Domain Name System Security Extensions (DNSSEC) 2 May 2014

Plan – Where We Need To Get DNSSEC Validation Happening

For DNSSEC to succeed, we need DNSSEC validation happening within DNS resolvers at many different levels of the Internet ecosystem. Ideally, validation occurs as close as possible to the end user (either a person or a device), so that the attack surface in which an attacker could inject bogus DNS packets is minimized. For instance, if validation occurs within an application on the end device, there is very little an attacker can do to inject bogus DNS packets. If, on the other hand, validation occurs only at a public DNS server somewhere out on the Internet, an attacker can inject packets anywhere on the path between that public DNS server and the end device. The reality is that we would like to see DNSSEC validation happening at many different levels.

This page exists to track the progress of where we are with getting DNSSEC validation happening across the Internet.  It is organized from the farthest point away from the end device down to the closest.  

[At the moment, this page is a work-in-progress as we are still updating it with the current status of information (and feedback is welcome). ]

Public DNS Services

While the attack surface is quite large, it is still useful to have DNSSEC validation occurring in public DNS services available to all across the open Internet.  The list of services known to perform DNSSEC validation by default includes:

Internet Service Providers / Network Operators

Internet Service Providers (ISPs) and other network operators are an excellent location for DNSSEC validation to occur, as the ISP's DNS servers are typically provided to all customers as the "default" DNS resolvers. Attacks are still possible if an attacker can get onto the ISP's network, but the attack surface is significantly smaller than the entire Internet. Major ISPs known to support DNSSEC validation by default include:

  • Comcast (North America)
  • (list of ISPs in Sweden, Czech Republic, Netherlands, Brazil)

If you are an ISP or network operator and want to support DNSSEC validation, please see our page about DNSSEC for network operators.

Local Networks (e.g. Home Networks and Enterprise Networks)

A critical place to perform DNSSEC validation is at the edge of a local network, where the edge device can validate on behalf of a (typically small) home network or a secured corporate network. This reduces the attack surface for hijacking DNS queries to that of the local network alone.

Devices at the local network edge that can host a DNSSEC-validating DNS resolver or DNS proxy include firewalls, appliances and home WiFi "routers". They may be dedicated hardware devices, or software running on standard server hardware.

Some of the devices and software we know of that perform DNSSEC validation include:

Suggestions for enterprises on how to deploy DNSSEC validation can be found on our DNSSEC for enterprise customers page.

Operating Systems

The operating system of a device is one of the best places for DNSSEC validation to occur. The following operating systems are known to have DNSSEC validation enabled by default:

An individual can also configure DNSSEC validation on a single system using tools such as:

There are also guides that explain the steps to enable validation on existing systems:
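Whichever level the resolver sits at (public service, ISP, local network edge, or the operating system's own stub), the practical check is the same: send a query with the EDNS0 DO bit set and CD clear for a name you know to be signed, and look at the AD (Authenticated Data) flag in the reply. The script below is an added example written for this page, not code from the Internet Society or any of the tools listed; it uses only the Python standard library. The resolver address `192.0.2.53` and the name `signed.example` in the comments are placeholders, and the replies it classifies offline are constructed sample headers rather than captured traffic.

```python
"""Check whether a DNS resolver performs DNSSEC validation by inspecting the
AD flag in its replies.  Added example for this page; standard library only."""
import socket
import struct

DO_BIT = 0x8000                 # DNSSEC OK bit, carried in the OPT record's TTL field
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Recursive query (RD=1) with an EDNS0 OPT record carrying DO=1.
    CD is deliberately left clear: with CD=1 a validator would hand back
    unvalidated data and the AD flag would tell us nothing."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)       # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_BIT, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields that matter here."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify_response(resp: bytes, txid: int) -> str:
    """Interpret a reply to a DO=1 query for a name known to be signed.
    'validated'   AD set: the resolver built and verified the chain of trust
    'unvalidated' NOERROR without AD: the resolver does not validate (or the zone is unsigned)
    'servfail'    what a validating resolver returns when validation fails (or on other errors)
    'mismatch'    reply does not belong to our query (wrong ID or not a response)"""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "mismatch"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if h["rcode"] == RCODE_NOERROR and h["ad"]:
        return "validated"
    return "unvalidated"


def build_sample_response(txid: int, ad: bool, rcode: int = RCODE_NOERROR) -> bytes:
    """Constructed sample: a header-only reply used for offline demonstration."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    ancount = 1 if rcode == RCODE_NOERROR else 0
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 1)


def probe_resolver(resolver_ip: str, name: str, txid: int = 0x1234, timeout: float = 3.0) -> str:
    """Send the query over UDP to a real resolver (needs network; not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        resp, _ = s.recvfrom(4096)
    return classify_response(resp, txid)


if __name__ == "__main__":
    # Offline run on constructed replies.  For a live check, call e.g.
    # probe_resolver("192.0.2.53", "signed.example") with your resolver's address
    # (placeholder) and a name you know to be DNSSEC-signed (placeholder).
    tid = 0x1234
    print(classify_response(build_sample_response(tid, True), tid))
    print(classify_response(build_sample_response(tid, False), tid))
    print(classify_response(build_sample_response(tid, False, RCODE_SERVFAIL), tid))
```

Two caveats when reading the result: AD is only meaningful if the queried name's zone is actually signed, so test with a name you know to be signed; and a resolver that validates will answer SERVFAIL for deliberately broken signatures, so "servfail" on a known-good name points at a resolver or path problem rather than at DNSSEC itself. An OS stub that simply forwards to an upstream validator will also show AD=1, which is why the page distinguishes where in the path validation actually happens.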

Applications

Ideally, applications themselves perform DNSSEC validation.

(include a list of applications known to include DNSSEC validation)

Resources available to developers include:

  • List of developer libraries supporting DNSSEC
  • getDNS API

More information can be found on the DNSSEC for developers page.
