DNSSEC, unidentified flying object in the sky over Italian Public Administration

Public Administration - risk and benefit assessment

Q: “Are you running DNSSEC?”
A: “Pardon, what am I supposed to run?”

Ok, DNSSEC (a set of extensions to DNS, documented since 2005 in RFCs 4033, 4034 and 4035) is not widely adopted, but it should be, in order to effectively protect applications from using forged or manipulated DNS data (consider, for example, DNS cache poisoning threats; I recommend reading a recent article by Geoff Huston, The Cost of DNSSEC, or my Italian version “Il costo di DNSSEC”). Nevertheless, a great improvement can be observed in its deployment at ccTLDs’ root servers, as you can clearly see in the animated GIF below, according to the following key [from: http://www.dnssec-deployment.org/2013/09/dnssec-in-cctlds-past-present-and-future-7/]:

Experimental: We have reason to believe the ccTLD is experimenting with DNSSEC.
Announced: The ccTLD has announced that they will support DNSSEC.
Partial Operation: The ccTLD is signed, though possibly doesn’t have its DS in the root or isn’t taking signed delegations.
DS in Root: The ccTLD has placed its DS in the root.
Operational: The ccTLD is signed, its DS is in the root, and it is taking signed delegations.

DNSSEC - ccTLDs adoption map

The Registry of dot it Internet domains planned to put DNSSEC into production in early 2014. Unfortunately, there has been no deployment to date, and this is not going to help push its adoption by Public Administration’s ICT teams.

Anyway, I would tell the brave that when a registrar (or the Registry) doesn’t support DNSSEC it is possible to use DLV – DNSSEC Look-aside Validation, which provides an additional entry point (besides the root zone) from which to obtain DNSSEC validation information. It’s a service provided by ISC – Internet Systems Consortium.

Now, to better understand how great an effort is needed in order to secure Public Administrations’ domain names with a DNSSEC chain of trust, look at our study findings:

8,381 domain names examined
8,118 .it (291 gov.it)
44 .eu
75 .com
71 .net
51 .org
20 .info
1 .edu
1 .cc

DNS security extensions are deployed on just two of them. Maybe under a gTLD? Definitely not: both are .it (0.02%).
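To reproduce a check like the one behind these findings (and the DLV fallback mentioned above), here is an added example, not code from the original post: it reduces each hostname to its delegated zone, groups zones by TLD the way the study does (gov.it counted within .it), and classifies each zone with the map’s own key by looking for a DNSKEY, a DS in the parent, or a DLV record. The `dig +short` lookup, the two-label (three under gov.it) zone rule and the sample answers are assumptions I made for the example; a constructed lookup table lets it run offline.

```python
import subprocess
from collections import Counter

def dig_lookup(name, rrtype):
    """Ask the local resolver for name/rrtype via `dig +short`; empty list if nothing."""
    proc = subprocess.run(["dig", "+short", rrtype, name],
                          capture_output=True, text=True, check=False)
    return [ln for ln in proc.stdout.splitlines() if ln.strip()]

def registrable_domain(hostname):
    """Reduce a hostname to the delegated zone. Assumption: two labels, or three
    under gov.it, e.g. www.example.it -> example.it, www.x.gov.it -> x.gov.it."""
    labels = hostname.lower().rstrip(".").split(".")
    depth = 3 if labels[-2:] == ["gov", "it"] else 2
    return ".".join(labels[-depth:])

def dnssec_status(zone, lookup=dig_lookup):
    """Classify a zone with the key used by the ccTLD map in the post:
    unsigned / partial (signed, no DS in the parent) / dlv / operational."""
    if not lookup(zone, "DNSKEY"):
        return "unsigned"
    if lookup(zone, "DS"):                      # parent publishes the DS: chain to the root
        return "operational"
    if lookup(zone + ".dlv.isc.org", "DLV"):    # ISC's DLV registry (ISC has since retired it)
        return "dlv"
    return "partial"                            # signed, but validators cannot reach it

def audit(hostnames, lookup=dig_lookup):
    """Per-TLD counts (gov.it also counted as a subset of .it) and per-zone status."""
    by_tld, status = Counter(), {}
    for zone in sorted({registrable_domain(h) for h in hostnames}):
        by_tld[zone.rsplit(".", 1)[-1]] += 1
        if zone.endswith(".gov.it"):
            by_tld["gov.it"] += 1
        status[zone] = dnssec_status(zone, lookup)
    return by_tld, status

# Constructed sample answers (not real zones or keys) so the audit runs offline.
_SAMPLE = {
    ("signed.it", "DNSKEY"): ["257 3 8 AwEAAc...(constructed)"],
    ("signed.it", "DS"): ["12345 8 2 0123...(constructed)"],
    ("island.gov.it", "DNSKEY"): ["257 3 8 AwEAAd...(constructed)"],
}

def constructed_lookup(name, rrtype):
    return _SAMPLE.get((name, rrtype), [])

if __name__ == "__main__":
    counts, results = audit(["www.signed.it", "mail.signed.it",
                             "portal.island.gov.it", "www.plain.eu"], constructed_lookup)
    print(dict(counts), results)
```

Against real zones, swap `constructed_lookup` for the default `dig_lookup`; a "partial" result means the zone is signed but no resolver will validate it until the DS reaches the parent.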

Further readings on DNSSEC statistics at http://www.internetsociety.org/deploy360/dnssec/statistics/.

Also, I would recommend an updated report on DNSSEC deployment by Rick Lamb (http://rick.eng.br/dnssecstat/) and the DNSSEC validation global trend chart by Geoff Huston’s team at APNIC: http://gronggrong.rand.apnic.net/cgi-bin/worldmap

[Raw hostnames from: http://siamogeek.com/analisi-siti-pa/download-dati-analisi-siti-pa/ ]

DNSSEC, unidentified flying object in the sky over Italian Public Administration by Antonio Prado is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
