[dns-operations] A survey of security related DNS record deployment

Robert Mortimer Robert.Mortimer at nominet.uk
Wed Dec 30 15:42:01 UTC 2020


Hi,

Yes, the sample size is rather small; it's a personal project, so there's a limit to what I can do. I've been increasing the sample size as I can, using what lists I have access to, so that my working is clear. The bias is more towards organisations operating in the DNS sector, who one would hope would be setting an example in deploying the technologies surveyed. As weaknesses at the domain registration/DNS hosting level have a disproportionate impact, likewise the large players adopting established security methods is far more relevant than smaller organisations. No one cares if my personal domain has DNSSEC and all the rest; that Facebook doesn't is far more significant.

I know that infrastructure change is slow to happen, but SPF has been around for 14 years, DNSSEC for 15, so it's not like there hasn't been time for adoption. Though in fairness SPF doesn't have a terrible deployment rate.

According to Verisign (https://www.verisign.com/en_GB/domain-names/dnib/index.xhtml):
"The third quarter of 2020 closed with 370.7 million domain name registrations across all top-level domains"
This means that 13.5 million signed domains is 3.6%, which is lower than my survey found overall, so I'm possibly being optimistic. But when the number of ICANN accredited registrars who have signed their domains is in single digits, and the domains used by nameservers are around the 3% mark, it's hardly a roaring success.

If there is a larger survey of how well these records are being deployed, or you can suggest a data set I can include to make the sample more representative, I'll be delighted to improve my methods.

When the systems providing DNS services, which everything else depends on, can't deploy security features that make use of DNS a decade or more after they were first introduced, I'd suggest there is a significant problem somewhere.

-----Original Message-----
From: dns-operations <dns-operations-bounces at dns-oarc.net> On Behalf Of Viktor Dukhovni
Sent: Wednesday, December 30, 2020 1:44 AM
To: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] A survey of security related DNS record deployment

On Tue, Dec 29, 2020 at 10:53:02AM +0000, Robert Mortimer wrote:

> I had a bit of time over Christmas so got round to doing my
> annual(ish) survey of how widely various security related DNS records 
> ( CAA, SPF, DMARC, DNSSEC etc. ) have been adopted. Adoption rates are 
> backsliding compared to previous years if anything.

The sample size is rather small, and strongly biased towards the domains of large established players, where change in infrastructure is slow to happen.  Overall DNSSEC use has increased substantially since 2017, and growth has picked up particularly in 2020.

    https://stats.dnssec-tools.org/

In 2017, reports were of ~7 million total DNSSEC domains, now more than
13.5 million.  The number of signed ".com" domains (even without incentive payments) has increased more than 3-fold:

    https://stats.dnssec-tools.org/tld-graphs/com.png

You just don't see this in the top 50 web sites as yet, but 2021 looks promising for increasingly strong growth.

> If this is due to lack of perceived business benefit, cost of adoption 
> or lack of awareness I don't know. I do suspect that either some thing 
> needs to be done to promote a wider adoption or they need to be 
> consigned to history to free up resources to find better solutions.

My take is that the sample is too narrow to draw broad conclusions.

-- 
    Viktor.
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
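The survey Robert describes (checking how widely CAA, SPF, DMARC and DNSSEC have been deployed across a set of domains) boils down to classifying each domain's records and counting. The following is an added illustration of that classification step, written for this page; it is not Robert's survey code. It assumes the DNS answers have already been fetched (the `RecordSet` values below are constructed sample data for fictional `.example` domains, not live lookups), and it applies the checks a practitioner would want: a single `v=spf1` TXT record (two is a permanent error under RFC 7208), a `v=DMARC1` record at `_dmarc.<domain>` with its `p=` policy extracted so that monitor-only `p=none` can be told apart from enforcing policies, a CAA `issue`/`issuewild` record, and a DS record in the parent as the usual proxy for a signed delegation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RecordSet:
    """DNS answers already fetched for one domain (constructed sample data,
    not live lookups; a real survey would populate this from a resolver)."""
    txt: List[str] = field(default_factory=list)        # TXT at the apex
    dmarc_txt: List[str] = field(default_factory=list)  # TXT at _dmarc.<domain>
    caa: List[str] = field(default_factory=list)        # CAA rdata as "flags tag value"
    ds: List[str] = field(default_factory=list)         # DS records in the parent zone


def has_spf(rs: RecordSet) -> bool:
    """RFC 7208: the SPF record is the TXT whose first term is "v=spf1".
    More than one such record is a permanent error, so that case is
    counted as not deployed rather than as deployed."""
    spf = [t for t in rs.txt if t.split(" ", 1)[0].lower() == "v=spf1"]
    return len(spf) == 1


def dmarc_policy(rs: RecordSet) -> Optional[str]:
    """RFC 7489: the DMARC record is the TXT at _dmarc.<domain> whose first
    tag is "v=DMARC1".  Returns the p= policy, or None if there is no record."""
    for t in rs.dmarc_txt:
        tags = [x.strip() for x in t.split(";") if x.strip()]
        if not tags or tags[0].upper() != "V=DMARC1":
            continue
        for tag in tags[1:]:
            name, _, value = tag.partition("=")
            if name.strip().lower() == "p":
                return value.strip().lower()
    return None


def has_caa(rs: RecordSet) -> bool:
    """RFC 8659: a CAA record with an issue/issuewild tag restricts which
    CAs may issue for the name; presence is what a deployment survey counts."""
    for rdata in rs.caa:
        parts = rdata.split(None, 2)
        if len(parts) == 3 and parts[1].lower() in ("issue", "issuewild"):
            return True
    return False


def has_dnssec(rs: RecordSet) -> bool:
    """A DS record in the parent is the usual survey proxy for a signed,
    delegated zone (it does not prove the zone validates end to end)."""
    return len(rs.ds) > 0


def classify(rs: RecordSet) -> Dict[str, bool]:
    policy = dmarc_policy(rs)
    return {
        "spf": has_spf(rs),
        "dmarc": policy is not None,
        # p=none only requests reports; quarantine/reject act on failures
        "dmarc_enforcing": policy in ("quarantine", "reject"),
        "caa": has_caa(rs),
        "dnssec": has_dnssec(rs),
    }


def survey(sample: Dict[str, RecordSet]) -> Dict[str, float]:
    """Percentage of domains in the sample deploying each feature."""
    results = [classify(rs) for rs in sample.values()]
    n = len(results)
    if n == 0:
        return {}
    return {k: round(100.0 * sum(r[k] for r in results) / n, 1) for k in results[0]}


# Constructed sample: four fictional domains at different deployment levels.
SAMPLE = {
    "registrar-a.example": RecordSet(
        txt=["v=spf1 include:_spf.registrar-a.example -all"],
        dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc@registrar-a.example"],
        caa=["0 issue ca-one.example", "0 issuewild ;"],
        ds=["12345 13 2 PLACEHOLDERDIGEST"],
    ),
    "hoster-b.example": RecordSet(
        txt=["v=spf1 ip4:192.0.2.0/24 -all", "v=spf1 -all"],  # two SPF records: permerror
        dmarc_txt=["v=DMARC1; p=none; rua=mailto:reports@hoster-b.example"],
    ),
    "ns-c.example": RecordSet(
        txt=["v=spf1 -all", "some-site-verification=abc"],
        caa=["0 issue ca-two.example"],
        ds=["23456 13 2 PLACEHOLDERDIGEST"],
    ),
    "shop-d.example": RecordSet(txt=["some-site-verification=def"]),
}

if __name__ == "__main__":
    for name, rs in SAMPLE.items():
        print(name, classify(rs))
    print(survey(SAMPLE))
```

Counting `dmarc_enforcing` separately from `dmarc` matters for the "backsliding" question in the thread: a domain can publish DMARC and still have no effect on forged mail if it stays at `p=none`, so raw record presence overstates protection. The same caveat applies to the DS proxy for DNSSEC, which shows a delegation was signed but not that validation succeeds.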