{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T01:09:13Z","timestamp":1777338553446,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":58,"publisher":"ACM","funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2339378"],"award-info":[{"award-number":["CNS-2339378"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,9,8]]},"DOI":"10.1145\/3718958.3754351","type":"proceedings-article","created":{"date-parts":[[2025,8,27]],"date-time":"2025-08-27T16:54:11Z","timestamp":1756313651000},"page":"882-895","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Reliable and Decentralized Certificate Revocation via DNS: The Case for RevDNS"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4323-4080","authenticated-orcid":false,"given":"Taejoong","family":"Chung","sequence":"first","affiliation":[{"name":"Virginia Tech, Blacksburg, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4957-5131","authenticated-orcid":false,"given":"Dave","family":"Levin","sequence":"additional","affiliation":[{"name":"University of Maryland, Maryland, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-7636-6603","authenticated-orcid":false,"given":"Protick","family":"Bhowmick","sequence":"additional","affiliation":[{"name":"Virginia Tech, Blacksburg, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,8,27]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Ballot SC063v4: Make OCSP Optional Require CRLs and Incentivize Automation. https:\/\/cabforum.org\/2023\/07\/14\/ballot-sc063v4-make-ocsp-optional-require-crls-and-incentivize-automation\/."},{"key":"e_1_3_2_1_2_1","unstructured":"Use of DNSSEC Validation for World (XA). https:\/\/stats.labs.apnic.net\/dnssec\/XA."},{"key":"e_1_3_2_1_3_1","unstructured":"WebPKI and Digital Signature related M&A + Investment + Public Offerings. 2023. https:\/\/gist.github.com\/rmhrisk\/c0afbb7e444dab9cf76936e24d4b32e8."},{"key":"e_1_3_2_1_4_1","unstructured":"C. Arthur. DigiNotar SSL certificate hack amounts to cyberwar says expert. The Guardian. http:\/\/www.theguardian.com\/technology\/2011\/sep\/05\/diginotar-certificate-hack-cyberwar."},{"key":"e_1_3_2_1_5_1","volume-title":"OCSP systems at scale are complex","author":"Aas J.","year":"2024","unstructured":"J. Aas. OCSP systems at scale are complex. 2024. https:\/\/news.ycombinator.com\/item?id=41047832."},{"key":"e_1_3_2_1_6_1","volume-title":"IETF","author":"Arends R.","year":"2005","unstructured":"R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. RFC 4033, IETF, 2005. http:\/\/www.ietf.org\/rfc\/rfc4033.txt."},{"key":"e_1_3_2_1_7_1","volume-title":"IETF","author":"Arends R.","year":"2005","unstructured":"R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. RFC 4035, IETF, 2005. http:\/\/www.ietf.org\/rfc\/rfc4035.txt."},{"key":"e_1_3_2_1_8_1","volume-title":"IETF","author":"Arends R.","year":"2005","unstructured":"R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. RFC 4034, IETF, 2005. http:\/\/www.ietf.org\/rfc\/rfc4034.txt."},{"key":"e_1_3_2_1_9_1","unstructured":"APNIC DNSSEC validation rate. https:\/\/stats.labs.apnic.net\/dnssec."},{"key":"e_1_3_2_1_10_1","unstructured":"Announcing Six Day and IP Address Certificate Options in 2025. https:\/\/letsencrypt.org\/2025\/01\/16\/6-day-and-ip-certs\/."},{"key":"e_1_3_2_1_11_1","unstructured":"Announcing Universal DNSSEC: Secure DNS for Every Domain. https:\/\/blog.cloudflare.com\/introducing-universal-dnssec."},{"key":"e_1_3_2_1_12_1","volume-title":"IMC","author":"Boettger T.","year":"2019","unstructured":"T. Boettger, F. Cuadrado, G. Antichi, E. L. Fernandes, G. Tyson, I. Castro, and S. Uhlig. An Empirical Study of the Cost of DNS-over-HTTPS. IMC, 2019."},{"key":"e_1_3_2_1_13_1","unstructured":"Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates CA\/Browser Forum. https:\/\/cabforum.org\/wp-content\/uploads\/CA-Browser-Forum-BR-2.0.2.pdf."},{"key":"e_1_3_2_1_14_1","volume-title":"IETF","author":"Cooper D.","year":"2008","unstructured":"D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280, IETF, 2008. http:\/\/www.ietf.org\/rfc\/rfc5280.txt."},{"key":"e_1_3_2_1_15_1","unstructured":"K. Christofferson. Let's Encrypt improves how we manage OCSP responses. https:\/\/letsencrypt.org\/2022\/12\/15\/ocspcaching."},{"key":"e_1_3_2_1_16_1","volume-title":"IMC","author":"Chung T.","year":"2018","unstructured":"T. Chung, J. Lok, B. Chandrasekaran, D. Choffnes, D. Levin, B. Maggs, A. Mislove, J. Rula, N. Sullivan, and C. Wilson. Is the Web Ready for OCSP Must Staple? IMC, 2018."},{"key":"e_1_3_2_1_17_1","volume-title":"End-to-End View of the DNSSEC Ecosystem. USENIX Security","author":"Chung T.","year":"2017","unstructured":"T. Chung, R. van Rijswijk-Deij, B. Chandrasekaran, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson. A Longitudinal, End-to-End View of the DNSSEC Ecosystem. USENIX Security, 2017."},{"key":"e_1_3_2_1_18_1","volume-title":"IMC","author":"Chung T.","year":"2017","unstructured":"T. Chung, R. van Rijswijk-Deij, D. Choffnes, A. Mislove, C. Wilson, D. Levin, and B. M. Maggs. Understanding the Role of Registrars in DNSSEC Deployment. IMC, 2017."},{"key":"e_1_3_2_1_19_1","volume-title":"EuroSec","author":"Chariton A. A.","year":"2016","unstructured":"A. A. Chariton, E. Degkleri, P. Papadopoulos, P. Ilia, and E. P. Markatos. DCSP: Performant Certificate Revocation a DNS-based approach. EuroSec, 2016."},{"key":"e_1_3_2_1_20_1","unstructured":"CA\/Revocation Checking in Firefox. https:\/\/wiki.mozilla.org\/CA\/Revocation_Checking_in_Firefox."},{"key":"e_1_3_2_1_21_1","unstructured":"CAIDA ASOrganizations Dataset. http:\/\/www.caida.org\/data\/as-organizations\/."},{"key":"e_1_3_2_1_22_1","unstructured":"Censys. https:\/\/censys.io\/."},{"key":"e_1_3_2_1_23_1","unstructured":"Cloudflare 1.1.1.1 (DNS Resolver). https:\/\/developers.cloudflare.com\/1.1.1.1\/faq\/."},{"key":"e_1_3_2_1_24_1","unstructured":"Common CA Database. https:\/\/www.ccadb.org\/."},{"key":"e_1_3_2_1_25_1","volume-title":"TMA","author":"Deccio C.","year":"2025","unstructured":"C. Deccio and B. Tessem. On Aggressive Negative Caching in DNS Resolvers. TMA, 2025."},{"key":"e_1_3_2_1_26_1","volume-title":"Morgan Kaufmann","author":"Dubuisson O.","year":"2001","unstructured":"O. Dubuisson. ASN.1 communication between heterogeneous systems. Morgan Kaufmann, 2001."},{"key":"e_1_3_2_1_27_1","unstructured":"DNS flag day 2020. https:\/\/www.dnsflagday.net\/2020\/."},{"key":"e_1_3_2_1_28_1","unstructured":"DNSSECDeploymentStatistics. https:\/\/stats.dnssec-tools.org\/."},{"key":"e_1_3_2_1_29_1","unstructured":"Default OneCRL Data. https:\/\/firefox.settings.services.mozilla.com\/v1\/buckets\/security-state\/collections\/onecrl\/records."},{"key":"e_1_3_2_1_30_1","volume-title":"IETF","author":"Eastlake D.","year":"1999","unstructured":"D. Eastlake. Domain Name System Security Extensions. IETF RFC 2535, IETF, 1999."},{"key":"e_1_3_2_1_31_1","volume-title":"IETF","author":"Elz R.","year":"1997","unstructured":"R. Elz and R. Bush. Clarifications to the DNS Specification. RFC 2181, IETF, 1997."},{"key":"e_1_3_2_1_32_1","unstructured":"Ending OCSP Support in 2025. https:\/\/letsencrypt.org\/2024\/12\/05\/ending-ocsp\/."},{"key":"e_1_3_2_1_33_1","volume-title":"RFC Editor","author":"Fujiwara K.","year":"2017","unstructured":"K. Fujiwara, A. Kato, and W. Kumari. Aggressive Use of DNSSEC-Validated Cache. RFC 8198, RFC Editor, 2017."},{"key":"e_1_3_2_1_34_1","unstructured":"Firefox DNS-over-HTTPS. https:\/\/support.mozilla.org\/en-US\/kb\/firefox-dns-over-https."},{"key":"e_1_3_2_1_35_1","volume-title":"Google Security Blog: Google Public DNS Now Supports DNSSEC Validation. https:\/\/security.googleblog.com\/2013\/03\/google-public-dns-now-supports-dnssec.html","author":"Gu Y.","year":"2013","unstructured":"Y. Gu. Google Security Blog: Google Public DNS Now Supports DNSSEC Validation. https:\/\/security.googleblog.com\/2013\/03\/google-public-dns-now-supports-dnssec.html, 2013."},{"key":"e_1_3_2_1_36_1","unstructured":"GLAM: Glean Aggregated Metrics Explorer - Mozilla. https:\/\/glam.telemetry.mozilla.org\/?"},{"key":"e_1_3_2_1_37_1","volume-title":"Let's Encrypt to end OCSP support","author":"Helme S.","year":"2025","unstructured":"S. Helme. Let's Encrypt to end OCSP support in 2025. 2024. https:\/\/scotthelme.co.uk\/lets-encrypt-to-end-ocsp-support-in-2025\/."},{"key":"e_1_3_2_1_38_1","volume-title":"On the universality of rank distributions of website popularity. Computer Networks, 50(11)","author":"Krashakov S. A.","year":"2006","unstructured":"S. A. Krashakov, A. B. Teslyuk, and L. N. Shchur. On the universality of rank distributions of website popularity. Computer Networks, 50(11), 2006."},{"key":"e_1_3_2_1_39_1","volume-title":"Revocation checking and Chrome's CRL","author":"Langley A.","year":"2012","unstructured":"A. Langley. Revocation checking and Chrome's CRL. 2012. https:\/\/www.imperialviolet.org\/2012\/02\/05\/crlsets.html."},{"key":"e_1_3_2_1_40_1","volume-title":"CRLite: a Scalable System for Pushing all TLS Revocations to Browsers","author":"Larisch J.","year":"2017","unstructured":"J. Larisch, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson. CRLite: a Scalable System for Pushing all TLS Revocations to Browsers. IEEE S&P, 2017."},{"key":"e_1_3_2_1_41_1","unstructured":"J. Livingood. Comcast Voices: Comcast Completes DNSSEC Deployment. http:\/\/corporate.comcast.com\/comcast-voices\/comcast-completes-dnssec-deployment 2012."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2815675.2815685"},{"key":"e_1_3_2_1_43_1","volume-title":"IETF","author":"Myers M.","year":"1999","unstructured":"M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. IETF RFC 2560, IETF, 1999."},{"key":"e_1_3_2_1_44_1","volume-title":"IETF","author":"Mockapetris P.","year":"1987","unstructured":"P. Mockapetris. Domain Names - Concepts and Facilities. RFC 1034, IETF, 1987."},{"key":"e_1_3_2_1_45_1","volume-title":"SIGCOMM","author":"Mockapetris P. V.","year":"1988","unstructured":"P. V. Mockapetris and K. J. Dunlap. Development of the Domain Name System. SIGCOMM, 1988."},{"key":"e_1_3_2_1_46_1","unstructured":"Mozilla: CRLite: Speeding Up Secure Browsing. https:\/\/blog.mozilla.org\/security\/2020\/01\/21\/crlite-part-3-speeding-up-secure-browsing\/."},{"key":"e_1_3_2_1_47_1","unstructured":"J. Nielsen. Zipf Curves and Website Popularity. https:\/\/www.nngroup.com\/articles\/zipf-curves-and-website-popularity\/."},{"key":"e_1_3_2_1_48_1","volume-title":"IETF","author":"Pala M.","year":"2017","unstructured":"M. Pala. OCSP over DNS (ODIN). draft-pala-odin-03, IETF, 2017."},{"key":"e_1_3_2_1_49_1","unstructured":"Revoking Intermediate Certificates: Introducing OneCRL. Mozilla Security Blog. http:\/\/mzl.la\/1zLFp7M."},{"key":"e_1_3_2_1_50_1","volume-title":"CloudFlare","author":"Sullivan N.","year":"2017","unstructured":"N. Sullivan. High-reliability OCSP stapling and why it matters. CloudFlare, 2017. https:\/\/blog.cloudflare.com\/high-reliability-ocsp-stapling\/."},{"key":"e_1_3_2_1_51_1","volume-title":"SECURITY RELEVANT for CAs: The curious case of the Dangerous Delegated Responder Cert","author":"Sleevi R.","year":"2020","unstructured":"R. Sleevi. SECURITY RELEVANT for CAs: The curious case of the Dangerous Delegated Responder Cert. 2020. https:\/\/groups.google.com\/g\/mozilla.dev.security.policy\/c\/EzjIkNGfVEE\/m\/XSfw4tZPBwAJ?pli=1."},{"key":"e_1_3_2_1_52_1","volume-title":"IETF","author":"Santesson S.","year":"2013","unstructured":"S. Santesson, M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC 6960 (Proposed Standard), IETF, 2013."},{"key":"e_1_3_2_1_53_1","unstructured":"SC-081: Introduce Schedule of Reducing Validity and Data Reuse Periods. https:\/\/github.com\/cabforum\/servercert\/pull\/553."},{"key":"e_1_3_2_1_54_1","volume-title":"NDSS","author":"Trevor S.","year":"2020","unstructured":"S. Trevor, D. Luke, and S. Kent. Let's revoke: Scalable global certificate revocation. NDSS, 2020."},{"key":"e_1_3_2_1_55_1","unstructured":"The Chromium Projects. https:\/\/www.chromium.org\/Home\/chromium-security\/crlsets\/."},{"key":"e_1_3_2_1_56_1","unstructured":"Verisign will help strengthen security with dnssec algorithm update. https:\/\/blog.verisign.com\/security\/dnssec-algorithm-update\/."},{"key":"e_1_3_2_1_57_1","volume-title":"IETF","author":"Wouters P.","year":"2019","unstructured":"P. Wouters, O. Sury, and I. S. Consortium. Algorithm Implementation Requirements and Usage Guidance for DNSSEC. IETF, 2019."},{"key":"e_1_3_2_1_58_1","volume-title":"IMC","author":"Zhang L.","year":"2014","unstructured":"L. Zhang, D. Choffnes, T. Dumitra\u015f, D. Levin, A. Mislove, A. Schulman, and C. Wilson. Analysis of SSL certificate reissues and revocations in the wake of Heartbleed. IMC, 2014."}],"event":{"name":"SIGCOMM '25: ACM SIGCOMM 2025 Conference","location":"S\u00e3o Francisco Convent Coimbra Portugal","acronym":"SIGCOMM '25","sponsor":["SIGCOMM ACM Special Interest Group on Data Communication"]},"container-title":["Proceedings of the ACM SIGCOMM 2025 Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3718958.3754351","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,27]],"date-time":"2025-08-27T16:59:02Z","timestamp":1756313942000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3718958.3754351"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,27]]},"references-count":58,"alternative-id":["10.1145\/3718958.3754351","10.1145\/3718958"],"URL":"https:\/\/doi.org\/10.1145\/3718958.3754351","relation":{},"subject":[],"published":{"date-parts":[[2025,8,27]]},"assertion":[{"value":"2025-08-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}