At the recent 22nd USENIX Security Symposium in Washington, DC, a paper was presented that is now available for download: Measuring the Practical Impact of DNSSEC Deployment, written by several researchers from the University of California along with security researcher Eric Rescorla. Their work was to explore the cost vs benefit of deploying DNSSEC. As they note in their abstract:
We have performed a large-scale measurement of the effects of DNSSEC on client name resolution using an ad network to collect results from over 500,000 geographically-distributed clients. Our findings corroborate those of previous researchers in showing that a relatively small fraction of users are protected by DNSSEC-validating resolvers. And we show, for the first time, that enabling DNSSEC measurably increases end-to-end resolution failures. For every 10 clients that are protected from DNS tampering when a domain deploys DNSSEC, approximately one ordinary client (primarily in Asia) becomes unable to access the domain.
They go on to provide a background of DNS and DNSSEC, explain their methodology and systems and then outline their results. To perform their tests, they used web-based ads in what seems like a method similar to what Geoff Huston and George Michaelson have been doing at APNIC. (I have not specifically compared the two methodologies, but both are using web-based ads.)
The paper reaches several interesting conclusions. First, they found that DNSSEC validation was performed by about 2.6% of users out there. Second, they found that about 1% of clients failed to retrieve a validly DNSSEC-signed resource – and that this was primarily from clients in the Asia Pacific region and was related to DNS resolution falling back to TCP to accommodate larger packet sizes.
The full document is definitely worth a read as there is a wealth of information and also links out to other studies and surveys. They also include some good cautions in there for people undertaking similar advertising-based studies.
My one question about the study was when the measurements were taken and whether it was before or after Google enabled DNSSEC validation on their Public DNS servers back in May. I couldn’t find the timeframe in the study, but that could be important, as Geoff Huston’s latest measurements showed a jump in DNSSEC validation from 3.3% to 8.1% after Google made their change.
Regardless, it’s great to see these kind of studies out there and I look forward to reading any further research the team may perform in this area.
