Deploy360 Domain Name System Security Extensions (DNSSEC)

How Do We Measure DNSSEC Deployment?

Map of DNSSEC-validating usersHow do we measure the actual deployment of DNSSEC?  How can we know how many domain name holders have signed their zones with DNSSEC? How can we find out how many ISPs have deployed DNSSEC-validating resolvers? How do we count how many applications or operating systems have built-in support for DNSSEC validation?

At first glance, some of these would appear to be simple questions to answer – “well, can’t you just count up the number of DS records in a top-level domain?” But the reality is that it’s not quite that simple.  There are sites providing DNSSEC deployment statistics and some TLDs are making DNSSEC usage available… but that’s not true across the board.  And the validation question is quite difficult due to the distributed and decentralized nature of the Internet.  We recently wrote about some work Verisign Labs is undertaking to measure validation, but that work is just beginning.

The APNIC Experiment

So we were delighted to see the post, “Counting DNSSEC” and accompanying presentation from Geoff Huston and George Michaelson at APNIC Labs where they dug into this DNSSEC measurement issue in a unique way.  As Geoff writes, they set out to look at these questions:

  • How many zones are DNSSEC signed?
  • How many DNS queries are DNSSEC-validated?
  • How many DNS resolvers are DNSSEC-capable?
  • How many users are using DNSSEC-aware DNS resolvers?

But rapidly concluded that these precise questions were difficult to answer – and so they decided to look a bit more broadly at these questions:

  • What proportion of DNS resolvers are DNSSEC-capable?
  • What proportion of users are using DNSSEC-validating DNS resolvers?
  • Where are these users?

Their measurement technique was to use advertisements in web browsers displayed through an advertising network.  They used a flash-based ad that made multiple DNS requests without user intervention, i.e. the user didn’t have to click on the ad – just the action of displaying the ad triggered the measurements.

They ran the test from September 10-17, 2012, and observed 57,268 unique IP addresses requesting the DNS records. Some of the conclusions were interesting:

  • 4% of DNS resolvers performed DNSSEC validation
  • 9% of end-client systems were using a DNSSEC-validating resolver

Their post goes through all this in great detail and provides a much more thorough explanation than I can do here.

They then went on to look at where the users were coming from and provide charts segmenting their data in multiple different ways.   They summarized all of this in a presentation to the recent RIPE 65 event complete with charts showing the validation by country.  I’d highly recommend you take a look at that presentation as it provides an excellent view into all this data.

As with any survey like this, you can always wonder about the distribution of people seeing the displayed ad. My first thought was that as I browse with Flash disabled by default I would never have triggered their measurement had it been displayed on my screen.  Similarly many mobile devices might not execute Flash, notably Apple devices, and so it would miss those users.

But even with those caveats, this is an excellent piece of work as an attempt to perform some basic measurements.  Geoff notes at the end of the post that they’ll perform another look at DNSSEC deployment in a few months time, and we’re very much looking forward to seeing what difference they’ll measure in that next look.

What Else Can Be Done?

Beyond this work, we are still thinking a great bit about what else can be measured.  For instance, can we as an industry develop:

  • a count of registrars supporting DNSSEC by allowing upload of DS records?
  • a count (or %) of DNS hosting providers providing automated DNSSEC signing?
  • a % of ISPs providing validating name servers?
  • a % of signed second-level domains?

On this last point, there are great examples already out there including the PowerDNS stats for .NL and other domains, the Verisign Labs scoreboard for .COM/.NET/.EDU and the NIST statistics for the US Gov’t and industry, but it would be even better if we could aggregate this information and also obtain that information for other TLDs.

How can we best measure the deployment of DNSSEC?  It’s an interesting question… do you have any thoughts about other methods and mechanisms?