bloxHub

www.infoblox.com/community

"Survey Says," the 2010 Edition

The results of the 2010 DNS Survey come out this week. I know you've all been waiting with bated breath, so here's a summary of some of what I thought were the most interesting results:

We again examined a random sample of subzones of the Big Three gTLDs, .COM, .NET and .ORG. As in previous surveys, we looked for DNSSEC resource records that would tell us whether these subzones were signed.

The percentage of signed subzones jumped dramatically, by 340%. But as in previous years' surveys, the absolute percentage remains stubbornly low, just 0.022% of our sample. Perhaps this isn't that surprising, given that .ORG is the only gTLD of the three that's signed, and it was only signed this year. The impending signing of .NET (later this week!) and .COM (early next year) will make it more valuable for administrators in these gTLDs to sign their zones.

For the first time, we tried validating data in the signed subzones we found. A hefty proportion failed validation because their signatures had expired, likely an indication that these zones were signed as a sort of science experiment and then abandoned, or evidence that administrative processes have broken down.
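The expiry check behind that validation pass, as an added example that is not the survey's own code: it reads RRSIG records in presentation format, converts the expiration and inception fields to the 32-bit serials used on the wire, and classifies each record with the RFC 1982 serial-number comparison that RFC 4034 requires. The sample records are constructed, with placeholder signature data.

```python
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32   # RRSIG times are 32-bit serial numbers on the wire (RFC 4034 s3.1.5)
SERIAL_HALF = 1 << 31

# Constructed sample RRSIGs in presentation format; the signature data is a
# placeholder, since only the expiration and inception fields matter here.
SAMPLE_RRSIGS = [
    "signed.example. 3600 IN RRSIG SOA 8 2 3600 20101130000000 20101031000000 12345 signed.example. cGxhY2Vob2xkZXI=",
    "stale.example. 3600 IN RRSIG SOA 8 2 3600 20100301000000 20100201000000 12345 stale.example. cGxhY2Vob2xkZXI=",
    "future.example. 3600 IN RRSIG SOA 8 2 3600 20110301000000 20110201000000 12345 future.example. cGxhY2Vob2xkZXI=",
]

def to_serial(field):
    """RRSIG time (YYYYMMDDHHmmSS text, or seconds since the epoch) -> 32-bit wire serial."""
    text = str(field)
    if len(text) == 14:
        dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) % SERIAL_MOD
    return int(text) % SERIAL_MOD

def serial_lt(a, b):
    """RFC 1982 serial-number comparison: True when a is 'before' b, wrap-around included."""
    return a != b and ((a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF))

def signature_status(rrsig_text, now):
    """Return 'valid', 'expired' or 'not yet valid' for one RRSIG, judged at
    'now' (same formats as the record's own time fields)."""
    f = rrsig_text.split()
    # owner ttl class RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % rrsig_text)
    expiration, inception, current = to_serial(f[8]), to_serial(f[9]), to_serial(now)
    if serial_lt(expiration, current):
        return "expired"
    if serial_lt(current, inception):
        return "not yet valid"
    return "valid"

def survey(rrsigs, now):
    """Tally statuses across a sample, as the survey's validation pass did."""
    counts = {"valid": 0, "expired": 0, "not yet valid": 0}
    for record in rrsigs:
        counts[signature_status(record, now)] += 1
    return counts

if __name__ == "__main__":
    print(survey(SAMPLE_RRSIGS, "20101115000000"))  # judged at a constructed survey date
```

A signature is counted as valid only when the validator's time falls inside the inclusive inception-to-expiration window; a zone whose re-signing job has stopped shows up as "expired" here well before anyone notices resolution failing.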

We also looked at how many name servers in a random sample supported TCP-based queries and EDNS0, an extension to DNS that allows transmission of larger UDP-based DNS messages. Both are necessary to support DNSSEC. 81.4% of the name servers we found supported TCP-based queries, but only 73.6% supported EDNS0. Many of the name servers that wouldn't answer our TCP-based queries were probably sitting behind firewalls that wouldn't pass those queries, a situation that could be remedied with a simple firewall rule change. But the name servers that didn't speak EDNS0 would almost certainly require an upgrade.

Overall, I think these results are cause for concern. DNSSEC isn't catching on organically as quickly as we'd like, and many name servers simply aren't capable of supporting it. 2011 will be a pivotal year for DNSSEC: With the root zone signed, as well as .COM, .NET and .ORG, most administrators will have no good excuse for not signing their zones.


Tags:

DNS Survey, DNSSEC, ipv6

Comments

Not all modern firewall vendors (names withheld to protect the guilty) support EDNS0. After a recent evaluation of several firewall vendors, it was disappointing to see how few "Tech Guys" from these companies were even aware of EDNS0. Fewer of the vendors had an "allow EDNS0" standard rule configuration.

