{"title":"Measurement survey of server-side DNSSEC adoption","authors":"Matthäus Wander","doi":"10.23919/TMA.2017.8002913","DOIUrl":null,"url":null,"abstract":"This paper answers the question how far DNSSEC signing has found adoption in practice. By applying zone enumeration techniques on all top-level domains we gather the number of 6.4 million signed second-level domains. This figure is a complete snapshot of the DNSSEC ecosystem as of January 2017. The adoption concentrates among a small number of top-level domains, some of them having half of their domains signed with DNSSEC, while most top-level domains have adoption ratios of 1%, or less. The majority of top-level domains use NSEC3 hashing to thwart zone enumeration, but GPU-based zone enumeration allows us to recover 79% of cleartext domain names. Most second-level domains use RSA as signing algorithm with a combination of 2048-bit and 1024-bit keys, but 512-bit keys are also common despite being demonstrably insecure. ECDSA adoption has grown to 8% within the last two years. 0.45% of domains are not signed correctly and fail to validate. However, there are fewer domains failing due to DNSSEC errors than due to other misconfigurations or network problems.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"28 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 Network Traffic Measurement and Analysis Conference (TMA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.23919/TMA.2017.8002913","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 16
Abstract
This paper answers the question of how far DNSSEC signing has been adopted in practice. By applying zone enumeration techniques to all top-level domains, we count 6.4 million signed second-level domains. This figure is a complete snapshot of the DNSSEC ecosystem as of January 2017. Adoption is concentrated among a small number of top-level domains, some of which have half of their domains signed with DNSSEC, while most top-level domains have adoption ratios of 1% or less. The majority of top-level domains use NSEC3 hashing to thwart zone enumeration, but GPU-based zone enumeration allows us to recover 79% of cleartext domain names. Most second-level domains use RSA as the signing algorithm with a combination of 2048-bit and 1024-bit keys, but 512-bit keys are also common despite being demonstrably insecure. ECDSA adoption has grown to 8% within the last two years. 0.45% of domains are not signed correctly and fail to validate. However, fewer domains fail due to DNSSEC errors than due to other misconfigurations or network problems.