"Our investigation reveals pervasive mismanagement of the DNSSEC infrastructure"

n1ete · August 19, 2017, 10:27pm

…sounds not that good

vcunat · August 20, 2017, 11:08am

@n1ete: I can’t see what you mean to imply wrt. Turris/Omnia.

milos · September 1, 2017, 10:11am

Taejoong Chung:

6 Conclusion
This paper presents a longitudinal, end-to-end study of DNSSEC ecosystem—encompassing more than 147M second-level domains and 59K DNS resolvers—to understand the security implications of how DNSSEC is managed. We found that DNSSEC deployment by domain owners is rare but growing, and that nearly one third of all DNSSEC-supporting domains publish records in ways that prevent validation and thus provides no practical security. Further, we found widespread use of weak, shared keys combined with poor rollover hygiene (mostly due to a small number of hosting providers), undermining the protection DNSSEC provides against stolen or factored keys. We used Luminati to measure resolver behavior in 8.8K ASes in 177 countries, and found that while DNSSEC-aware resolvers are common (83%), only 12% of them actually validate responses to provide any practical security benefits. In summary, our study paints a bleak picture of the security provided by the DNSSEC ecosystem, one that has not improved substantially over time. Our findings highlight the need for continuous auditing of DNSSEC deployments and automated processes for correctly and securely managing DNSSEC material.

Shitty deployment, let’s hope it gets better. The question is also when the data was collected. It may be quite outdated already although the paper was published just recently in August 2017.