Deploy360 Domain Name System Security Extensions (DNSSEC)

BT Releases Results of 2014 DNSSEC Survey

BT-Diamond-IP-2014-DNSSEC-SurveyBT Diamond IP just published the results of their 2014 DNSSEC survey and the report is available for all to download for free.  Back in October, I’d encouraged people to take the survey to help gain an understanding of DNSSEC deployment and BT’s Tim Rooney noted in his post about the survey that this year there was a high amount of participation by people who had already deployed DNSSEC:

Clearly this year’s survey attracted active deployers of DNSSEC, which contrasts sharply with the 2012 survey where less than 25 percent of respondents had already deployed or were actively deploying DNSSEC validation and signing.

In fact, the way I read his tables on page 4 over 60% of respondents had deployed DNSSEC and another 10% were in the process of doing so.  Not exactly representative of the overall industry! (Unfortunately)  Still, though, I think the report provides useful insight into DNSSEC deployment from the point of view of people who have deployed the technology.  (By the way, we did write about the 2012 report back when it came out.)

Tim also relays these highlights of the 2014 report:

  • Nearly all respondents agreed with the statement that DNSSEC can or does provide value to their organization and over 85 percent likewise agreed that DNSSEC technology is mature and can be reliably deployed.
  • Forty-seven percent of respondents agreed that deploying and maintaining DNSSEC is very complex, 12 of the 47 percent strongly. Only 22 percent disagreed. This is rather telling in that DNSSEC is not only considered complex to the uninitiated, but that experience shows this to be the case.
  • Nearly half of respondents disagreed with the statement that only external (Internet-facing) zones need be signed, while 28 percent agreed with the statement. This majority position debunks the theory that internal name spaces are of little concern when it comes to DNSSEC.
  • Only 20 percent of respondents agreed that dedicated hardware security module (HSM) appliances or cards are required to store private keys.
  • Over 75 percent of respondents assign their DNS groups as responsible for DNSSEC implementation and management, sometimes alone or often in conjunction with other groups. It’s interesting to note that about 25 percent of respondents do not involve the DNS group in the process!
  • As an industry, simplifying the deployment process to reduce complexity and therefore costs to some degree could help spur further DNSSEC deployments.

I’ll definitely agree with his last point about reducing complexity and that’s something that I know we and others within the industry continue to champion … any way that we can add more automation or make the user experience simpler will go far to help advance DNSSEC deployment.

I found a number of the other charts quite interesting such as the reasons for NOT deploying DNSSEC as well as those about what software was being used.  All in all I think the report is a useful contribution to the ongoing discussions around DNSSEC.  I’d like to see more of these type of surveys so that we can continue to build out a picture of DNSSEC deployment as well as the challenges that need to be addressed.

Thanks to Tim Rooney and the others at BT Diamond IP for compiling this survey!