What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is a protocol that adds an extra layer of security to the Domain Name System (DNS) by digitally signing DNS data. Those signatures let a resolver detect when DNS data has been modified in transit, reducing the risk of attacks such as DNS cache poisoning.
There are two sides to DNSSEC: signing and validating. On the one side, DNS operators sign domain names cryptographically. On the other side, when you do anything online that uses domain names, the DNS resolver you use, often at your Internet Service Provider (ISP), performs DNSSEC validation to check whether DNSSEC signatures are correct.
For DNSSEC to provide its extra layer of security globally, we need both: domain names to be signed, and local DNS resolvers to be checking for those DNSSEC signatures.
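As an added example (not code from the original post), here is a small shell helper that checks the validation side: it queries a resolver with the DO bit set (`+dnssec`) and reports whether the answer came back with the AD (Authenticated Data) flag, which a validating resolver sets only after it has checked the signatures. It assumes `dig` is installed, and the resolver address and queried name are placeholders you substitute.

```shell
#!/bin/sh
# Added example: tell whether a resolver performs DNSSEC validation by
# looking for the AD flag in dig's header line. Assumes dig (BIND tools).

# Read dig output on stdin, print one of: validated / not-validated / error.
# Returns 0 only when the AD flag is present.
classify_dig_output() {
    # dig prints: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    [ -n "$flags" ] || { echo "error"; return 2; }
    case " $flags " in
        *" ad "*) echo "validated";     return 0 ;;
        *)        echo "not-validated"; return 1 ;;
    esac
}

# Ask RESOLVER for NAME with +dnssec so that validation is requested.
# Use a name you know is DNSSEC-signed: an unsigned zone never gets AD,
# so "not-validated" on an unsigned name says nothing about the resolver.
check_resolver() {
    resolver="$1"   # placeholder, e.g. your ISP's resolver address
    name="$2"       # placeholder, a signed domain name
    dig +dnssec +noall +comments "@$resolver" "$name" A | classify_dig_output
}

# Usage (replace the placeholders):
#   check_resolver RESOLVER_IP SIGNED_DOMAIN
```

A "validated" result means the resolver you use is on the validating side of the chart discussed below; repeating the check against several resolvers is how a network operator confirms its own rollout.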
For this post, I’m only going to focus on the validation side. If you look at our Pulse page on enabling technologies, you can see toward the bottom of the page a chart (Figure 1) that shows signing and validation metrics together.
I want to dig into the green line on the bottom that represents validation and shows around 30% of all queries currently being validated. To do this, I will dive into DNSSEC validation data provided by APNIC Labs, one of our Pulse data partners.
Looking at their chart for global DNSSEC validation (Figure 2), we can see current validation levels are around 30%.
If you scroll down the page you can see the validation in regions around the world (click on a column heading to sort by that column). By clicking on those regions you can dive down into seeing how much validation is happening in a specific country and specific networks.
The regional table on that page has the columns Region, DNSSEC Validates, Samples, Weight, and Weighted Samples.
What’s Behind the Amazing Growth In Africa?
Of all the regions, the greatest growth in DNSSEC validation can be seen in Africa, growing from a low of 17% at the start of 2022 up to 31% at the start of 2023 (Figure 3).
APNIC Labs provides a map that very nicely shows with the bright green where the highest percentage of validation is occurring.
Looking at some specific charts, you can see in Guinea a huge jump from around 5 to 7% validation at the beginning of 2022 to over 70% in early 2023.
Looking at the individual operators, you can see that several of the operators have had DNSSEC validation enabled since at least 2021, but the big change was when Orange (AS37461) started validating in September 2022 (Figure 6).
Morocco provides another interesting case study of what happens when large ISPs enable DNSSEC validation. As you can see in the overall Morocco chart (Figure 7), there was a huge jump in early 2021 from around 5% validation up to around 60%. And then in mid-2022, there was another big step up to around 80% validation.
Digging into the specific networks, you can see that Maroc Telecom (AS36903) started doing validation in early 2021, corresponding to the first large step in the chart (Figure 8).
The second step can be seen when ASMedi (AS36925) enabled DNSSEC validation in mid-2022 (Figure 9).
Interestingly, APNIC Labs’ data shows that ASMedi had previously been validating DNSSEC back in 2014-2016, then stopped validating for six years, for whatever reason, until they turned it back on in 2022!
Lesotho also saw a similar step growth pattern to finish the year with over 95% validation, with Telecom-Lesotho validating more than 90% since 2021, and Vodacom-Lesotho joining in at the end of 2022.
In my next post, I will highlight the mixed changes we’ve seen in DNSSEC validation over the past year in North and South America.