Look-aside At Your Own Risk: Privacy Implications of DNSSEC Look-aside Validation
IEEE Transactions on Dependable and Secure Computing (IF 7.3), Pub Date: 2020-07-01, DOI: 10.1109/tdsc.2018.2816026
Aziz Mohaisen, Zhongshu Gu, Kui Ren, Zhenhua Li, Charles A. Kamhoua, Laurent L. Njilla, DaeHun Nyang

The Domain Name System Security Extension (DNSSEC) leverages public-key cryptography to provide data integrity, source authentication, and denial of existence for DNS responses. To complement DNSSEC operations, DNSSEC Look-aside Validation (DLV) is designed for alternative off-path validation. Although DNS privacy attracts a lot of attention, the privacy implications of DLV are not fully investigated and understood. In this paper, we take a first in-depth look into DLV, highlighting its lax specifications and privacy implications. By performing extensive experiments over datasets of domain names under comprehensive experimental settings, our findings firmly confirm the privacy leakages caused by DLV. We discover that a large number of domains that should not be sent to DLV servers are being leaked. We explore the root causes, including the lax specifications of DLV. We also propose two approaches to fix the privacy leakages. Our approaches require trivial modifications to the existing DNS standards, and we demonstrate their cost in terms of latency and communication.

Updated: 2020-07-01