Domain Name System Security Extensions Deployment

04 October 2011

The Domain Name System (DNS) is an essential part of Internet technology. DNS translates a human-readable domain name into a numeric Internet Protocol address, e.g. www.example.com -> 192.0.43.10; this process is known as a name resolution query.

The global DNS system is a distributed database managed in part by national registries. The UK's national domain registry is Nominet, which oversees the co.uk, me.uk, org.uk, net.uk, plc.uk and ltd.uk zones.

The DNS protocol in wide use today was designed during the early days of the Internet (when the Internet was limited to a number of research and academic networks); DNS is an open, unauthenticated protocol. The widely used implementation of the DNS protocol is susceptible to malicious tampering with DNS name query responses for nefarious ends, e.g. crime or hacking, by redirecting users to malicious web sites or other Internet services.

DNS Security Extensions (DNSSEC) was developed to provide digital authentication/assurance of the validity of DNS name query responses, thus allowing a fraudulent DNS name query response to be identified.

Ofcom commissioned a study into the UK deployment of DNSSEC. The study examined the following topics:

  1. Provide a comparison of the UK's progress and extent of deployment of DNSSEC against other EU member states and G20 nations.
  2. Examine Nominet's progress against that of other national registries in the deployment of DNSSEC.
  3. Establish if any barriers to DNSSEC deployment exist (e.g. technical or economic).
  4. Identify barriers or issues preventing adoption and deployment by UK hosting providers, Internet Service Providers and businesses.

Summary of findings:

  • The UK is the second largest of the signed zones ready for production and is one of only seven of the G20 ccTLDs to have a production-ready, signed zone.
  • Nominet has been a leader in supporting the specification and deployment of DNSSEC. The registry has made investments in staff and other resources to aid in the general deployment of DNSSEC.
  • The crucial barrier to DNSSEC deployment in the UK is an economic and commercial one: lack of concrete demand in commercial settings. The UK is now in a position to see if a small set of early adopters will lead to the critical mass necessary for ISPs, hosting companies and registrars to begin offering DNSSEC-related services and products.
  • The biggest barrier to DNSSEC deployment is the inability to quantify the benefit gained by its deployment. In interviews, ISPs and other hosting companies all say that there is no customer demand for DNSSEC. While they understand the benefit of authenticating DNS queries, they have no economic justification for its development or deployment. With the signing of the second-level domain for .UK, one of the biggest barriers to deployment has been removed.

Full Report

Domain Name System Security Extensions Deployment PDF, 1.6 MB