In April this year, DNSSEC passed a milestone, reaching 25% validation worldwide.
It continues an incredible turnaround for the often criticized security protocol, thanks largely to high adoption rates in Saudi Arabia and Nordic economies, all of which have DNSSEC validation rates well above 80%. This is in stark contrast to my home economy, Japan, where the adoption rate has lingered below 10% for the past six years.
Why is DNSSEC penetration so low in Japan?
First, a reminder that there are two parts to DNSSEC:
- Signing the zone — the zone administrator must generate cryptographic signatures on DNS records in a zone (or sign the zone).
- Validating the signature — A DNS client needs to check if the cryptographic signature is expected for this record, and that the signature record that they received is authentic.
This makes the number of signed DNS records another useful metric for understanding the uptake of DNSSEC (Figure 2). And like DNSSEC validation, it too has risen steadily over the past few years (Figure 2).
The Japan Registry (JPRS) started DNSSEC related services from 2011 and after a year the number of zone delegations with DS Record (which is close to the number of signed domain names, but does not infer if it is signed correctly) exceeded 400.
Our community was buoyed by this initial growth in signed zones and believed that it would continue, but, as of 2019, the number astonishingly remains below 500.
We think that there are various reasons for this lack of uptake. One of the most important reasons is whether the signature comes first or the validation comes first. This is the so-called “chicken or the egg” problem in the DNSSEC field.
There is no doubt the numbers of signed DNS zones and validations are key indicators of DNSSEC penetration. However, it would be unwise to refer to modest national adoption rates of DNSSEC signatures and validation as reason to not adopt them yourself but consider the global adoption rate as well, given the Internet/DNS reaches further than national borders.
In an effort to understand how other economies have adopted DNSSEC more than Japan, I interviewed organizations in Sweden, Iceland, and Saudi Arabia, which as mentioned have been instrumental in the increase in the percentage of worldwide DNSSEC validation.
What can we learn from other economies?
In Sweden, both DNSSEC signatures and validation have been widely implemented for quite some time, with validation over 85% (Figure 3).
According to those we interviewed, much of this success has been due to the Swedish registry signing the .SE country code top-level domain (ccTLD) early on. They also noted the extensive training courses that were offered, subsidies to registrars that signed their zones and the success of Meetups (technical exchange and study meetings), where several major telecommunications carriers, who first supported DNSSEC validation, shared their experiences with small and medium carriers.
If you look at the spread of signed DNS zones in Sweden (Figure 4), you can see that almost half of all domain names are signed, indicating that the spread is very widespread.
Next is Iceland, a relatively compact economy with a population of around 360,000. Although the number of signed DNS zones is relatively small, validation is widespread at about 95%, primarily due to three major ISPs supporting DNSSEC validation (Figure 5).
Our interviewee said he has worked with ICANN to provide training and other initiatives to promote DNSSEC.
Finally, in Saudi Arabia, DNSSEC validation is around 96% having grown from 5% to 60% from mid- to the end of 2018 (Figure 6).
According to those we interviewed, this 55% jump in 2018 was the result of the regulatory body, the Telecommunications Information Technology Commission (CITC), setting key performance indicators for the penetration rate of DNSSEC validation and enforcing DNSSEC validation for ISPs.
Awareness and promotion are key
In all of these examples, it’s obvious that incentives and active awareness and promotion are needed to drive DNSSEC adoption — conclusions that are shared by another recent study as well.
One point that has stuck with me from the interviews was a discussion with a Swedish DNS engineer about the problem of validation failure due to a problem with the authority’s signature:
“When there was a problem with the authority’s signature, the ISP’s validator should wait for the fix (without temporarily disabling DNSSEC validation of the offending domain name).”
Anonymous Swedish DNS engineer
I agree, but on the other hand, if the customer can’t resolve the name, I have a desire to resolve it and my thoughts are complicated.
Let me know your thoughts and what DNSSEC successes you’ve seen or had in your economies in the comments below.
Acknowledgement: I would like to express our sincere gratitude to the following specialists: Roger Murray (The Swedish Internet Foundation), Jens Petur Jensen (ISNIC) and Abdullah Alshammari (SaudiNIC). They were willing to participate in the interviews and discussions about the penetration of DNSSEC. The input from them has given us great insight into our future activities.
Adapted from original post which appeared on the JPNIC Blog.
Yoshibumi Suematsu is an engineer of QTnet, a Japanese ISP, and has been involved in the construction and operation of DNS and email services. Areas of interest are DNSSEC and DNS security. Recently, he has also been working on research into improving fault tolerance in the event of a large-scale disaster. He has been involved in the management of the community DNSOPS.jp since 2018.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.