Speaker
Description
The security extensions of the DNS (DNSSEC) are the only effective measure to protect the integrity of the naming system of the Internet. More than 17 years after the publication of the current DNSSEC standards, deployment at domain names and recursive resolvers still leaves room for improvement. Some report that only 30% of the Internet's population rely on validating resolvers. The reasons for this low deployment-rate at resolvers are unclear, but some operators have raised concerns about operational overhead.
We study as the first why recursive resolver operators do not enable DNSSEC validation. We carry out a survey among 120 operators, serving more than 200 million clients worldwide. We show that there are two major reasons for not enabling validation: scepticism about DNSSEC, and the fear of high operational overhead. We find that the real operational overhead is significantly lower than the expected overhead. Additionally, we discuss how other concerns raised by operators could be addressed in order to improve deployment of DNSSEC validation.
