vcunat
August 20, 2017, 11:08am
2
@n1ete : I can't see what you mean to imply wrt. Turris/Omnia.
milos
September 1, 2017, 10:11am
3
6 Conclusion
This paper presents a longitudinal, end-to-end study of DNSSEC ecosystem—encompassing more than 147M second-level domains and 59K DNS resolvers—to understand the security implications of how DNSSEC is managed. We found that DNSSEC deployment by domain owners is rare but growing, and that nearly one third of all DNSSEC-supporting domains publish records in ways that prevent validation and thus provides no practical security. Further, we found widespread use of weak, shared keys combined with poor rollover hygiene (mostly due to a small number of hosting providers), undermining the protection DNSSEC provides against stolen or factored keys. We used Luminati to measure resolver behavior in 8.8K ASes in 177 countries, and found that while DNSSEC-aware resolvers are common (83%), only 12% of them actually validate responses to provide any practical security benefits. In summary, our study paints a bleak picture of the security provided by the DNSSEC ecosystem, one that has not improved substantially over time. Our findings highlight the need for continuous auditing of DNSSEC deployments and automated processes for correctly and securely managing DNSSEC material.
Shitty deployment, let's hope it gets better. The question is also when the data was collected. It may be quite outdated already although the paper was published just recently in August 2017.