
Abstract

Wednesday 24 September 14:00 - 14:30, Red room.

Nick Sullivan, CloudFlare

This paper is available online (HTML, PDF). Slides are available for download (PDF).

DNSSEC is a set of security extensions to DNS intended to provide a root of trust for DNS records. This paper is a summary of the state of the art in DNSSEC deployment and implementation on the Internet. We start with a description of Kaminsky's attack on DNS to motivate the need for trust in the DNS system. From here we describe some of the common arguments against DNSSEC including NSEC and NSEC3 walking and how DNSSEC can be an enabler for UDP reflection attacks. We then discuss useful extensions to DNSSEC, like DANE, and how these can be used to secure websites without trusting the certificate authority system. We also examine how far the effort has come in the decades since the technology was standardized, including adoption statistics and trends.
