
2015 Will be a Good Year for DNSSEC

10 February 2015

Richard Lamb


Thanks to a major web hosting provider's broad adoption of DNSSEC, 2015 may be the year when we reach the "knee" in the DNSSEC benefits curve. DNSSEC adds cryptographic records (digital signatures) alongside existing DNS records so that end users can detect any changes made during the domain name resolution process. This cryptographic protection is called "signing".

The root of the DNS was signed in 2010 [1]. Following recent, brisk DNSSEC deployment, over 78% of TLDs are now signed [2], and increasing numbers of end users are validating [3] DNS lookups: current measurements show validation at 12% worldwide, 25% in the US, and 62% in Sweden [4]. The last measurement is important and promising: when end users "validate" that DNS records are signed, they are effectively protecting themselves from unauthorized modifications and attacks such as cache poisoning [5].
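To make the validation step concrete, here is an added example (not code from the original post or from ICANN) showing, in the DNS wire format, how a client asks for DNSSEC records (the EDNS0 "DO" bit) and how it reads back whether the resolver reported the answer as validated (the "AD" flag); the domain name and reply bytes are constructed for illustration.

```python
"""Added example: build a DNSSEC-aware DNS query and decode a resolver's
reply flags, offline, using only the Python standard library."""
import struct

AD_FLAG = 0x0020   # Authenticated Data: the resolver validated the DNSSEC chain
CD_FLAG = 0x0010   # Checking Disabled: client asked the resolver not to validate
DO_FLAG = 0x8000   # DNSSEC OK: carried in the flags half of the OPT record's TTL


def build_dnssec_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format query for `name` (constructed example) with EDNS0 and the
    DO bit set, which asks the resolver to include RRSIG records."""
    # Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size 4096,
    # TTL = extended RCODE 0 | EDNS version 0 | flags (DO), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_FLAG, 0)
    return header + question + opt


def decode_reply_flags(reply: bytes) -> dict:
    """Decode the 12-byte header of a reply. Only when AD is set (and CD was
    clear in the query) has the resolver vouched for the DNSSEC validation."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "authenticated": bool(flags & AD_FLAG),
        "checking_disabled": bool(flags & CD_FLAG),
        "answers": an,
    }


# Constructed reply header from a validating resolver: QR, RD, RA and AD set, NOERROR
SAMPLE_VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)
# Same reply from a resolver that does not validate: AD bit clear
SAMPLE_UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)

if __name__ == "__main__":
    print(len(build_dnssec_query("example.com")), "byte query")
    print(decode_reply_flags(SAMPLE_VALIDATED_REPLY))
    print(decode_reply_flags(SAMPLE_UNVALIDATED_REPLY))
```

The AD flag is only meaningful over a trusted path to the resolver (for example a local validating resolver), since a spoofed reply could set the bit too; that is why the footnotes stress the resolver doing the validation.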

The Internet's infrastructure is well on its way to fully supporting DNSSEC. However, for DNSSEC to be effective, domain names must be signed as well. This has been a difficult goal to achieve, with only approximately 2-3% of names signed. This slow adoption pace may soon change. Web content and DNS hosting provider CloudFlare [6] has announced that it is going to deploy DNSSEC across its platform. The anticipated visible increase in DNSSEC-signed web sites following CloudFlare's deployment should cause a jump in the number of end users, content providers, and innovators [7] benefiting from DNSSEC. More users will benefit from validation, and competition may drive more major providers to DNSSEC as well.

How do we keep the momentum going?

The benefits of DNSSEC will only be fully realized after there is widespread deployment. It is therefore important for us to continue DNSSEC awareness-raising efforts as one step in securing the Internet. I am proud to say that, as part of the Internet community, we have been instrumental in doing this thus far. Let's keep the pressure on.

Dr. Richard Lamb
Sr. Program Manager, DNSSEC
ICANN

[1] Signing the root is a joint effort with the Community and our root zone management partners. http://www.root-dnssec.org/
[2] DNSSEC TLD stats. https://rick.eng.br/dnssecstat/
[3] If a domain name is signed, responses to DNS lookup requests are validated (checked for unexpected modifications, which might indicate an attack) by your ISP's, enterprise's, or personal DNS resolver. Therefore the continued rise in the number of users relying on a DNSSEC-enabled resolver is critical.
[4] DNSSEC validating resolver stats. http://gronggrong.rand.apnic.net/cgi-bin/worldmap
[5] Cache poisoning http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
[6] https://blog.cloudflare.com/help-us-test-our-dnssec-implementation/
[7] With DNSSEC, the DNS becomes a global secure database for the distribution of more than standard DNS records. This has energized those looking to improve the security of the Internet and the Internet of Things, e.g., DANE: http://www.internetsociety.org/deploy360/resources/dane/
