October 2, 2012 archive

How Do We Measure DNSSEC Deployment?

Map of DNSSEC-validating usersHow do we measure the actual deployment of DNSSEC?  How can we know how many domain name holders have signed their zones with DNSSEC? How can we find out how many ISPs have deployed DNSSEC-validating resolvers? How do we count how many applications or operating systems have built-in support for DNSSEC validation?

At first glance, some of these would appear to be simple questions to answer – “well, can’t you just count up the number of DS records in a top-level domain?” But the reality is that it’s not quite that simple.  There are sites providing DNSSEC deployment statistics and some TLDs are making DNSSEC usage available… but that’s not true across the board.  And the validation question is quite difficult due to the distributed and decentralized nature of the Internet.  We recently wrote about some work Verisign Labs is undertaking to measure validation, but that work is just beginning.

The APNIC Experiment

So we were delighted to see the post, “Counting DNSSEC” and accompanying presentation from Geoff Huston and George Michaelson at APNIC Labs where they dug into this DNSSEC measurement issue in a unique way.  As Geoff writes, they set out to look at these questions:

  • How many zones are DNSSEC signed?
  • How many DNS queries are DNSSEC-validated?
  • How many DNS resolvers are DNSSEC-capable?
  • How many users are using DNSSEC-aware DNS resolvers?

But rapidly concluded that these precise questions were difficult to answer – and so they decided to look a bit more broadly at these questions:

  • What proportion of DNS resolvers are DNSSEC-capable?
  • What proportion of users are using DNSSEC-validating DNS resolvers?
  • Where are these users?

Their measurement technique was to use advertisements in web browsers displayed through an advertising network.  They used a flash-based ad that made multiple DNS requests without user intervention, i.e. the user didn’t have to click on the ad – just the action of displaying the ad triggered the measurements.

They ran the test from September 10-17, 2012, and observed 57,268 unique IP addresses requesting the DNS records. Some of the conclusions were interesting:

  • 4% of DNS resolvers performed DNSSEC validation
  • 9% of end-client systems were using a DNSSEC-validating resolver

Their post goes through all this in great detail and provides a much more thorough explanation than I can do here.

They then went on to look at where the users were coming from and provide charts segmenting their data in multiple different ways.   They summarized all of this in a presentation to the recent RIPE 65 event complete with charts showing the validation by country.  I’d highly recommend you take a look at that presentation as it provides an excellent view into all this data.

As with any survey like this, you can always wonder about the distribution of people seeing the displayed ad. My first thought was that as I browse with Flash disabled by default I would never have triggered their measurement had it been displayed on my screen.  Similarly many mobile devices might not execute Flash, notably Apple devices, and so it would miss those users.

But even with those caveats, this is an excellent piece of work as an attempt to perform some basic measurements.  Geoff notes at the end of the post that they’ll perform another look at DNSSEC deployment in a few months time, and we’re very much looking forward to seeing what difference they’ll measure in that next look.

What Else Can Be Done?

Beyond this work, we are still thinking a great bit about what else can be measured.  For instance, can we as an industry develop:

  • a count of registrars supporting DNSSEC by allowing upload of DS records?
  • a count (or %) of DNS hosting providers providing automated DNSSEC signing?
  • a % of ISPs providing validating name servers?
  • a % of signed second-level domains?

On this last point, there are great examples already out there including the PowerDNS stats for .NL and other domains, the Verisign Labs scoreboard for .COM/.NET/.EDU and the NIST statistics for the US Gov’t and industry, but it would be even better if we could aggregate this information and also obtain that information for other TLDs.

How can we best measure the deployment of DNSSEC?  It’s an interesting question… do you have any thoughts about other methods and mechanisms?


Slides: How The Hidden Secret of TCP/IP Affects Real-time Communications

Recently at Voip2day + ElastixWorld in Madrid 2012, Olle E Johansson gave a great presentation outlining where we are at with telecom and VoIP in 2012 - and where we need to go! Olle is a long-time, passionate and tireless advocate for the open Internet, IPv6, SIP and standards and interoperability. I've known Olle for years via Asterisk-related issues, via the VUC calls and via work on SIP over IPv6.

This presentation (slides available) really hits a number of key points about where we are at now:

In particular I was struck by his slides 24-28 that strike the same theme I've been writing about across multiple blogs, namely the way we are reversing the "open Internet" trend and retreating back inside walled gardens of messaging:

This is what customers wanted to avoid

He goes on to walk through what happened with SIP and how the protocol evolved - and evolved away from interoperability. His conclusion is that we as customers need to take back control, avoid vendor lock-in and demand interoperability.

He also points people over to his "SIP 2012" effort where he is undertaking to compile a list of what really defines "SIP" in 2012, i.e. more than just RFC 3261. (I'll note he's looking for feedback on these ideas.)

All in all an excellent presentation... and yes indeed we all collectively do need to "WAKE UP" and demand better solutions!

If you found this post interesting or useful, please consider either: