Measuring the Deployment of DNSSEC Bootstrapping Using Authenticated Signals

Authors: Q Misell, Florian Steurer, Johannes Zirngibl, Anja Feldmann, Tobias Fiebig

Published in ACM, 2025

Abstract:
The DNS, the Internet’s address book, traditionally does not guarantee authenticity of data. The DNS Security Extensions (DNSSEC) exist to add cryptographic authenticity checks to the DNS. In spite of DNSSEC being over 30 years old, its widespread deployment has not yet come to fruition. Current work in the IETF tries to automate the setup of DNSSEC, in the hopes of furthering its deployment. In this paper, we analyze the current state of DNSSEC, where automated deployment may prove useful, and how DNS operators are deploying this new standard. We find that DNSSEC deployment remains lackluster. An increase in DNSSEC deployment could be achieved by the implementation of - optionally non-authenticated (RFC 8078) - automatic DNSSEC configuration by domain name registries and registrars. Only 3 DNS operators implement authenticated bootstrapping, but those that do generally implement this new standard well, with 99.9 % of their zones conforming.

Recommended citation: Q Misell, Florian Steurer, Johannes Zirngibl, Anja Feldmann, Tobias Fiebig, "Measuring the Deployment of DNSSEC Bootstrapping Using Authenticated Signals." ACM, 2025.
