Category: BT

BT Releases Results of 2014 DNSSEC Survey

BT Diamond IP just published the results of their 2014 DNSSEC survey and the report is available for all to download for free.  Back in October, I’d encouraged people to take the survey to help gain an understanding of DNSSEC deployment, and BT’s Tim Rooney noted in his post about the survey that this year there was a high amount of participation by people who had already deployed DNSSEC:

Clearly this year’s survey attracted active deployers of DNSSEC, which contrasts sharply with the 2012 survey where less than 25 percent of respondents had already deployed or were actively deploying DNSSEC validation and signing.

In fact, the way I read his tables on page 4, over 60% of respondents had deployed DNSSEC and another 10% were in the process of doing so.  Not exactly representative of the overall industry! (Unfortunately)  Still, though, I think the report provides useful insight into DNSSEC deployment from the point of view of people who have deployed the technology.  (By the way, we did write about the 2012 report back when it came out.)

Tim also relays these highlights of the 2014 report:

  • Nearly all respondents agreed with the statement that DNSSEC can or does provide value to their organization and over 85 percent likewise agreed that DNSSEC technology is mature and can be reliably deployed.
  • Forty-seven percent of respondents agreed that deploying and maintaining DNSSEC is very complex, 12 of the 47 percent strongly. Only 22 percent disagreed. This is rather telling in that DNSSEC is not only considered complex to the uninitiated, but that experience shows this to be the case.
  • Nearly half of respondents disagreed with the statement that only external (Internet-facing) zones need be signed, while 28 percent agreed with the statement. This majority position debunks the theory that internal name spaces are of little concern when it comes to DNSSEC.
  • Only 20 percent of respondents agreed that dedicated hardware security module (HSM) appliances or cards are required to store private keys.
  • Over 75 percent of respondents assign their DNS groups as responsible for DNSSEC implementation and management, sometimes alone or often in conjunction with other groups. It’s interesting to note that about 25 percent of respondents do not involve the DNS group in the process!
  • As an industry, simplifying the deployment process to reduce complexity and therefore costs to some degree could help spur further DNSSEC deployments.

I’ll definitely agree with his last point about reducing complexity and that’s something that I know we and others within the industry continue to champion … any way that we can add more automation or make the user experience simpler will go far to help advance DNSSEC deployment.

I found a number of the other charts quite interesting, such as the reasons for NOT deploying DNSSEC as well as those about what software was being used.  All in all I think the report is a useful contribution to the ongoing discussions around DNSSEC.  I’d like to see more of these types of surveys so that we can continue to build out a picture of DNSSEC deployment as well as the challenges that need to be addressed.

Thanks to Tim Rooney and the others at BT Diamond IP for compiling this survey!

 

BT Releases Survey Results on DNSSEC Deployment

Yesterday BT’s Diamond IP group released their first DNSSEC Industry Survey Results that resulted from a survey of 120 participants from around the world in October 2012.  The key findings they report in the executive summary include:

  • Only 13 per cent of respondents have deployed DNSSEC signed zones in production and another five per cent are in the process of deployment. Even fewer have configured their caching recursive servers for DNSSEC validation with eight per cent having production deployments and another nine per cent progressing in deployment.
  • Despite modest deployments, nearly two-thirds of respondents agree or strongly agree that DNSSEC can provide organizational benefits and that DNSSEC technology is mature enough to deploy reliably. On the other hand, over half of respondents agreed that DNSSEC provides limited value until more validating resolvers are deployed, highlighting the “chicken and the egg” challenge for DNSSEC deployment.
  • Respondents generally agreed but were a bit unsure about supplementing DNSSEC deployments with hardware security modules (HSMs) with nearly half being neutral and over a third agreeing.
  • Leading obstacles to DNSSEC deployment were complexity of deployment and the inability to demonstrate a strong business case. Training issues and complexity of ongoing DNSSEC management caused concern as well.
  • Because DNSSEC requires knowledge of both DNS and cryptography to some degree, education and training programs may help improve industry awareness of the operation, benefits, and administrative requirements for deploying and maintaining DNSSEC secured resolution.

Most all of which is much in line with what we’ve seen in our own research, and in fact the latter two points were precisely why we created the Deploy360 Programme – to get that kind of deployment information and education more widely known so that we can get DNSSEC more widely deployed.

I was particularly interested in the results on page 5 that asked about the value of DNSSEC.  Some of the answers were interesting – and also point to areas in which we as an industry need to provide better information to help people understand the value.  The “Top obstacles to DNSSEC deployment” chart on page 6 also agreed quite well with what we’ve heard from others.

One interesting question I’d not seen asked on other surveys about DNSSEC was about who would be responsible for the company’s DNSSEC implementation (page 8), with an interesting split between the “DNS” and “security” groups, highlighting an additional internal management challenge that may get involved with deploying DNSSEC:

The division makes a good bit of sense in that DNSSEC is something that you could see being in the area of responsibility of either of those groups, depending upon whether the company/organization views it as primarily a DNS issue or a security issue.

There were a number of other interesting charts as well as a section at the end with the demographics behind the survey.

With any survey like this, you do have to consider the source, and BT Diamond IP is a vendor of products related to DNS, DNSSEC and IPAM.  Having said that, though, the results are in line with what we’ve seen in other surveys and are a welcome contribution to the ongoing discussion around DNSSEC deployment.  I’d love to see more of these types of surveys coming out with data from other demographics, regions, etc.

Thanks to BT Diamond IP for doing this research and also for making it publicly available without requiring a registration form for access.