A quick review of DNSSEC Validation in today’s Internet

A quick review of DNSSEC Validation in today’s Internet Geoff Huston APNIC June 2016

What is being measured?
- Clients who will perform DNSSEC validation of a domain name
  - Using RSA/SHA-1 as the crypto algorithm
  - Who will not resolve a badly-signed domain name
- We are NOT measuring:
  - Validating resolvers
  - Signed domains

What is not being measured?
We are NOT measuring:
- Validating resolvers: It's actually quite a challenge to isolate the DNSSEC validation behaviour of a recursive resolver from query logs. And if the aim is to measure the user impact here, then it makes more sense to measure the number of users who use DNSSEC validating resolvers rather than the resolvers themselves.
- Signed domains: This has its own challenges relating to zone enumeration in the DNS, and we are not undertaking that here!

The Global Validation Picture
[Map; scale 0% to 100%]
http://stats.labs.apnic.net/dnssec

The Global Validation Picture
[Map: % of users in a country that use DNSSEC validating resolvers; scale 0% to 100%]
Map annotations: "Nordic concentration of DNSSEC!", "?", "Use of Google’s PDNS"
http://stats.labs.apnic.net/dnssec

The Global Picture

The Global Picture
[Chart; time axis 2014, 2015, 2016]

Some have been Validating for many years
- Sweden – 80%
- Comcast – 90%
- Romania – 45%
- Estonia – 60%

Recent DNSSEC Validation
- Claro, BR – 90%
- ICENET, IS – 90%
- Faroe Islands – 90%
- New Zealand – 50%

Finland

Finland – Top 10 ISPs

The Bigger Picture
- Much of the African continent and parts of Asia still show high DNSSEC validation rates due to their use of Google’s Public DNS service (which currently receives 12% of the Internet’s query load).
- Comcast resolvers are a major validation system in North America and this resolver collection performs the second highest volume of validation.
- Recent areas of switching on DNSSEC validation in DNS resolvers are in Iceland, Norway, Brazil, Nepal, New Zealand and Papua New Guinea.

But
- Growth of validation deployment has slowed
- 80% of all current queries request DNSSEC credentials
- 26% of all current queries perform DNSSEC validation
- 11% of current queries turn to a non-validating resolver upon SERVFAIL
- 15% of current queries will perform validation and live with the outcome
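The four-way breakdown on this slide, as an added example that is not part of the original presentation: a Python sketch that sorts per-client observations into the slide's categories and reports each as a share of the total. The record fields (DO bit seen, DNSKEY/DS queries seen, badly-signed name still resolved), the category names and the sample records are assumptions constructed for illustration; they are not APNIC's data or code, and the sketch counts clients rather than queries.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class ClientObservation:
    """One measured client (hypothetical record layout, not APNIC's)."""
    client_id: str
    do_bit_set: bool         # resolver's query carried EDNS0 DO=1
    fetched_dnskey_ds: bool  # resolver also asked for DNSKEY/DS records
    loaded_bad_sig: bool     # client still resolved the badly-signed name


def classify(obs):
    if not obs.do_bit_set:
        return "no-dnssec"
    if not obs.fetched_dnskey_ds:
        return "requests-only"   # asks for signatures, never checks them
    if obs.loaded_bad_sig:
        # Validation failed (SERVFAIL), then a non-validating resolver answered.
        return "validates-then-falls-back"
    return "validates"


def summarize(observations):
    if not observations:
        raise ValueError("no observations to summarize")
    counts = Counter(classify(o) for o in observations)
    total = len(observations)

    def pct(n):
        return round(100.0 * n / total, 1)

    fallback = counts["validates-then-falls-back"]
    strict = counts["validates"]
    return {
        "request_credentials": pct(total - counts["no-dnssec"]),
        "perform_validation": pct(fallback + strict),
        "fallback_on_servfail": pct(fallback),
        "validate_and_accept": pct(strict),
    }


# Constructed sample: 10 clients, not measurement data.
SAMPLE = (
    [ClientObservation(f"a{i}", False, False, True) for i in range(2)]
    + [ClientObservation(f"b{i}", True, False, True) for i in range(5)]
    + [ClientObservation("c0", True, True, True)]
    + [ClientObservation(f"d{i}", True, True, False) for i in range(2)]
)
```

Only the last category is protected against a badly-signed answer; a client that falls back after SERVFAIL ends up accepting the unvalidated response.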

Thanks! DNSSEC Reports: http://stats.labs.apnic.net/dnssec