Check-Repeat: A new method of measuring DNSSEC validating resolvers

  • Yu Y
  • Wessels D
  • Larson M
 et al. 
  • 18


    Mendeley users who have this article in their library.
  • 0


    Citations of this article.


As more and more authority DNS servers turn on DNS security extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper we present a query-based measurement method, called Check-Repeat, to gauge the presence of DNSSEC validating resolvers. Utilizing the fact that most validating resolver implementations retry DNS queries with a different authority server if they receive a bad DNS response, Check-Repeat can identify validating resolvers by removing the signatures from regular DNS responses and observing whether a resolver retries DNS queries.We tested Check-Repeat in different scenarios and our results showed that Check-Repeat can identify validating resolvers with a low error rate. We also cross-checked our measurement results with DNS query logs from.COM and.NET domains, and confirmed that the resolvers measured in our study can account for more than 60% of DNS queries in the Internet. © 2013 IEEE.

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document


  • Yingdi Yu

  • Duane Wessels

  • Matt Larson

  • Lixia Zhang

Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free