Donate
The State of Routing Security at DNS Registries Thumbnail
‹ Back
Mutually Agreed Norms for Routing Security (MANRS) 25 August 2020

The State of Routing Security at DNS Registries

The Domain Name System (DNS) is an important component of the Internet, but it was not designed with security in mind. In the last 20 years or so, much attention has been directed at improving its inherently insecure aspects.

This includes the deployment of DNS Security Extensions (DNSSEC) that enables cryptographic validation of DNS records, and more recently DNS-over-TLS and DNS-over-HTTPS, which encrypts DNS transactions between hosts and resolvers.

The DNS, though, is also dependent on the global routing system for sending DNS queries from resolvers to servers, and then returning the responses. The integrity of the routing system is, therefore, extremely important for ensuring DNS transactions are delivered efficiently to the correct destination. Yet, at present, few DNS registries are implementing Routing Public Key Infrastructure (RPKI), a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol (BGP).

A survey of 4,138 zones – that included 1,201 generic top-level domains (gTLDs), 308 country code top-level domains (ccTLDs), 271 reverse map zones, and 1,780 sub-ccTLD zones – showed a total of 6,910 route origins for the name servers that are serving these zones.

Yet, just 22% of these had valid Route Origin Authorisations (ROA), a digitally signed object that verifies an IP address block holder has authorized an AS (Autonomous System) to originate routes to that one or more prefixes within the address block.

Whilst the figures for the reverse map zones (53%) and ccTLD zones (34%) give evidence of deployment, they are significantly lower for the gTLD zones (11%). In fact, around 40% of TLDs have no ROA deployment at all, with 20% only having partial deployment.

These findings are discussed in more depth in “A Look at Route Origin Authorizations Deployment at DNS Registries” on the MANRS website. It is important to highlight an aspect of DNS security that has been somewhat overlooked.

If you’re interested in finding out more about why important routing security is so important, please also read our five-part Introduction to Routing Security.

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more
Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more
Improving Technical Security12 April 2018

Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more

There was an important development this month with the launch of Cloudflare's new 1.1.1.1 DNS resolver service. This is a significant...

Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more
Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more
Deploy36012 April 2018

Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more

There was an important development this month with the launch of Cloudflare's new 1.1.1.1 DNS resolver service. This is a significant...

Rough Guide to IETF 102
Rough Guide to IETF 102
IETF9 July 2018

Rough Guide to IETF 102

Starting next weekend, the Internet Engineering Task Force will be in Montreal for IETF 102, where over 1,000 engineers will discuss...

Join the conversation with Internet Society members around the world