[AusNOG] [::] APNIC DNSSEC Workshop SYDNEY, AUSTRALIA 29-31 July 2013

Geoff Huston gih903 at gmail.com
Mon Jul 1 16:02:27 EST 2013


On 28/06/2013, at 10:49 AM, Mark Andrews <marka at isc.org> wrote:

> 
> Now if we could just get .AU and its delegated subdomains signed one could make good use of that training.

Supply - meet demand, Demand - meet supply.

The story about DNSSEC deployment is as much about the ability of users to perform DNSSEC validation when resolving DNS names as it is about .au domain names being DNSSEC-signed.

We've been doing some measurement of late to see the extent to which users use DNS resolvers that perform DNSSEC signature validation, and the results are, from an Australian perspective, unimpressive.

Right now some 8% of the Internet's user base appears to be using DNSSEC when resolving names.

However, right now only some 2% of Australian users appear to be using DNSSEC when resolving names. Of those, 70% of them do so by virtue of their use of 8.8.8.8 (Google's Public DNS servers that now perform DNSSEC validation), while the rest appear to use local resolvers. Compare that to, say, Sweden, where 76% of users use DNSSEC validation but only 1.5% of those that do perform this validation rely on Google's services. Or compare it to Indonesia, where one quarter of their users (23%) use DNS resolvers that perform DNSSEC validation.

On a country-by-country basis that result puts Australia in the lower third, at rank 146 out of 218 country codes in terms of levels of use of DNSSEC validation.

If we could just get some of the larger ISPs' resolver farms to turn on DNSSEC validation we might do a whole lot better, and actually offer our users a service that provides some real improvements in the ability to secure services on the net. This story about DNSSEC deployment is so much more than just leaning on AUDA - lean on your ISP too and ask them when they are going to take DNS security seriously.

Geoff
 




