[dns-operations] A survey of security related DNS record deployment

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Dec 30 16:32:32 UTC 2020


On Wed, Dec 30, 2020 at 03:42:01PM +0000, Robert Mortimer wrote:

>  Yes, the sample size is rather small; it's a personal project, so
>  there's a limit to what I can do. I've been increasing the sample
>  size as I can using what lists I have access to so that my working is
>  clear. The bias is more towards organisations operating in the DNS
>  sector, who one would hope would be setting an example in deploying
>  the technologies surveyed. As weaknesses at the domain
>  registration/DNS hosting level have a disproportionate impact,
>  likewise the large players adopting established security methods is
>  far more relevant than smaller organisations. No one cares if my
>  personal domain has DNSSEC and all the rest; that Facebook doesn't is
>  far more significant.

I don't expect the largest players to lead with their own domains first.
The politics of that is likely too difficult until overall adoption by
more nimble players is higher, and that's what I expect we'll start
seeing change in 2021.

> DNSSEC for 15 - so it's not like there hasn't been time for adoption.

That number is not relevant.  The specs have been around for 15 years,
but many more pieces have to fall into place, before broad adoption is
possible.

    * Support by gTLDs and TLDs
    * Support by registrars
    * Mature support in DNS iterative resolvers
    * Mature support for automatic signing in auth servers
    * Inclusion of up-to-date version of the above in stable
      O/S releases.
    * Applications that benefit directly from DNSSEC, e.g. DANE SMTP,
      the new HTTP service records, ...

All the above take years to play out, often sequentially.

> According to verisign (https://www.verisign.com/en_GB/domain-names/dnib/index.xhtml )
> "The third quarter of 2020 closed with 370.7 million domain name registrations across all top-level domains"

Yes, the DANE survey (also a personal project) covers around 300 million
names as potential inputs; ccTLD coverage is incomplete, but I still
manage to put together around 80-90% of the larger ccTLDs from various
indirect sources.  So coverage of signed domains is pretty good.

The biggest gap is a "dark pool" of signed parked domains under .BR,
which is reported in their stats (showing twice as many signed domains
as I've found), but is not otherwise visible, and also not particularly
compelling to survey, since they're parked...

> Which means that 13.5 million signed domains is 3.6% which is lower
> than my survey found overall, so I'm possibly being optimistic, but
> when the number of ICANN accredited registrars who have signed their
> domains is in single digits and the domains used by nameservers is
> around the 3% mark it's hardly a roaring success.

I am more interested in the trajectory than the absolute number at the
moment.  The growth rate is currently ~3.3 million per year, and since
we're not adding 100 million domains per year overall, the percentage is
going up noticeably.  There are also signals from some large players that
the *rate* of growth could go up significantly next year, so let's talk
again at or before the end of 2021.

> If there is a larger survey of how well these records are being
> deployed or you can suggest a data set I can include to make the
> sample more representative I'll be delighted to improve my methods.

I have a large data set, but I am bound by various agreements to not
share it... :-(

-- 
    Viktor.