Over the last year-plus we have been working on a new book focussing on network security. Most recently we have been looking into the security of the Internet's infrastructure, including the domain name system (DNS). Even though attacks on DNS have been known since the 1990s, efforts to secure it have been limited in their adoption. For this week's newsletter, we enabled DNSSEC (DNS security extensions) on our domain and it was remarkably painless. Yet DNSSEC adoption remains sluggish, for reasons that are explored in the newsletter.

https://systemsapproach.org/2025/07/14/does-dns-security-matter/

🧵
1/n

Does DNS Security Matter? - Systems Approach

DNSSEC assures a client that it is talking to the IP address corresponding to the domain name that it requested

Systems Approach

For a start, how bad is it? Well, DNSSEC was first documented in RFC 2065 in 1997, so we've had 28 years of deployment, and we're at about 34% according to the Internet Society: https://pulse.internetsociety.org/en/technologies/

By comparison, HTTPS, in the same time period, has been deployed at 96% of the most popular 1000 sites on the Web.

2/n

Enabling Technologies — Internet Society Pulse

New technologies are essential to enable the Internet to keep growing, evolving and meeting the changing expectations of users. Enabling technologies contribute to improved Internet scalability, security, trust and availability. Internet Society Pulse curates information about levels of IPv6 adoption in countries and networks around the world, progress being made towards an encrypted web, indicators of DNSSEC adoption by the registries for country-code domain names, and data on worldwide adoption of TLS1.3 and HTTP/3.

Internet Society Pulse

For a couple of deep dives into what has gone wrong, we recommend:

"Calling time on DNSSEC?" by Geoff Huston
https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/
and
"Where did DNSSEC go wrong?" by Edward Lewis
https://blog.apnic.net/2024/07/05/where-did-dnssec-go-wrong/

3/n

Calling time on DNSSEC? | APNIC Blog

Should we drop DNSSEC and just move on?

APNIC Blog

A couple of problems stand out. One is a lack of user visibility: DNSSEC provides no equivalent to the comforting little padlock that your browser offers when using HTTPS. Instead, you need to go run some sort of diagnostic tool that is frankly for Internet geeks only. We rather like DNSviz: https://github.com/dnsviz/dnsviz

You can see the chain of trust established from the root zone down via .org to our systemsapproach.org zone in this image.

4/n

Another issue is that DNSSEC requires the chain of trust to follow the zone hierarchy. No problem for us but it is a deal-breaker if anyone in the hierarchy above the zone you want to protect doesn't support DNSSEC. This is the case for about 30% of country-level domains at present.

5/n
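As an added example (not code from the newsletter or the Systems Approach book), here is a small Python model of the chain-of-trust rule described in the last two posts: it computes DS records from DNSKEY RDATA the way RFC 4034/4509 specify and walks a constructed zone hierarchy from the root through .org to systemsapproach.org, reporting where validation stops when an ancestor publishes no DS for its child. The keys, the zone data and the unsigned ccTLD "xx." are all constructed assumptions for the illustration, not live DNS data.

```python
import hashlib
import struct
# Constructed example: keys are hashes of strings, not real DNSKEY material; zones are a toy hierarchy.

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags (257 = KSK), protocol 3, algorithm, public key bytes."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey
def key_tag(rdata):
    """Key tag, RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF
def name_wire(name):
    """Owner name in canonical wire form, e.g. 'org.' -> b'\\x03org\\x00'."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
def ds_record(owner, rdata):
    """DS RDATA (key tag, algorithm, digest type 2, SHA-256 of owner name + DNSKEY RDATA)."""
    digest = hashlib.sha256(name_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def validate_chain(zones, target, trust_anchor):
    """Walk root -> ... -> target, checking each parent's DS against the child's KSK.
    Returns (status, zone): 'secure'; 'insecure' when an ancestor has no DS for its child
    (nothing below can then be validated, however well it is signed); 'bogus' on mismatch."""
    labels = [l for l in target.rstrip(".").split(".") if l]
    chain = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    if ds_record(".", zones["."]["ksk"]) != trust_anchor:
        return "bogus", "."
    for parent, child in zip(chain, chain[1:]):
        ds = zones[parent].get("ds", {}).get(child)
        if ds is None:
            return "insecure", child
        ksk = zones.get(child, {}).get("ksk")
        if ksk is None or ds_record(child, ksk) != ds:
            return "bogus", child
    return "secure", target

def sample_zones():
    """Toy hierarchy: root and org. signed, org. holds a DS for systemsapproach.org.; xx. is an unsigned ccTLD."""
    def ksk(n): return dnskey_rdata(257, 13, hashlib.sha256(n.encode()).digest())
    root, org, sa, ex = (ksk(n) for n in (".", "org.", "systemsapproach.org.", "example.xx."))
    zones = {
        ".": {"ksk": root, "ds": {"org.": ds_record("org.", org)}},      # no DS for xx.
        "org.": {"ksk": org, "ds": {"systemsapproach.org.": ds_record("systemsapproach.org.", sa)}},
        "systemsapproach.org.": {"ksk": sa},
        "xx.": {},                    # unsigned: no DNSKEY, and the root has no DS for it
        "example.xx.": {"ksk": ex},   # signed, but the chain above it is broken
    }
    return zones, ds_record(".", root)  # trust anchor = DS of the root KSK
```

Running `validate_chain` on "example.xx." returns `("insecure", "xx.")`: the child's own signatures are never consulted because the delegation from the root is unsigned, which is exactly the deal-breaker the post describes.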

There are other approaches to securing DNS, such as running DNS over HTTPS (DoH) and a variant of DoH that protects client privacy, called Oblivious DNS. These solve some DNS security issues, but not the one where your resolver's cache has been poisoned.

Giving false answers to DNS queries remains a problem, especially in countries that want to limit their citizens' access to certain content. (We assume this will soon include countries that want to limit access to the global version of TikTok?) And so, while DNSSEC struggles to make progress, we're not ready to give up on DNS security yet.

More details in the newsletter:
https://systemsapproach.org/2025/07/14/does-dns-security-matter/

/FIN

P.S. If you want to review the current draft of the security book, we have now made it available and will happily take feedback:
https://github.com/SystemsApproach/security
GitHub - SystemsApproach/security: Network Security Micro-book

Network Security Micro-book. Contribute to SystemsApproach/security development by creating an account on GitHub.

GitHub

@SystemsAppr Good stuff!

I started taking a brief look at it. My main interest and area of expertise is in the infrastructure security chapter, which is very light. This topic could probably be a much larger book unto itself. Hmm... :-)

For example, I might want to talk about control plane and peering session protections (e.g., GTSM, prefix filtering) as well as RTBH.

The DNS portion is similarly light. I would have mentioned something about open resolvers and registry protections for example.

Also note, while Geoff, Ed, and other critics of DNSSEC aren't wrong, we are finding in research that DNSSEC is probably performing much better than people realize. Measuring deployment is nuanced. It is pretty good in some parts. Where it is abysmal is in the signing of popular names.

I'm guessing you do not want such general and wide-ranging critiques, so I won't create GitHub issues for these. We can talk offline about them if you like. I'll read the details more closely and suggest reasonable changes to what is there.

@jtk Thanks - would be happy to continue this over email. Is your research on deployment published?

@SystemsAppr Research and paper in progress. Imperfect, and preliminary update last presented at #NANOG93

* https://youtube.com/watch?v=t-AUsaOPbJw
* https://dataplane.org/jtk/talks/nanog93-dnssec-outages.pdf

Will follow up in email.

Security Track: DNSSEC-related Outages

YouTube