Summary
Low adoption and high misconfiguration rates continue to blunt the security benefits of DNSSEC. In this work, we aim to tackle the post-deployment challenges of DNSSEC by offering administrators clear, actionable guidance for resolving configuration errors. Our approach first utilizes the DNSViz API to extract detailed error analyses, which are then processed by our in-house tool, DFixer, to generate precise remediation instructions in an iterative process. To ensure the reliability of these instructions, we reproduce the identified errors within our controlled environment using another internal tool, ZReplicator, and validate the fixes proposed by DFixer.
Details on how we built DFixer and ZReplicator, along with their evaluation and limitations, can be found in our paper linked here.
About DNSViz
DNSViz is a tool commonly used by DNS administrators, and by curious users, to visualize the status of a DNS zone and its DNSSEC configuration. It pinpoints errors and warnings using a comprehensive set of error codes that follow the standards.
Repository
Both ZReplicator and DFixer are open-source. If you want to contribute, please follow the instructions outlined here.