Category: APNIC

Video: Geoff Huston – what if everyone did DNSSEC? (APNIC 38)

What if everyone enabled DNSSEC?  What would happen to your network? Should you be scared?

The good folks at APNIC are out with a video from Geoff Huston answering these questions:

If you want to get started with DNSSEC so that your domain name can be secure from being impersonated, please visit our Start Here page to find resources targeted for your type of organization.

Help us make the Internet more secure – deploy DNSSEC validation and start signing your domains NOW!

P.S. For a good example of HOW DNSSEC can help protect you, please read our recent article about email hijacking attacks that are going on now – but could be prevented by the use of DNSSEC.

Finally! A DNSSEC Validation Trend Chart – Up And To The Right!

Finally!  What I’ve always wanted for tracking the growth of DNSSEC validation by DNS resolvers is some kind of “trend chart” along the lines of Google’s IPv6 Statistics page that could show the growth in DNSSEC validation.  At the recent ICANN DNSSEC Workshop in London Geoff Huston of APNIC provided to us that exact kind of chart at the URL:

Sure, the URL is not exactly very typing-friendly, but a quick bookmark can solve that (and we’ve added it to our DNSSEC Statistics page to help in that regard).  The chart looks like:

DNSSEC Validation Trend Line


Which shows the nice upward trend.  Geoff’s team includes some other tools so that, for instance, you can set the “average interval” to 7 days and get a much smoother line:

DNSSEC validation weeklyThis is what I intend to start using now to show the growth in DNSSEC validation as we continue to see further deployment happening within networks around the world.

Speaking of geography, Geoff’s site also has a “world map” view showing DNSSEC validation by country at the URL:

Right now, of course, the map shows a whole lot of red for low levels of DNSSEC validation:

DNSSEC Validation world map


Let’s see if we can make that change!  (Deploy DNSSEC-validating resolvers on your network today! :-) )

A cool feature is that below the world map you can get individual trend charts for both various regions and even for individual countries.  It also shows the ranking of countries in terms of DNSSEC validation (click/tap the image to get to the page – and then scroll down to see):



Our colleague Jan Žorž may be pleased to see how high his home of Slovenia is ranking!

All of this is based on the measurements Geoff’s team has been doing using Flash-based advertising using Google’s advertising network, something he explained in a recent talk at the RIPE 68 event.

While obviously the various charts show how far we have to go in getting DNSSEC deployed, at least now we have some solid measurement charts we can use to track the progress!  Many thanks to Geoff and his team for making this site possible.

We’re looking forward to continuing to see the DNSSEC validation chart grow up and to the right!

P.S. If you want to understand how to get started with DNSSEC, please visit our Start Here page to find resources focused on your type of organization.

Video: Geoff Huston on Measuring DNSSEC from the User’s Perspective (RIPE 68)

How do you best measure DNS-related metrics from the perspective of an end user?  How many users are actually using DNSSEC validation?  What countries have the highest level of DNSSEC validation?  What role does Google’s Public DNS play in helping with this?

These are all questions that APNIC’s Geoff Huston addressed in his talk “Measuring DNS from the User’s perspective” at the recent RIPE68 meeting in Warsaw.  His slides are now online with some very interesting charts around DNSSEC validation.  I enjoy listening to Geoff and think you’ll find this quite an interesting talk:


And then… can you set up DNSSEC validation on your own network?  That will help you get the benefit of the added security of DNSSEC in your own usage of the Internet.

Video/Slides – Geoff Huston On Measuring DNSSEC Usage at RIPE67

How many people are actually performing DNSSEC validation on DNS queries? What is the true penetration of DNSSEC usage?  While there are many sites offering DNSSEC statistics about the number of signed domains or TLDs, what kind of measurements can be done on the validation side of DNSSEC?  And what is the performance impact of doing DNSSEC validation?

At the RIPE67 meeting Geoff Huston of APNIC gave an entertaining presentation around these exact questions based on measurements through a system of Flash-based web advertisements he has been using.  His slides are available online and the video presentation runs about 28 minutes:

Geoff Huston speaking

The information is certainly useful and we look forward to future presentations based on these measurements!


APNIC Offering DNSSEC Training In Dhaka, Bangladesh, on November 8, 2013

APNIC logoAre you interested in learning about DNSSEC and live near Dhaka, Bangladesh? (or can get there?) If so, the folks at APNIC are offering a day of DNS/DNSSEC trainingon November 8, 2013. From the abstract:

This course will discuss the concept of DNS Security in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties.

The outline looks quite interesting:

  • DNS concepts
  • Forward and Reverse DNS
  • DNS Security concepts
  • DNS Protocol Vulnerabilities
  • Transaction Signatures (TSIG)
  • DNS security extensions (DNSSEC)
  • Setting up secure zones
  • DNSSEC Key management
  • DNS and IPv6

(I like that bit at the end about “DNS and IPv6″! ;-) )

For more information such as location and fees, as well as the link for registration, please visit the APNIC web page for this class.

APNIC Offering DNSSEC Training in Mongolia April 1-3

APNIC logoWe noticed that our friends over at APNIC are offering DNSSEC training in Ulaanbaatar, Mongolia, from April 1-3 and since, well, we’ve never written anything about Mongolia on this site before, we figured we ought to do so!

The course is APNIC’s DNS/DNSSEC workshop and sounds like an excellent offering.  Given that APNIC was recently tweeting about this event we are assuming there is still space available.

The training session is one in a whole series of training workshops APNIC is offering on topics including DNS/DNSSEC, IPv6, Routing and more.

Given that Mongolia’s .MN TLD is signed with DNSSEC (as shown in the list of signed TLDs), we’re looking forward to seeing more signed .MN domains and more usage of DNSSEC in Mongolia after this workshop!