PING
Calling time on DNSSEC: Part 1 of 2
In his regular monthly spot on PING, APNIC’s Chief Scientist Geoff Huston discusses DNSSEC and it's apparent failure to deploy at scale in the market after 30 years: Both as the state of signed zone uptake (the supply side) and the low levels of verification seen by DNS client users (the consumption side) there is a strong signal DNSSEC isn't making way, compared to the uptake of TLS which is now ubiquitous in connecting to websites. Geoff can see this by measurement of client DNSSEC use in the APNIC Labs measurement system, and from tests of the DNS behind the Tranco top website rankings.
This is both a problem (the market failure of a trust model in the DNS is a pretty big deal!) and an opportunity (what can we do, to make DNSSEC or some replacement viable) which Geoff explores in the first of two parts.
A classic "cliffhanger" conversation about the problem side of things will be followed in due course by a second episode which offers some hope for the future. In the meantime here's the first part, discussing the scale of the problem.
Read more about DNSSEC and TLS on the APNIC Labs website and the APNIC Blog:
- Calling time on DNSSEC (Geoff Huston, APNIC Blog June 2024)
- "Keytrap" attacks on DNSSEC (Geoff Huston, APNIC Blog June 2024)
- DNS topics at RIPE88 (Geoff Huston, APNIC Blog June 2024)
- The Tranco top website Rankings
- DNSSEC validation client usage (APNIC Labs)
- DNSSEC enabled domains from Cloudflare public DNS (APNIC Labs)