Mutually Agreed Norms for Routing Security (MANRS) Strengthening the Internet

The State of Routing Security at DNS Registries

The Domain Name System (DNS) is an important component of the Internet, but it was not designed with security in mind. In the last 20 years or so, much attention has been directed at improving its inherently insecure aspects.

This includes the deployment of DNS Security Extensions (DNSSEC), which enable cryptographic validation of DNS records, and more recently DNS-over-TLS and DNS-over-HTTPS, which encrypt DNS transactions between hosts and resolvers.

The DNS, though, is also dependent on the global routing system for sending DNS queries from resolvers to servers, and then returning the responses. The integrity of the routing system is, therefore, extremely important for ensuring DNS transactions are delivered efficiently to the correct destination. Yet, at present, few DNS registries are implementing Routing Public Key Infrastructure (RPKI), a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol (BGP).

A survey of 4,138 zones – that included 1,201 generic top-level domains (gTLDs), 308 country code top-level domains (ccTLDs), 271 reverse map zones, and 1,780 sub-ccTLD zones – showed a total of 6,910 route origins for the name servers that are serving these zones.

Yet just 22% of these had a valid Route Origin Authorisation (ROA), a digitally signed object verifying that the holder of an IP address block has authorised an Autonomous System (AS) to originate routes for one or more prefixes within that block.

Whilst the figures for the reverse map zones (53%) and ccTLD zones (34%) give evidence of deployment, they are significantly lower for the gTLD zones (11%). In fact, around 40% of TLDs have no ROA deployment at all, and 20% have only partial deployment.
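To make the ROA figures concrete, the following added example (not code from the MANRS article or its survey) implements the route origin validation a BGP router performs against ROAs, then tallies how many name-server route origins come out valid. All prefixes, AS numbers and ROAs in it are constructed sample values, not real registry data.

```python
# Added example (not from the MANRS article): RFC 6811 route origin validation
# applied to name-server route origins. All prefixes/ASNs are constructed samples.
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "prefix max_length asn")   # one signed ROA
Route = namedtuple("Route", "prefix origin_asn")   # one observed BGP route origin

def covers(roa, route):
    """A ROA covers a route if both are the same address family and the ROA prefix contains it."""
    return roa.prefix.version == route.prefix.version and route.prefix.subnet_of(roa.prefix)

def validate(route, roas):
    """Return 'valid', 'invalid' or 'notfound' for one route (RFC 6811 semantics).
    notfound: no ROA covers the prefix; valid: a covering ROA lists the origin AS and
    allows the prefix length; invalid: covered, but no ROA matches both conditions."""
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "notfound"
    if any(r.asn == route.origin_asn and route.prefix.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"

def roa_coverage(routes, roas):
    """Tally validation states and compute the share of valid route origins
    (the figure the survey reports as 22%)."""
    counts = {"valid": 0, "invalid": 0, "notfound": 0}
    for route in routes:
        counts[validate(route, roas)] += 1
    pct_valid = 100.0 * counts["valid"] / len(routes) if routes else 0.0
    return counts, pct_valid

# Constructed sample ROAs (documentation prefixes, documentation-range ASNs).
SAMPLE_ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    ROA(ipaddress.ip_network("198.51.100.0/22"), 24, 64501),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64502),
]
# Constructed name-server route origins covering each validation outcome.
SAMPLE_ROUTES = [
    Route(ipaddress.ip_network("192.0.2.0/24"), 64500),        # valid
    Route(ipaddress.ip_network("198.51.100.0/24"), 64599),    # invalid: origin AS not authorised
    Route(ipaddress.ip_network("2001:db8:1::/56"), 64502),    # invalid: /56 longer than maxLength 48
    Route(ipaddress.ip_network("203.0.113.0/24"), 64500),      # notfound: no covering ROA
]

if __name__ == "__main__":
    counts, pct = roa_coverage(SAMPLE_ROUTES, SAMPLE_ROAS)
    print(counts, f"-> {pct:.0f}% of route origins have a valid ROA")
```

Note that an "invalid" result can mean either a hijack or a legitimate announcement whose ROA is misconfigured (wrong origin AS or too-short maxLength), which is why partial deployment needs as much attention as no deployment.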

These findings are discussed in more depth in “A Look at Route Origin Authorizations Deployment at DNS Registries” on the MANRS website. They highlight an aspect of DNS security that has been somewhat overlooked.

If you’re interested in finding out more about why routing security is so important, please also read our five-part Introduction to Routing Security.