Paper Overview

The Domain Name System (DNS) provides a scalable, flexible name resolution service. Unfortunately, its unauthenticated architecture has proven to be the vector for many security attacks. To address this, DNS Security Extensions (DNSSEC) were introduced in 1997. To deploy, DNSSEC requires support from the top-level domain (TLD) registries and registrars, as well as participation by the organization that serves as the DNS operator. Unfortunately, DNSSEC has seen poor deployment thus far: despite being proposed nearly two decades ago, only 1% of .com, .org, and .net domains are properly signed.
In this paper, we investigate the underlying reasons why DNSSEC adoption has been remarkably slow. We focus on registrars, as most TLD registries already support DNSSEC and registrars often serve as DNS operators for their customers. Our study not only leverages large-scale, longitudinal DNS measurements, but also the first systematic study of the entire domain registration process from the customer's perspective, by purchasing domains from leading domain name registrars and resellers. Overall, we find that a select few registrars are responsible for the (small) DNSSEC deployment today, and that many leading registrars do not support DNSSEC at all, or require customers to take cumbersome steps to deploy DNSSEC. Further frustrating deployment, many of the mechanisms for conveying DNSSEC information to registrars are error-prone or present security vulnerabilities. Finally, we find that using DNSSEC with third-party DNS operators such as Cloudflare requires additional steps that 40% of domain owners do not complete. Having identified several operational challenges for full DNSSEC deployment, we make recommendations to improve adoption.

This paper will be published at IMC'2017 (Internet Measurement Conference) and you can download our paper here

DNSSEC Supports by Popular Registrars

Many registrars offer customers two options when purchasing a domain:

1. (1) the customer can ask the registrar to serve as the authoritative nameserver (i.e., the registrar is the DNS operator)
2. (2) the customer can run their own authoritative nameserver for its new domain (i.e., the owner is the DNS operator)

In the former case, the authoritative nameserver for the domain will be listed as one in the registrar's domain, and the registrar usually provides the customer with a web-based interface where they can modify the contents of their domain. For example, if a customer purchased example.com from Bluehost and chose registrar hosting, the NS record for example.com would be a machine in the bluehost.com domain. For domains that support DNSSEC, the responsibility for maintaining DNSSEC records (e.g., DNSKEYs, RRSIGs, DS records) falls on the DNS operator. If this is the registrar, and if the registrar supports DNSSEC and manages DNSSEC correctly, it is the registrar who will generate DNSKEYs and RRSIGs for DNS records. If this is the owner, the owner must generate and maintain all DNSSEC records.

The below Table shows 20 registrars among the top 31 DNS operators that cover 54.3% of .com, .net, and .org domains in the TLD zone files. (we do not study the domain parking services further as they are not registrars) and survey of how they support DNSSEC.

Dataset

Our dataset consists of

1. TLD zone files
2. Zone (Authoritative Server) scans

Contact