Feb 16 – 17, 2023 Workshop
US/Eastern timezone

Expectation vs Reality - The Impact of DNSSEC Validation on Recursive Resolver Operations

Feb 17, 2023, 10:45 AM
Remote Standard Presentation Main Session OARC 40 - Day 2


Moritz Müller (SIDN)


The security extensions of the DNS (DNSSEC) are the only effective measure to protect the integrity of the naming system of the Internet. More than 17 years after the publication of the current DNSSEC standards, deployment at domain names and recursive resolvers still leaves room for improvement. Some report that only 30% of the Internet's population rely on validating resolvers. The reasons for this low deployment rate at resolvers are unclear, but some operators have raised concerns about operational overhead.
We are the first to study why recursive resolver operators do not enable DNSSEC validation. We carry out a survey among 120 operators, serving more than 200 million clients worldwide. We show that there are two major reasons for not enabling validation: scepticism about DNSSEC, and the fear of high operational overhead. We find that the real operational overhead is significantly lower than the expected overhead. Additionally, we discuss how other concerns raised by operators could be addressed in order to improve deployment of DNSSEC validation.

Primary author

Moritz Müller (SIDN)


Cristian Hesselman (SIDN and University of Twente)

Elmer Lastdrager (SIDN)

