Understanding the Role of Registrars in DNSSEC Deployment
Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson
DNSSEC 101
[Diagram: the DNS resolver queries example.com's authoritative DNS server for A records with the DO bit set and receives the A records with an RRSIG.]
Previous work
DNSSEC deployment is very rare (~1%) but 30% of them tried (but failed to deploy correctly)
Why?
[Diagram: to verify the RRSIG, the resolver uses DNSKEY records from example.com's authoritative DNS server, .com, and . (root zone), which together form the chain of trust.]
DNSSEC 101 Hierarchical Structure
[Diagram: chain of trust across the DNSKEY records of each level of the hierarchy. The .com zone holds a DS record for example.com, covered by an RRSIG, where DS record = Hash(DNSKEY) of example.com's authoritative DNS server.]
~30% of domains w/ DNSKEY DO NOT DO THIS!
Registry, Registrar, and DNS Operator
[Diagram: Registry (TLD): .COM (Verisign); Registrar: GoDaddy; Owner. The owner buys example.com through the registrar, and the DS record is passed between the parties.]
[Diagram: the same parties with CloudFlare as Third-Party DNS Operator. example.com is bought through the registrar and delegated to the third-party DNS operator, and the DS record is passed between the parties.]
Registry, Registrar, Reseller, and DNS Operator
[Diagram: Registry (TLD): .COM (Verisign); Registrar: ASCIO; Reseller: Antagonist; Third-Party DNS Operator: CloudFlare. example.com is bought through the reseller and delegated to the third-party DNS operator, and the DS record is passed between the parties.]
Anecdotal Examples
Experiment: We saw the DNSKEY deployed (but not DS records), so we asked why they don’t upload DS records.
Result: [1] They removed a DNSSEC menu. [2] “Most people do not understand DNS, so imagine the white faces when I mention DNSSEC”
Experiment: We asked a registrar to upload a DS record by email from a different email address than the one that registered.
Result: It was installed successfully.
Experiment: We asked a registrar to upload a DS record to our domain via web live chat.
Result: It was installed on someone else’s domain due to a mistake by the customer service agent.
Details of the Last Example
3:45:32 PM tijay: hg-dnssec.com 3600 IN DS 2371 13 2 129f34c04ac58ece5218b9894148304a736a63757f58ff0cddd9b8df4989
3:56:05 PM Jeniffer S: Awesome! one moment
3:56:09 PM Jeniffer S: I have now saved the request information! Manage DNSSEC paananenmusic.com Record added successfully. It can take 4-8 hours for DNS to propagate
3:57:19 PM tijay: paananenmusic.com?
3:57:28 PM tijay: my domain is hg-dnssec.com?
3:58:41 PM Jeniffer S: I apologize, you are right, silly me, one moment
Open Question
Why is it so hard to deploy DNSSEC?
How does registrar policy impact the deployment?
Outline
Why is it so hard to deploy DNSSEC?
Popular registrars with lots of (1) domains and (2) DNSSEC-enabled domains
Checking Registrar’s DNSSEC Policy
Registrar as DNS operator: Registrar supports DNSSEC?
Owner as DNS operator: Registrar supports DS upload? Registrar validates DS record?
Popular Registrar’s DNSSEC Policy
Registrars: GoDaddy (domaincontrol.com), NameCheap (registrar-servers.com), OVH (ovh.net), HostGator (hostgator.com), Amazon (aws-dns), Google (googledomains.com), 123-reg (123-reg.co.uk), RightSide (name.com), eNom (name-services.com), NameBright (namebrightdns.com), DreamHost (dreamhost.com), the others (10 registrars)
[Table: per-registrar results for Registrar DNS Operator, Owner DNS Operator DS Upload (Web, Email), and DS Validation; cell values not recoverable.]
Some nameservers don’t support DNSSEC
Registrar supports DNSSEC? 2.5/20
Registrar supports DS upload? 11/20
Registrar validates DS record? 2/20
Popular Registrar
Support DNSSEC? (# of registrars) Registrar as DNS operator: 2.5/20; Owner as DNS operator: 11/20
Check DS validation (# of registrars) Owner as DNS operator: 2/11
DNSSEC support for popular registrars is quite poor
Each registrar has a different policy for supporting DNSSEC.
Popular DNSSEC Support Registrars
Registrars: OVH (ovh.net), Loopia (loopia.se), DomainNameShop (hyp.net), TransIP (transip.net), MeshDigital (domainmonster.com), OVH (anycast.me), TransIP (transip.nl), Binero (binero.se), KPN (is.nl), PCExtreme (pcextreme.nl), Antagonist (webhostingserver.nl), NameCheap (registrar-servers.com)
[Table: per-registrar results for Registrar DNS Operator (DNSSEC Default, Publish DS Records?), Owner DNS Operator (DS Upload), and DS Validation; cell values not recoverable.]
Registrar supports DNSSEC? 10/12
Selective support
Registrar supports DS upload? 10/12
Registrar validates DS record? 2/12
Fetches a DNSKEY from the nameserver
Other Security Issues
[Table: DS Upload channel per registrar (Web, Email); cell values not recoverable.]
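The DS record = Hash(DNSKEY) relationship and the "Registrar validates DS record?" step from the slides above, as an added example that is not part of the presentation. The function names, domains and key bytes are constructed for illustration, and `published_dnskeys` stands in for the DNSKEY set a registrar would fetch from the domain's nameserver.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields for digest type 2: SHA-256(owner wire name || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], 2, digest

def ds_line(owner, ds, ttl=3600):
    """Presentation form: '<owner> <ttl> IN DS <tag> <alg> <digest type> <digest>'."""
    return "%s %d IN DS %d %d %d %s" % ((owner, ttl) + tuple(ds))

def validate_ds_upload(account_domain, line, published_dnskeys):
    """Accept a submitted DS only if it belongs to account_domain and matches a
    DNSKEY the domain's nameserver publishes (passed in here, so no network)."""
    try:
        fields = line.split()
        pos = fields.index("DS")
        owner = fields[0]
        tag, alg, dtype = (int(x) for x in fields[pos + 1:pos + 4])
        digest = "".join(fields[pos + 4:]).lower()
    except ValueError:
        return False, "malformed DS record"
    if name_to_wire(owner) != name_to_wire(account_domain):
        return False, "owner name does not match the account's domain"
    if dtype != 2:
        return False, "digest type not handled by this example"
    try:
        if len(bytes.fromhex(digest)) != 32:
            return False, "digest is not 32 bytes"
    except ValueError:
        return False, "digest is not hex"
    for rdata in published_dnskeys:
        if make_ds(owner, rdata) == (tag, alg, dtype, digest):
            return True, "ok"
    return False, "no published DNSKEY matches this DS"

# Constructed sample keys (not real key material): KSK flags 257, algorithm 13.
KEY_A = dnskey_rdata(257, 3, 13, bytes(range(64)))
KEY_B = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))

if __name__ == "__main__":
    good = ds_line("example.com", make_ds("example.com", KEY_A))
    print(validate_ds_upload("example.com", good, [KEY_A]))       # accepted
    print(validate_ds_upload("example.net", good, [KEY_B]))       # wrong domain
    print(validate_ds_upload("example.com", good[:-4], [KEY_A]))  # truncated digest
```

Either the owner-name check or the DNSKEY comparison rejects a DS record that ends up on a domain other than the one it was generated for.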
Outline
Why is DNSSEC deployment so rare?
How does a registrar policy impact the deployment?
We need historical dataset
Dataset
TLD    Measurement Period (Daily Scan)    Domains (Total)    Domains (Percent w/ DNSKEY)
.com   2015/03/01 ~ 2016/12/31            118,147,199        0.7%
.net   2015/03/01 ~ 2016/12/31            13,773,903         1.0%
.org   2015/03/01 ~ 2016/12/31            9,682,750          1.1%
.nl    2016/02/09 ~ 2016/12/31            5,674,208          51.6%
.se    2016/06/07 ~ 2016/12/31            1,388,372          46.7%
Over 750 billion DNS Records
[1] Registry: Financial Incentive
[Figure: percent of domains with DNSKEY and DS record by date (05/15 to 11/16) for Loopia (*.loopia.se) and KPN (*.is.nl), per TLD (.com, .net, .org, .se, .nl); annotations mark where the .nl and .se measurements begin.]
Financial Incentive
Financial gain is a huge incentive for deploying DNSSEC
[2] Registrar: Free vs. Paid
[Figure: percent of domains with DS record by date (05/15 to 11/16) for OVH and GoDaddy.]
Free vs. Paid
Free DNSSEC support encourages users to deploy DNSSEC
[3] Reseller (.com, .org, .net) vs. Registrar (.nl)
[Figure: percent of domains with DS and DNSKEY record, and # of domains, by date (05/15 to 11/16) for .com, .net, .org, .nl.]
12/14
Changed their registrar to one that supports DNSSEC
Registrar vs. Reseller
Complex relationship between reseller and registrar also results in slow deployment of DNSSEC
[4] Third-Party DNS Operator
[Diagram: Registry (Verisign), Registrar (ASCIO), Reseller (Antagonist), Owner, and Third-Party DNS Operator (CloudFlare), with the DS record passed between them.]
[4] Third-Party DNS Operator <Cloudflare>
[Figure: percent of domains with DNSKEY record, and percent of domains with DNSKEY that has DS record, by date (02/16 to 11/16); annotation: Cloudflare announced universal DNSSEC.]
Third-party DNS Operator
Deploying DNSSEC is even harder for users using third-party DNS Operators
Conclusion
- Registrars play a critical role in supporting DNSSEC today
  - Only 3 out of 20 registrars support DNSSEC on their authoritative nameservers
  - Only 11 out of 20 registrars support uploading a custom DS record
- DNSSEC deployment depends on many policies
  - Registrar: Free
  - Registry: Financial incentive
  - Reseller: Be careful when choosing a partner (i.e., registrar)
  - Third-party: CDS/CDNSKEY
Thanks!