## page was copied from DnsTemplate ##master-page:HelpTemplate <> <> https://blog.apnic.net/2021/11/26/adoption-of-dns-security-mechanisms-related-to-ease-of-use-cost/ == history == Adoption of DNS security mechanisms related to ease-of-use, cost By Masanori Yajima on 26 Nov 2021 Category: Tech matters Tags: DANE, DNS, DNSSEC, Guest Post, measurement, security As a fundamental Internet infrastructure, the Domain Name System (DNS) is continually under attack. While various DNS security mechanisms have been proposed, standardized, and implemented, little is known about how prevalent they are in the current DNS ecosystem. To answer this, we at Waseda University have conducted a large-scale survey into the adoption of various DNS security mechanisms — DNSSEC, DNS Cookies, CAA, SPF, DMARC, MTA-STS, DANE, and TLSRPT — and in doing so identified what effects adoption rates. In this blog post, I will report the results of our survey and discuss practical ways to ensure the widespread use of security mechanisms in the future. == Key points: == {{{ ​​Easy-to-deploy DNS security mechanisms and those that are not expensive to set up are more widely adopted. Root servers, and top-level domains are leading adopters of DNSSEC and DNS Cookies. Top 10 websites are leading adopters of SPF and DMARC. We encourage domain name administrators to check the state-of-the-art DNS security mechanisms and the tools/services that will ease the configuration burden. }}} == Scope of survey == In this survey, we used root servers, top-level domains (TLDs), and domain names used by well-known websites. We targeted IPv4 addresses of all 13 root servers, 13 legacy gTLDs and 254 ccTLDs, and the top 10K domain names published by Tranco. Each IP address collected was tested on a domain name basis. In cases where we observed at least one IP address that operates a security mechanism, we assumed that the entire domain name space has adopted that security mechanism. Table 1 shows the DNS resource records and signatures required when setting up the security mechanism. We checked if the target domain name had the target resource records and signatures. {{{ Configure Target domain name RR Signature DNSSEC Server RRSIG n/a DNS Cookies Server n/a n/a n/a CAA Server CAA n/a SPF Server TXT v=spf1… DMARC Receiver _dmarc. TXT v=DMARC1… MTA-STS Receiver _mta-sts. TXT v=STSv1… DANE Receiver _25.tcp. TLSA n/a TLSRPT Receiver _smtp._tls. TXT v=TLSRPTv1… Table 1 — DNS resource records and signatures required when setting up the security mechanism. }}} Easy-to-deploy security mechanisms are more widely adopted Table 2 shows the percentage of DNS servers that have adopted each security mechanism. The key takeaways are: DNSSEC and DNS Cookies have a high adoption rate in the DNS core, such as Root and TLDs.The adoption rate for domain names used by well-known websites is low. The adoption rate of SPF and DMARC is higher than that of other security mechanisms. The adoption rate of DANE is less than 1% for all data sets. DNS Security Adoption 2021 {{{ DNS Servers DNSSEC (%) DNS Cookie (%) CAA (%) MX (%) SPF (%) DMARC (%) MTA-STS (%) DANE (%) TLSRPT (%) Root 100.00 100.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 ccTLD 56.69 81.10 0.00 6.30 0.00 0.00 0.00 0.00 0.00 gTLD 100.00 45.45 0.00 0.00 0.00 0.00 0.00 0.00 0.00 Top 10 0.00 20.00 30.00 30.00 100.00 88.89 33.33 0.00 33.33 Top 100 4.00 21.00 48.00 48.00 96.51 84.88 5.81 0.00 5.81 Top 1K 9.20 13.80 22.70 22.70 92.85 74.01 1.48 0.57 1.82 Top 5K 8.60 18.58 14.90 14.90 89.86 58.49 0.75 0.84 0.98 Top 10K 7.67 17.40 12.98 12.98 88.66 54.09 0.51 0.84 0.74 Table 2 — The percentage of DNS servers that have adopted each security mechanism. }}} Overall, we can infer from these results that an easy-to-deploy security mechanism has a high adoption rate. Setup cost is also key to adoption of security mechanisms Next, we examined the relationship between setup difficulty and the percentage of security mechanisms adopted. Table 3 shows how we defined our evaluation indicators, with 1 being easy to set up and 3 being difficult. The more types of servers we need to set up, the more scores we add. Third-party intermediaries represent something that cannot be completed by a single DNS resource record or server configuration, for example, the coordination of parent-child zones in DNSSEC. It needs to be validated by multiple organizations, hence the score of 3. {{{ Number Description Point 1 DNS resource records need to be configured. 1 2 DNS server configuration needs to be changed. 2 3 Mail server configuration needs to be changed. 2 4 Web server configuration needs to be changed. 2 5 A third-party intermediary is required. 3 Table 3 — Ease of set up score for DNS configurations (1 being easy to set up and 3 being difficult). }}} Finally, we defined the setup difficulty level of each security mechanism (Table 4). Setup difficulty DNS Security Mechanisms {{{ Mechanisms Indicator Number Difficulty Level 1 2 3 4 5 SPF 1 1 DNS Cookies 2 2 DMARC 1 2 3 CAA 1 2 3 MTA-STS 1 2 2 5 TLSRPT 1 2 2 5 DNSSEC 1 2 3 6 DANE 1 2 3 6 Table 4 — Setup difficulty level for each DNS security mechanism. }}} Figure 1 shows a scatterplot of the setup difficulty and the adoption rate, with a logarithmic axis owing to the significant difference between SPF and other security mechanisms. Logically, the lower the setup difficulty, the higher the adoption rate. This observation suggests that the key to increasing security mechanisms’ adoption rate is lowering the setup cost. Scatterplot of the setup difficulty and adoption rate of DNS security mechanisms. Figure 1 — Scatterplot of the setup difficulty and adoption rate of DNS security mechanisms. HTTPS’s rapid adoption in recent years lends itself to this theory, particularly the establishment of Let’s Encrypt, which has made it free and easy for anyone to generate/install TLS certificates. Simultaneously, web browsers changed to show a negative security indicator for websites that do not deploy HTTPS. These facts would have motivated web server administrators to actively adopt HTTPS. Contrary to this DNSSEC has been noted as difficult to operate flawlessly, even for large and well-known companies, with communication failures from DNSSEC mismanagement still occurring regularly. As more services like AWS’s Route 53 support DNSSEC, it will become easier for ordinary domain name administrators to use DNSSEC in the future. If these security mechanisms are made readily available to ordinary domain name administrators, the DNS security mechanisms’ adoption rate will increase. DNS security is worth the effort We recommend that domain name administrators should regularly review security mechanisms’ settings to make sure they are correctly configured for DNS servers, web/mail servers, and TLS libraries they manage and take note of any changes and operational software emergence. You can read more about our study in our upcoming paper ‘Measuring Adoption of DNS Security Mechanisms with Cross-Sectional Approach’, which we will be presenting at the IEEE Global Communications Conference: Communication & Information Systems Security (Globecom 2021 CISS). Masanori Yajima is a graduate student at Waseda University, Tokyo, Japan. He is interested in the security of the DNS ecosystem and Internet measurement. Rate this article Rate this (4 Votes) The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog. Related Articles Testing transition mechanisms in IPv6-only networksTesting transition mechanisms in IPv6-only networks by Timothy Winters August 11, 2020 Guest Post: Knowing the potential roadblocks associated with IPv6 transition mechanisms helps network operators avoid them. When to use and not use BBRWhen to use and not use BBR by Yi Cao January 10, 2020 Guest Post: The difference between the bottleneck buffer size and bandwidth-delay product typically dictates when BBR performs well, study finds. Which RPKI-related RFCs should you read?Which RPKI-related RFCs should you read? by Alfred Arouna March 15, 2021 Guest Post: This new tool helps you find and access RPKI information, easily and orderly. Increasing security protocol adoption – your views neededIncreasing security protocol adoption – your views needed by Marten Porte August 6, 2019 Guest Post: Take this survey to help an IGF pilot project team understand challenges in adoption of security standards and protocols. }}} ---- CategoryDns CategoryWatch CategoryTemplate