The DNS Security Extensions (DNSSEC) are among the first attempts to add cryptographic protection to large-scale operational systems. DNSSEC uses well-established public-key cryptography to authenticate DNS data. Despite its perceived need and seemingly simple cryptographic design, DNSSEC development took over a decade and several protocol revision cycles, and its deployment is barely visible on the horizon today. This talk identifies technical issues that were missed in the original DNSSEC design, the mismatch between the design and the reality, and unforeseen difficulties in deploying cryptographic protections. Using DNSSEC as a showcase, this talk exemplifies the gap between cryptographic theory and its application to the operational Internet, and identifies directions for adding effective cryptographic protections to the Internet.
Lixia Zhang received her Ph.D. in computer science from the Massachusetts Institute of Technology. She was a member of the research staff at the Xerox Palo Alto Research Center (Xerox PARC) before joining the faculty of UCLA's Computer Science Department in 1996. In the past she served as the vice chair of ACM SIGCOMM, Co-Chair of IEEE Communication Society Internet Technical Committee, and on the editorial board for the IEEE/ACM Transactions on Networking. Zhang is a fellow of both ACM and IEEE. She is currently serving on the Internet Architecture Board (IAB), and co-chairs the Routing Research Group under IRTF.