DNSSEC Deployment Today

Wolfgang Nagele — Aug 30, 2011 11:00 AM
The RIPE NCC has been signing its zones since 2005. Other operators waited for the root to be signed. And signing the root zone in June 2010 clearly encouraged others to deploy DNSSEC. In this article we describe the status of those zones maintained by the RIPE NCC and give an overview of the global deployment of DNSSEC.

The Domain Name System Security Extensions (DNSSEC) is a suite of IETF developed specifications designed to validate information provided by the Domain Name System (DNS).

A number of early adopters deployed DNSSEC for the domains they are responsible for. Among these early adopters were the country code Top Level Domains (ccTLDs) .br, .bg, .cz, .pr, .se and the generic Top Level Domain (gTLD) .org. Besides TLD operators, organisations like the RIPE NCC and the RIPE community as a whole were at the forefront of DNSSEC development. The RIPE NCC has signed its DNS zones since 2005. However, many TLD operators waited for the root zone to be signed before they started deploying DNSSEC.

When the root zone was signed in June 2010, this acted as a catalyst for TLD operators to deploy DNSSEC on their side. We have seen a gradual but significant increase in signed TLDs since then.

The maps below show the level of DNSSEC deployment in the world to date. Those countries marked green have deployed DNSSEC in their ccTLD today. Those marked yellow have plans to deploy it in the near future.

Figure 1: DNSSEC in European ccTLDs (green=deployed, yellow=planning to deploy)

Figure 2: DNSSEC Deployment in North America

Figure 3: DNSSEC Deployment in South America

Figure 4: DNSSEC Deployment in Asia Pacific

Figure 5: DNSSEC Deployment in Africa

As far as we are informed, no countries in the Middle East are currently planning to deploy DNSSEC. If you have other information, please let us know so that we can update the article.

At the core of DNSSEC is a so-called chain of trust, which follows the hierarchy by which a domain is delegated from the root zone to a TLD and then to the domain operator. For DNSSEC to be fully useful, this chain of trust needs to be complete. This means that DNSSEC becomes truly useful for a domain owner once the TLD that the domain is under is signed, too.

The RIPE NCC maintains zones under several TLDs. The vast majority of the zones under these TLDs by now support DNSSEC, because the parent zones allow delegation signer (DS) records to be included, which completes the chain of trust. Recently our IPv4 reverse zones were also enabled in this way in the in-addr.arpa parent zone.
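To make the two paragraphs above concrete, here is an added example (written for this article, not RIPE NCC code) that checks a chain of trust offline the way a validating resolver does: for every delegation, a DS record in the parent must carry the digest of a DNSKEY published in the child (RFC 4034, with the key tag from its Appendix B). The zone names are taken from the reverse tree discussed in the article; the keys, the DS digests and the one delegation left without a DS (a constructed child of 196.in-addr.arpa, modelling a parent that cannot yet carry DS records) are sample data, not real zone contents.

```python
"""Added example for this article (not RIPE NCC code): an offline check of a
DNSSEC chain of trust. Each link is checked the way RFC 4034 defines it: a DS
record in the parent zone must carry hash(owner name in wire format || DNSKEY
RDATA) of a key in the child zone. All keys, digests and the delegation that
lacks a DS are constructed sample data, not real zone contents."""
import hashlib
import struct

# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256 (the usual choice)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each preceded by its length."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record a parent publishes for one DNSKEY of a child zone."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches_key(ds: dict, owner: str, rdata: bytes) -> bool:
    """True if this DS was computed over this child DNSKEY (tag, algorithm and digest agree)."""
    if ds["digest_type"] not in DIGEST_ALGS:
        return False  # unsupported digest type: this DS cannot be used for validation
    expected = make_ds(owner, rdata, ds["digest_type"])
    return all(ds[k] == expected[k] for k in ("key_tag", "algorithm", "digest"))


def parent_of(zone: str) -> str:
    """Parent zone name in the delegation hierarchy ("." for a TLD)."""
    labels = zone.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def broken_links(zones: dict, leaf: str) -> list:
    """Walk from leaf to root; return the zones whose parent carries no matching DS.
    zones: name -> {"dnskey": [(flags, alg, pubkey), ...], "ds": {child: [ds, ...]}}.
    The root key itself is the configured trust anchor and is not checked here."""
    broken, zone = [], leaf
    while zone != ".":
        parent = parent_of(zone)
        ds_set = zones.get(parent, {}).get("ds", {}).get(zone, [])
        keys = zones.get(zone, {}).get("dnskey", [])
        if not any(ds_matches_key(ds, zone, dnskey_rdata(f, a, k))
                   for ds in ds_set for (f, a, k) in keys):
            broken.append(zone)
        zone = parent
    return broken


# Constructed sample: zone names from the reverse tree, key material is a placeholder
SAMPLE_KEYS = {
    "arpa.": (257, 8, b"constructed-ksk-arpa"),
    "in-addr.arpa.": (257, 8, b"constructed-ksk-in-addr"),
    "193.in-addr.arpa.": (257, 8, b"constructed-ksk-193"),
    "196.in-addr.arpa.": (257, 8, b"constructed-ksk-196"),
    "0.196.in-addr.arpa.": (257, 8, b"constructed-ksk-0-196"),
}


def build_sample_zones() -> dict:
    zones = {".": {"dnskey": [], "ds": {}}}
    for zone, key in SAMPLE_KEYS.items():
        zones[zone] = {"dnskey": [key], "ds": {}}
    # every parent publishes a DS for its child, except 196.in-addr.arpa, which
    # (as in the article) cannot yet carry DS records for its delegations
    for child, (flags, alg, pub) in SAMPLE_KEYS.items():
        if child != "0.196.in-addr.arpa.":
            zones[parent_of(child)]["ds"][child] = [make_ds(child, dnskey_rdata(flags, alg, pub))]
    return zones


if __name__ == "__main__":
    sample = build_sample_zones()
    for leaf in ("193.in-addr.arpa.", "0.196.in-addr.arpa."):
        print(leaf, "broken links:", broken_links(sample, leaf) or "none")
```

Running the file reports no broken link for 193.in-addr.arpa and one for the constructed 0.196.in-addr.arpa child: the chain verifies all the way up, but stops at the parent that publishes no DS, which is exactly the situation the article describes for zones under 196.in-addr.arpa, .int and .cc. Replacing a zone's key without updating the DS in its parent (a botched key rollover) shows up the same way.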

Figure 6: RIPE NCC zones with (blue) and without DNSSEC

As shown on the right-hand side of Figure 2 above, the only zones in which we cannot yet include the trust anchors in the parent zone are:

  • 203.in-addr.arpa (maintained by APNIC)
  • 196.in-addr.arpa (maintained by AfriNIC)
  • 6.0.1.0.0.2.ip6.arpa (maintained by SurfNET)
  • .int (maintained by IANA)
  • .cc (ccTLD of the Cocos (Keeling) Islands)

We expect that at the end of this year, only three of them will be left in which we cannot include our DS records: 196.in-addr.arpa, .int and .cc. That is huge progress since the root zone was signed.

Below you can see a graph showing DS records inside our reverse zones. We observe a steady increase. In total there are currently 450 DS records in our zones.

Figure 7: Number of DS records in RIPE NCC maintained reverse zones over time

Considering that the RIPE NCC maintains some 500,000 reverse delegations, this number is still very small. However, the recent increase is encouraging.
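The 450 DS records above are an absolute count; what a zone operator usually wants to know is how much of the delegated space they cover. The following is an added example (written for this article, not RIPE NCC code) that reads zone-file style NS and DS records, maps each reverse-tree owner name back to the prefix it delegates, and reports coverage both by number of delegations and by address space, per address family. The records, name servers and DS digests are constructed sample data.

```python
"""Added example for this article (not RIPE NCC code): measures how much of a
reverse zone is anchored by DS records, by delegation count and by address
space. Input is a constructed zone-file style excerpt: an NS record marks a
delegation, a DS record marks a child whose key is anchored in this parent."""
import ipaddress

# Constructed sample records (owners, servers and digests are not real data)
SAMPLE_RECORDS = """\
; IPv4 reverse delegations
0.193.in-addr.arpa.      IN NS ns1.example.net.
0.193.in-addr.arpa.      IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
1.193.in-addr.arpa.      IN NS ns1.example.org.
16.2.193.in-addr.arpa.   IN NS ns2.example.org.
16.2.193.in-addr.arpa.   IN DS 23456 8 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
17.2.193.in-addr.arpa.   IN NS ns2.example.org.
3.193.in-addr.arpa.      IN NS ns3.example.com.
3.193.in-addr.arpa.      IN DS 34567 8 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
; IPv6 reverse delegations
0.1.6.0.1.0.0.2.ip6.arpa. IN NS ns1.example.net.
0.1.6.0.1.0.0.2.ip6.arpa. IN DS 45678 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
8.b.d.0.1.0.0.2.ip6.arpa. IN NS ns1.example.org.
"""


def reverse_to_network(owner: str):
    """Map a reverse-tree owner name to the prefix it delegates, e.g.
    16.2.193.in-addr.arpa. -> 193.2.16.0/24 and 8.b.d.0.1.0.0.2.ip6.arpa. -> 2001:db8::/32."""
    labels = owner.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]               # the reverse tree stores octets back to front
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"not a delegation-sized in-addr.arpa name: {owner}")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = "".join(labels[:-2][::-1])     # one hex digit per label
        if not 1 <= len(nibbles) <= 32:
            raise ValueError(f"not a delegation-sized ip6.arpa name: {owner}")
        full = nibbles.ljust(32, "0")
        addr = ":".join(full[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network(f"{addr}/{4 * len(nibbles)}")
    raise ValueError(f"not a reverse-tree name: {owner}")


def parse_records(text: str):
    """Return (delegated, anchored): owner names that have an NS record / a DS record."""
    delegated, anchored = set(), set()
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop comments and blank lines
        if len(fields) < 3:
            continue
        owner = fields[0].lower()
        rtype = next((f for f in fields[1:] if f in ("NS", "DS")), None)
        if rtype == "NS":
            delegated.add(owner)
        elif rtype == "DS":
            anchored.add(owner)
    return delegated, anchored


def coverage(text: str) -> dict:
    """Per address family: delegations, delegations with a DS, and the address space of each.
    A DS only counts if its owner is actually delegated (has an NS record)."""
    delegated, anchored = parse_records(text)
    stats = {}
    for owner in delegated:
        net = reverse_to_network(owner)
        s = stats.setdefault(net.version, {"delegations": 0, "with_ds": 0,
                                           "addresses": 0, "addresses_with_ds": 0})
        s["delegations"] += 1
        s["addresses"] += net.num_addresses
        if owner in anchored:
            s["with_ds"] += 1
            s["addresses_with_ds"] += net.num_addresses
    return stats


if __name__ == "__main__":
    for version, s in sorted(coverage(SAMPLE_RECORDS).items()):
        print(f"IPv{version}: {s['with_ds']}/{s['delegations']} delegations anchored, "
              f"{100 * s['addresses_with_ds'] / s['addresses']:.1f}% of delegated address space")
```

The two figures can diverge: in the sample, 3 of 5 IPv4 delegations carry a DS (60%), but because two of the unsigned ones are small /24s they cover about two thirds of the delegated address space. Tracking both over time, rather than the raw DS count alone, shows whether DNSSEC uptake is keeping pace with new delegations.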

From our point of view we are pleased with the progress that DNSSEC has made since the root zone has been signed a year ago. There has been a lot of speculation, and in a poll done amongst many industry experts very few expected that signing the root zone would have such a substantial and fast impact on the number of TLDs getting signed.

8 Comments

Simon Leinen says:
Sep 01, 2011 10:15 PM
Correction: 6.0.1.0.0.2.ip6.arpa is not maintained by SURFnet, although 0.1.6.0.1.0.0.2.ip6.arpa is.
Wolfgang Nagele says:
Sep 02, 2011 10:34 AM
Hi Simon,

The pie chart was trying to reflect the top-level zones (by our very own definition ;)). The idea was to have a "normalized" pie-chart with equally-weighted zones.

Regards,
Wolfgang
shane says:
Sep 05, 2011 11:36 AM
Nice graphics!

I was wondering about the percentage of zones that are covered by these DS records. As we saw with IPv6 traffic reported by Arbor Networks, growth in absolute numbers may still mean a decline in relative numbers. :(

For the reverse tree, this can be measured by domains, but even more interestingly by address space that those domains represent.

Just a thought. :)
Maurizio Martinelli says:
Sep 06, 2011 01:14 PM
I don't know where the information regarding the "DNSSEC Deployment Today" has been collected. Italy is grey in the map, while .IT is working on DNSSEC and plans to deploy it in the near future.

Best regards,
Maurizio Martinelli
.IT Technical Manager
mirjam says:
Sep 13, 2011 12:59 PM
Dear Maurizio,
Sorry for the late response. We used the data listed in the ICANN TLD DNSSEC Report. If .it is planning to deploy DNSSEC, we'd be happy to update the map in the article. Do you know when DNSSEC will be deployed in the .it registry?

Kind Regards,
Mirjam Kuehne
Wolfgang Nagele says:
Sep 14, 2011 06:22 AM
Hi Maurizio,

As for the planned deployments - we did our best in summarizing the DNSSEC plans we could find on public mailing lists. We are very happy to hear about plans of others and update the map accordingly.

Regards,
Wolfgang
Luis Espinoza says:
Apr 25, 2012 01:24 AM
.cr is already signed
Mirjam Kühne says:
Apr 25, 2012 11:02 AM
Thanks, Luis. We will include .cr next time we update the maps.