DNSSEC Validation in 2022: Canadian ISPs Need To Take DNS Security Seriously

Dan York
Director, Internet Technology, Internet Society
March 23, 2023

In my first post in this series, I highlighted the amazing growth of DNSSEC validation in countries within Africa.

In this post, I’ll jump across the Atlantic Ocean to highlight the mixed changes we’ve seen in DNSSEC validation over the past year in North and South America.

South and Central America Rise

Growth continues in South America, with Guyana, Venezuela, and Argentina all making significant gains in 2022.

DNSSEC validation in Caribbean networks grew from 20% to 25%, while Central American networks grew a couple of percentage points.

Figure 1 — Use of DNSSEC validation for Central America (2014-2023). Source: APNIC Labs.

Haiti (.ht) also recently joined the 148 countries that have DNSSEC-enabled country-code Top Level Domains (ccTLD). Signing the domain and installing security keys in the root zone of the DNS is an important first step to more widespread DNSSEC deployment.

Observe the steady increase in ccTLD DNSSEC adoption and the adoption of DNSSEC validation via our Pulse Enabling Technologies page.

North America Falls

In North America, we saw a decline in DNSSEC validation from nearly 40% at the start of 2022 to around 32% by year-end.

Figure 2 — Use of DNSSEC validation for Northern America (2014-2023). Source: APNIC Labs.

Some of this decrease can be attributed to a 5% decrease (from 40% to 35%) in the USA.

The USA is an example of a country where DNSSEC validation is happening largely because of one very large ISP — Comcast. If you look at the table showing the top 20 networks from which APNIC Labs receives samples, Comcast is the only network doing significant DNSSEC validation until you get down to number 16 in the list.

Given that Comcast is the largest ISP in the USA, this is largely what gives the USA its 35% overall validation rate. At this time the other large mobile providers (AT&T, T-Mobile, Verizon) are not validating, nor are other large cable providers such as Charter, Cox, and Time Warner.

Figure 3 — Top 20 networks in the USA based on the number of samples APNIC Labs receives. Source: APNIC Labs.

The drop for North America, though, is mainly attributed to Canada, where DNSSEC validation declined almost 50% — the blue line in Figure 4 tells the story.

Figure 4 — Use of DNSSEC validation for Canada (2014-2023). Source: APNIC Labs.

There were small declines in several ISPs, such as Xplornet dropping from 30% to 10% validation. But the largest drop was from Cogeco Communications, which had been validating around 95 to 98% of all queries since 2018. Then, in December 2022, they seem to have just turned it off! 🤷 Note, they aren’t responsible for the entire decline. As you can see in Figure 5, theirs was a sudden drop (blue and yellow lines) while country totals (green and purple lines) were declining over the whole year. Hopefully, Cogeco Communications will turn DNSSEC validation back on soon.

Figure 5 — AS11290’s use of DNSSEC validation (2014-2023). Source: APNIC Labs.

Canada’s challenge is that its largest ISPs are not validating DNSSEC. You have to go down to #9 on the list (Figure 6), where SaskTel has been doing an awesome job validating DNSSEC since 2020. But unlike the USA, where Comcast is leading the industry, none of Canada’s largest ISPs seem to be taking DNS security seriously.

Figure 6 — Top 20 networks in the USA based on the number of samples APNIC Labs receives. Source: APNIC Labs.

As an aside, given all our work with low Earth orbit (LEO) satellites last year, I was pleased to see SpaceX’s Starlink network in Canada coming in with close to 99% validation.

All in all, though, the story of North America is that the USA and Canada need to get more of their larger ISPs to start validating DNSSEC.

What About Europe and Asia?

At a high level, Europe ended 2022 slightly above where it began thanks to some positive movement in Italy and Russia but declines in France and the UK.

Similarly, Asia recorded a slightly higher average over 2022, although there’s been an increase in early 2023 with Bangladesh making a solid step, and Iran making a huge jump.

I’ll explore the details of these in my next post.