At the recent NZNOG meeting in Nelson, Geoff Huston
from APNIC gave a talk on DNSSEC and had some interesting
statistics about the use of validating resolvers for DNS and
DNSSEC.
For DNSSEC to work there are two parts of the equation that
need to happen:
1) People need to sign their zones.
2) People need to ask the question "is this zone signed?" and
   check the answers they get against those signatures, etc.
I want to talk about 2).
Geoff noted that a number of countries that we might not
expect to be high on the list of those validating the
responses using the DNSSEC technology were way ahead of the
rest of the world. I haven't got the exact numbers here - I
expect his presentation will appear shortly and there's
likely to be a video of it at some stage at
http://www.r2.co.nz/20140130/ - but from
memory the global average is about 7% usage of validating
resolvers.
New Zealand is a dismal <2% and I'd like to challenge
you all to do something about that. And we're way behind the
Australians....
Geoff pointed out that the high rate elsewhere is due to a
large degree to the number of people using Google's Public DNS
servers, and while that looks attractive and an easy way to
improve those numbers, I'd ask you not to go down that path.
You need to do this yourself (or at least as close as possible
to the end user). If you use someone else's resolver then the
validation happens there, not at your end, and the answers
travelling back to you can be intercepted and altered en route
from the validating resolver => man in the middle attack =>
game over.
And of course, handing this data over to a centralised
collection agent makes the work of anyone who wants to snoop
on you much, much easier.
It's not about Google's servers - this applies equally to
public servers run by anyone. DNSSEC validation is not real
validation unless it's performed end to end or at least as
close as possible to that. A number of NZ ISPs provide this
service to their customers with their in house resolvers and
those of you who don't should really be looking at when you
will do this.
Those people who have signed their zones are making
assertions about how they want their DNS data to be
interpreted. They're saying that unless you validate their DNS
data they really don't want you to connect to them. You should
be taking notice of this. But then maybe you just ignore
broken certs on websites etc.
So what should you do?
End user
=======
Ask your ISP/admins to fix this.
ISPs/Enterprise
===============
If you're running a resolver for customers, do the work to
get it validating, please....
Plenty of info out there on how to do this for BIND and
Unbound, and I'm no Windows expert but this looks
straightforward:
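Whichever resolver you run, the thing to confirm afterwards is that the resolver your clients actually point at is doing the validating. The script below is an added example (not from the original post): it classifies `dig +dnssec` output by the AD flag and the SERVFAIL status, and the sample dig output it carries is constructed, not captured from any real resolver; the resolver address 192.0.2.53 in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the resolver
# your clients actually use is validating. A validating resolver sets the
# AD (authenticated data) flag on a correctly signed answer and returns
# SERVFAIL for a badly signed one; a non-validating resolver does neither.
# Typical directives that turn validation on (set them, then re-run the check;
# the Unbound key path varies by distribution):
#   BIND    options { dnssec-validation auto; };
#   Unbound server: auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Read `dig +dnssec` output on stdin and print one word:
#   validating      NOERROR with the AD flag set
#   not-validating  NOERROR without the AD flag
#   servfail        status SERVFAIL (what a validator returns for a broken zone)
#   unknown         no dig header found in the input
dnssec_verdict() {
    awk '
        /^;; ->>HEADER<<-/ {
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)   # drop the label
            sub(/;.*/, "", flags)          # keep only the flag list
        }
        END {
            if (status == "") { print "unknown"; exit }
            if (status == "SERVFAIL") { print "servfail"; exit }
            ad = 0
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
            print (ad ? "validating" : "not-validating")
        }'
}
# Live check: query a signed name through the resolver under test.
# Usage: check_resolver 192.0.2.53 example.com   (192.0.2.53 is a placeholder)
check_resolver() {
    dig +dnssec +time=3 "$2" A "@$1" | dnssec_verdict
}
# Constructed sample dig output (not captured from any real resolver),
# so the classifier can be exercised offline.
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
verdict_for() { printf '%s\n' "$1" | dnssec_verdict; }
```

Run the live check from a client machine against the resolver it is configured to use, not from the resolver host itself, since the point is that the whole path to the validator stays inside your control.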