Transcript Measuring DNSSEC Use We want to measure the extent to which DNSSEC is actually being used in today’s Internet by DNS resolvers,

Measuring DNSSEC Use
We want to measure the extent to which DNSSEC is actually being used in
today’s Internet by DNS resolvers, and the extent to which end host systems
have their DNS queries validated with DNSSEC
• We used the Online Advertisement systems to enlist users all over the
Internet to test the DNSSEC validation capabilities of their DNS resolvers
• The code embedded in the ad fetches a unique (non-cacheable) object
from a DNSSEC enabled domain name
• We match the DNS resolution records with the web fetch records to see if
DNSSEC validation took place as part of DNS name resolution
These results reported here are generated from running the ad for 7 days in
September 2012
• The DNSSEC test was executed by 770,934 host systems from 11,862 AS’s
and 207 countries.
• These hosts use 57,268 distinct DNS resolvers from 10,050 AS’s and 207
country codes
George Michaelson, Geoff Huston, APNIC
http://labs.apnic.net
DNSSEC Use in Resolvers and Clients
• Of the 57,268 DNS resolvers some 2,316 query DNSSEC
RRs
– 4.0% of resolvers perform DNSSEC validation
• To see if there was a difference between edge and
infrastructure DNS resolvers we filtered out all resolvers
with 2 or less clients. We are left with 16,822 resolvers,
of which 1,180 perform DNSSEC validation
– 7.0% of infrastructure resolvers perform DNSSEC validation
• Of those 770,934 end hosts who executed the ad’s test,
69,560 use DNSSEC-capable resolvers
– 9.0% of end hosts use DNSSEC-validating DNS resolvers
– These DNSSEC users are not uniformly distributed across the
Internet...
Where are these DNSSEC users?
Countries
% who CC
use
DNSSEC
73.33%
62.74%
56.69%
53.95%
53.79%
49.93%
46.41%
46.21%
43.38%
43.12%
42.01%
41.22%
40.74%
40.13%
37.60%
34.82%
34.31%
32.33%
29.75%
29.11%
29.00%
28.97%
28.50%
28.12%
26.10%
25.62%
LY
SE
CZ
SI
PS
AZ
DJ
DZ
ZM
LU
BN
IE
AO
NI
FI
TR
GU
KG
VN
CL
DM
BY
UG
ZA
ID
JM
sample client counts
DNSSEC
Total
242
820
1331
839
568
760
84
1510
154
138
92
807
66
61
141
1793
47
43
1003
845
163
352
181
737
3633
154
330
1307
2348
1555
1056
1522
181
3268
355
320
219
1958
162
152
375
5150
137
133
3371
2903
562
1215
635
2621
13921
601
Libya
Sweden
Czech Republic
Slovenia
Occupied Palestinian Territory
Azerbaijan
Djibouti
Algeria
Zambia
Luxembourg
Brunei Darussalam
Ireland
Angola
Nicaragua
Finland
Turkey
Guam
Kyrgyzstan
Vietnam
Chile
Dominica
Belarus
Uganda
South Africa
Indonesia
Jamaica
Countries > 100 sample points
AS’s
% who ASN
use
DNSSEC
sample client counts
DNSSEC
Total
100.00% 44143
67
67
99.18% 31343 121 122
98.65% 198471
73
74
98.37% 44034 121 123
97.53% 12849
79
81
96.96%
7657 575 593
96.88% 12912 186 192
96.54% 48161 335 347
96.15% 22047 800 832
95.74% 34779 292 305
95.00%
8473
57
60
95.00% 29562 228 240
94.37% 20776
67
71
93.84%
5713 533 568
93.54%
5603 478 511
93.01% 38511 133 143
92.98%
8767
53
57
91.93% 34170 205 223
91.61%
5610 732 799
91.60%
1759 229 250
91.30%
4704
63
69
91.24%
5466 781 856
90.32% 39725
56
62
90.08%
7922 4578 5082
90.00% 29518
63
70
89.33%
3301 268 300
RS VIPMOBILE-AS Vip mobile d.o.o., Serbia
UA INTERTELECOM Intertelecom Ltd, Ukraine
IT , Italy
SE HI3G Hi3G Access AB, Sweden
IL HOTNET-IL Hot-Net internet services Ltd., Israe
NZ VODAFONE-NZ-NGN-AS Vodafone NZ Ltd., New Zealan
PL ERA Polska Telefonia Cyfrowa S.A., Poland
RO NG-AS SC NextGen Communications SRL, Romania
CL VTR BANDA ANCHA S.A., Chile
SI T-2-AS AS set propagated by T-2, Slovenia
SE BAHNHOF Bahnhof Internet AB, Sweden
DE KABELBW-ASN Kabel BW GmbH, Germany
FR OUTREMER-AS Outremer Telecom, France
ZA SAIX-NET, South Africa
SI SIOL-NET Telekom Slovenije d.d., Slovenia
ID TACHYON-AS-ID PT Remala Abadi, Indonesia
DE MNET-AS M-net AS, Germany
AZ AZTELEKOM Azerbaijan Tele, Azerbaijan
CZ TO2-CZECH-REPUBLIC Telefonica, Czech Republic
EU TSF-IP-CORE TeliaSonera, Finland
JP SANNET SANYO IT, Japan
IE EIRCOM Eircom Limited, Ireland
KZ DTVKZ-AS Digital TV, LLP, Kazakhstan
US COMCAST-7922 – Comcast, USA
SE BREDBAND2 Bredband2 AB, Sweden
SE TELIANET-SWEDEN TeliaSonera AB, Sweden
AS’s > 50 sample points
Where aren’t these DNSSEC users?
AS’s
Countries
% who CC
use
DNSSEC
2.63%
2.52%
2.49%
2.45%
2.42%
2.36%
2.33%
2.30%
2.30%
2.18%
2.15%
2.11%
2.08%
2.03%
1.89%
1.86%
1.72%
1.70%
1.56%
1.56%
1.56%
1.46%
0.79%
0.69%
0.51%
0.47%
sample client counts
DNSSEC
Total
LK 115 4372
CR
6
238
UY
27 1084
GE
36 1472
BW
9
372
JO
50 2118
SA 376 16169
HR 117 5077
FR 336 14625
AT 177 8113
ES 176 8168
AN
3
142
OM
36 1732
CY 165 8137
KR 1469 77571
MU
16
859
GR 562 32649
KW
40 2359
MO
11
706
SV
7
450
TT
7
450
DO
20 1369
AE 114 14374
MX
43 6274
QA
37 7263
MN
1
212
Sri Lanka
Costa Rica
Uruguay
Georgia
Botswana
Jordan
Saudi Arabia
Croatia
France
Austria
Spain
Netherlands Antilles
Oman
Cyprus
Republic of Korea
Mauritius
Greece
Kuwait
Macao
El Salvador
Trinidad and Tobago
Dominican Republic
United Arab Emirates
Mexico
Qatar
Mongolia
Countries > 100 sample points
% who ASN
use
DNSSEC
sample client counts
DNSSEC
Total
0.02%
8151
1 4325
0.09% 55740
1 1133
- CDMA DIVISION, India
0.12% 20001
1 818
0.15% 12271
1 658
of America
0.21% 29247
1 467
0.00% 13999
0 447
0.23% 13046
1 442
0.00% 35736
0 441
0.23% 17839
1 436
0.00% 12357
0 411
0.00% 23693
0 361
0.29%
5645
1 345
0.00% 37069
0 336
0.00% 16586
0 334
0.00% 11427
0 330
0.31% 55441
1 321
0.00% 39603
0 312
0.00% 11351
0 303
0.34%
9617
1 293
0.00% 47377
0 283
0.36% 17849
1 276
0.00% 132165
0 275
0.37% 55831
1 273
0.00%
9845
0 269
0.00% 28548
0 269
0.00%
9689
0 265
+ 232 more!
MX Uninet S.A. de C.V., Mexico
IN TATAINDICOM-IN TATA TELESERVICES LTD - TATA INDICOM
US ROADRUNNER-WEST - Road Runner HoldCo LLC, USA
US SCRR-12271 - Road Runner HoldCo LLC, United States
GR
MX
HR
GB
KR
ES
ID
CA
EG
US
US
IN
PL
US
JP
BE
KR
PK
IN
KR
MX
KR
COSMOTE-GR Cosmote Mobile, Greece
Mega Cable, S.A. de C.V., Mexico
ISKON INTERNET d.d. telekomunikacije, Croatia
WUK-AS ORANGE HOME UK PLC, UK
DREAMPLUS-AS-KR DreamcityMedia, Republic of Korea
COMUNITEL VODAFONE ESPANA, S.A.U., Spain
Telekomunikasi Selular, Indonesia
TekSavvy Solutions Inc. Toronto, Canada
MOBINIL, Egypt
CLEARWIRE - Clearwire US LLC, USA
SCRR-11427 - Road Runner HoldCo LLC, USA
TATA-DOCOMO-AS-AP D 26/2, India
P4NET P4 Sp. z o.o., Poland
RR-NYSREGION-ASN-01 - Road Runner, USA
ZAQ KANSAI MULTIMEDIA SERVICE COMPANY, Japan
MES MOBISTAR ENTERPRISE SERVICES SA, Belgium
hanvit ginam broadcasting comm., Republic of Korea
, Pakistan
AIRCEL-IN Aircel Ltd., India
CJCKN-AS-KR CJ-CABLENET, Republic of Korea
Cablevisi?n, S.A. de C.V., Mexico
FCABLE-AS Qrix, Inc., Republic of Korea
AS’s > 50 sample points
Nordunet Countries
AS’s
Countries
% who CC
use
DNSSEC
62.74%
37.60%
13.57%
8.55%
5.97%
SE
FI
NO
DK
IS
sample client counts
DNSSEC
Total
820 1307
141 375
267 1968
118 1380
12 201
Sweden
Finland
Norway
Denmark
Iceland
% who ASN
use
DNSSEC
sample client counts
DNSSEC
Total
98.37% 44034
95.00%
8473
90.00% 29518
89.33%
3301
63.99% 39651
54.77% 16086
23.92%
2119
10.14% 12969
6.95%
3292
4.10% 29695
3.45% 197288
2.73% 39554
2.56%
2116
1.64%
3308
1.61%
9158
1.03% 15659
1.01%
6677
0.50% 41164
121
57
63
268
247
109
237
7
47
5
3
3
4
1
2
2
1
1
123
60
70
300
386
199
991
69
676
122
87
110
156
61
124
194
99
202
SE
SE
SE
SE
SE
FI
NO
IS
DK
NO
DK
DK
NO
SE
DK
NO
IS
NO
HI3G Hi3G Access AB, Sweden
BAHNHOF Bahnhof Internet AB, Sweden
BREDBAND2 Bredband2 AB, Sweden
TELIANET-SWEDEN TeliaSonera AB, Sweden
COMHEM-SWEDEN Com Hem Sweden, Sweden
DNA DNA Oy, Finland
TELENOR-NEXTEL Telenor Norge AS, Norway
VODAFONE_ICELAND Fjarskipti ehf, Iceland
TDC TDC Data Networks, Denmark
LYSE-AS Altibox AS, Norway
, Denmark
FULLRATE Fullrate A/S, Denmark
ASN-CATCHCOM Ventelo AS, Norway
TELIANET-DENMARK TeliaNet Denmark, Sweden
TELENOR_DANMARK_AS Telenor A/S, Denmark
NEXTGENTEL NEXTGENTEL Autonomous System, Norway
ICENET-AS1 Siminn hf, Iceland
GET-NO GET Norway, Norway
AS’s > 50 sample points