Understanding the Role of Registrars in DNSSEC Deployment

Taejoong Chung, Roland M. van Rijswijk, David Choffnes, Dave Levin, Bruce Maggs, Alan Mislove, Christo Wilson

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

    29 Citations (Scopus)


    The Domain Name System (DNS) provides a scalable, flexible name resolution service. Unfortunately, its unauthenticated architecture has become the basis for many security attacks. To address this, DNS Security Extensions (DNSSEC) were introduced in 1997. DNSSEC’s deployment requires support from the top-level domain (TLD) registries and registrars, as well as participation by the organization that serves as the DNS operator. Unfortunately, DNSSEC has seen poor deployment thus far: despite being proposed nearly two decades ago, only 1% of .com, .net, and .org domains are properly signed.
    In this paper, we investigate the underlying reasons why DNSSEC adoption has been remarkably slow. We focus on registrars, as most TLD registries already support DNSSEC and registrars often serve as DNS operators for their customers. Our study uses large-scale, longitudinal DNS measurements to study DNSSEC adoption, coupled with experiences collected by trying to deploy DNSSEC on domains we purchased from leading domain name registrars and resellers. Overall, we find that a select few registrars are responsible for the (small) DNSSEC deployment today, and that many leading registrars do not support DNSSEC at all, or require customers to take cumbersome steps to deploy DNSSEC. Further frustrating deployment, many of the mechanisms for conveying DNSSEC information to registrars are error-prone or present security vulnerabilities. Finally, we find that using DNSSEC with third-party DNS operators such as Cloudflare requires the domain owner to take a number of steps that 40% of domain owners do not complete. Having identified several operational challenges for full DNSSEC deployment, we make recommendations to improve adoption.
    Original language: English
    Title of host publication: IMC '17
    Subtitle of host publication: Proceedings of the 2017 Internet Measurement Conference
    Place of Publication: New York, NY
    Publisher: Association for Computing Machinery
    ISBN (Print): 978-1-4503-5118-8
    Publication status: Published - 1 Nov 2017
    Event: 2017 ACM Internet Measurement Conference, IMC 2017 - London, United Kingdom
    Duration: 1 Nov 2017 - 3 Nov 2017


    Conference: 2017 ACM Internet Measurement Conference, IMC 2017
    Abbreviated title: IMC
    Country/Territory: United Kingdom