In his regular monthly spot on PING, APNIC’s Chief Scientist Geoff Huston continues his examination of DNSSEC. In the first part of this two-part story, Geoff explored the problem space, with a review of the comparative failure of DNSSEC to be deployed by zone holders, and the lack of visible validation by the resolvers. APNIC Labs can observe this through carefully designed DNS zones that include both valid and invalid DNSSEC states. These zones are part of Labs’ method for measuring user activity.
This second episode provides some optimism for the future. It examines potential changes to the DNS protocol and the use of existing DNS features to enhance the safety of deploying DNSSEC. Establishing trust in domain names offers significant advantages, especially as a ‘service’ to the widely used Transport Layer Security (TLS) protocol.
Read more about DNSSEC and TLS on the APNIC Labs website and the APNIC Blog:
- Calling time on DNSSEC (Geoff Huston, APNIC Blog, June 2024)
- ‘Keytrap’ attacks on DNSSEC (Geoff Huston, APNIC Blog, June 2024)
- DNS topics at RIPE 88 (Geoff Huston, APNIC Blog, June 2024)
- The Tranco list
- DNSSEC validation client usage (APNIC Labs)
- DNSSEC-enabled domains from Cloudflare public DNS (APNIC Labs)