April 2015 in Barcelona, Spain (previously available at http:\/\/www.isi.edu\/~liangzhu\/papers\/dane_tlsa.pdf). From the abstract: The DANE (DNS-based Authentication of Named Entities) framework uses DNSSEC to provide a source of trust, and with TLSA it can serve as a root of trust [&hellip;]<\/p>\n","protected":false},"author":620,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[284,282],"tags":[99,63,58,67,22,5,18,92,109,110,57,101,38],"class_list":["post-592","post","type-post","status-publish","format-standard","hentry","category-papers-publications","category-publications","tag-dane","tag-dns","tag-isi","tag-lacrend","tag-measurement-systems","tag-papers","tag-security","tag-tls","tag-tlsa","tag-trust","tag-usc","tag-verisign","tag-workshop"],"_links":{"self":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/592","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/users\/620"}],"replies":[{"embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=592"}],"version-history":[{"count":13,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/592\/revisions"}],"predecessor-version":[{"id":2273,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/592\/revisions\/2273"}],"wp:attachment":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=592"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=592"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=592"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}