Bachelor Thesis: Analysis of DNSSEC Adoption at Internet Scale
November 28, 2024
Following is my thesis for Bachelor of Science in Software Engineering at CODE University of Applied Sciences in Berlin.
Abstract
DNSSEC is a security extension to the Domain Name System (DNS) and serves as a mechanism for ensuring the integrity of records using a cryptographic approach. Since its standardization in 2005, however, adoption has been lackluster.
This thesis presents a survey of 171 million domain names across all TLDs and their DNSSEC adoption, as determined by querying Cloudflare’s recursive resolver. Additional metadata, such as registrar and nameserver, was also collected. Domain names were primarily sourced from scraping public certificate transparency logs.
Across the entire dataset, the adoption rate of DNSSEC is 5.93%. Survey results are further segmented by TLD, registrar, nameserver, and others. The largest registrar, GoDaddy, sees only a 0.29% adoption rate, while 28.12% of domains registered with Squarespace, formerly known as Google Domains, have adopted the standard. Even the 100 most important domains, as defined by Cloudflare Radar, show a below-average adoption rate of 5%.
The generally low adoption rate can be attributed to a lack of incentives for domain owners and registrars, combined with an unintuitive adoption path. In addition, DNSSEC is considered a risk to availability by some.
Keywords: Domain Name System, DNS Security, DNSSEC Survey, Certificate Transparency, Internet Security
Dataset
The full dataset is available for download under a CC BY 4.0 license. The source code for scraping the CT logs as well as for surveying the domains is also publicly available.
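The abstract says adoption was determined by querying Cloudflare's recursive resolver but does not say which signal was used. The following is an added example, not the thesis's survey code: it assumes the signal is the AD (Authenticated Data) flag a validating resolver sets on a response when the query carried the EDNS0 DO bit. The domain names and response bytes are constructed samples.

```python
import struct

AD_FLAG = 0x0020  # Authenticated Data bit in the header flags (RFC 4035)
DO_FLAG = 0x8000  # DNSSEC OK bit in the EDNS0 OPT flags (RFC 3225)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Recursive query carrying an OPT record with DO set, so the resolver
    reports its validation result."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root name, type 41, class = UDP payload size, TTL holds the flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_FLAG, 0)
    return header + question + opt

def classify(response):
    """Map a resolver response to 'validated', 'insecure' or 'failed'."""
    if len(response) < 12:
        return "failed"
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000 or flags & 0x000F:  # not a response, or RCODE != 0
        return "failed"  # SERVFAIL is also what a validation failure looks like
    return "validated" if flags & AD_FLAG else "insecure"

def with_flags(message, flags):
    """Helper for the constructed samples: replace the header flags word."""
    return message[:2] + struct.pack("!H", flags) + message[4:]

# Constructed sample responses (header flags only; no real resolver output)
QUERY = build_query("example.com")
SAMPLES = {
    "signed.example": with_flags(QUERY, 0x81A0),    # QR RD RA AD, NOERROR
    "unsigned.example": with_flags(QUERY, 0x8180),  # QR RD RA, NOERROR
    "broken.example": with_flags(QUERY, 0x8182),    # QR RD RA, SERVFAIL
}

if __name__ == "__main__":
    for domain, message in SAMPLES.items():
        print(domain, classify(message))
```

A "failed" result needs a follow-up before it is counted either way, since a SERVFAIL can mean a broken DNSSEC chain or an ordinary resolution error.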