In his regular monthly spot on PING, APNIC’s Chief Scientist Geoff Huston examines the apparent failure of DNSSEC to achieve widespread deployment in the market, even after 30 years. This is evident in two areas — the slow adoption rate of signed zones (supply side), and the low levels of verification by DNS client users (consumption side). Compared to the ubiquitous adoption of TLS for secure website connections, it is clear that DNSSEC is not gaining significant traction.
Geoff observes this by measuring client DNSSEC use in the APNIC Labs measurement system and tests of the DNS behind the Tranco top website rankings.
This is both a problem (the market failure of a trust model in the DNS is a pretty big deal!) and an opportunity (what can be done to make DNSSEC, or some replacement, viable), which Geoff explores in the first of two parts.
This ‘cliffhanger’ conversation about the problem side of things will be followed by a second episode that offers some hope for the future. In the meantime, here’s the first part, discussing the scale of the problem.
Read more about DNSSEC and TLS on the APNIC Labs website and the APNIC Blog:
- Calling time on DNSSEC (Geoff Huston, APNIC Blog, June 2024)
- ‘Keytrap’ attacks on DNSSEC (Geoff Huston, APNIC Blog, June 2024)
- DNS topics at RIPE 88 (Geoff Huston, APNIC Blog, June 2024)
- The Tranco list
- DNSSEC validation client usage (APNIC Labs)
- DNSSEC-enabled domains from Cloudflare public DNS (APNIC Labs)