DNSSEC-validating DNS service: successful pilot completed
For the last two years, we've been piloting a DNSSEC-validating DNS service. The main aim was to build up our own picture of the problems caused by validation errors. Five years ago, the number of DNSSEC configuration errors in the .nl zone represented a problem for validating resolvers. We therefore implemented a raft of measures to remove errors from the zone. However, access providers continued highlighting the errors as a reason for not enabling DNSSEC validation on their resolvers.
The pilot's second aim was to assess the viability of us making a validation service more widely available. Offering a service would plug the gap left by the access providers and create a non-commercial alternative to Google's Public DNS. With the added benefit of fully assuring users' privacy.
In the period 2013-2014, validation errors were a major obstacle to the further development of DNSSEC in the Netherlands. The .nl domain's pioneering role in promoting the signing of domain names deflected the focus away from validation. The outcome was an imbalance between the two sides of DNSSEC: signing and validation.
At that time, there were too many domains whose key material, as registered with us, didn't match the information on their authoritative servers. That created issues for supportive access providers. They were confronted by problems and costs, for which other people's configuration errors were to blame. And they were powerless to put those errors right. So, for example, T-Mobile disabled validation for its mobile users in 2013, after previously supporting DNSSEC.
Cutting out the errors
Against that background, we put various measures in place to cut out validation errors. We called the registrars responsible for the most errors (2013), after which the situation rapidly began to improve (2014). A little later (in 2015) we rolled out Validation Monitor XXL: a tool that enabled us to identify and remove the remaining few DNSSEC configuration errors from the .nl zone. It also meant that we had a basis for offering registrars a financial incentive for getting their DNSSEC configurations right."There's now no reason why access providers shouldn't enable DNSSEC validation on their caching resolvers," said Technical Advisor Marco Davids at the time. "They don't need to worry any more about getting lots of helpline calls from customers who can't reach websites. It's now up to the country's big providers to press the firms that manage their network infrastructures to start supporting validation."
Although validation errors haven't been a real issue since 2015, access providers still point to the errors to defend not enabling validation on their resolvers. At the moment, XS4All, BIT and Edutel are among the few access providers who do perform validation for their customers.With access providers so reluctant to support DNSSEC, we decided to start a pilot DNS service of our own in July 2015. Fibre broadband company OpenFiber set up two (redundant) DNS resolvers to operate the service, one in Arnhem and the other in Amsterdam. Initially, the servers were used by a thousand-plus students at a secondary school in The Hague (Haags Montessori Lyceum, or HML). Later, OpenFiber made the service available to all its FttH (Fiber to the Home) customers.The pilot came to an end in November 2017. Service users were transferred back to OpenFiber's own resolvers, which now support DNSSEC validation.
Almost no errors
"The main thing we've learnt from the pilot is that you hardly ever see validation errors nowadays," says SIDN's Key Account Manager Sebastiaan Assink. Over a period of about eighteen months, a total of 849,182,522 queries yielded 25,160 unintended validation errors involving 4,778 unique domain names. That's about thirty per million, five orders of magnitude less than in 2013. In practical terms, validations errors are all but non-existent."During the two years that the project was running, we didn't get a single support call about a website that didn't work via our connection, but was accessible by mobile," recalls Kasper Schoonman, OpenFiber's co-owner.
Another outcome of the pilot is that it's been decided that the validating DNS service won't be developed into a full-scale public service. "The pilot was a success, but it's now been brought to a close. We're glad to see that the number of providers doing DNSSEC validation is increasing, albeit slowly," says Sebastiaan.
Brake on innovation
"Although validation errors haven't been a problem for years, access providers are sitting on their hands," sums up Sebastiaan. "The biggest of them, including KPN and Ziggo, still don't do DNSSEC validation. It's a brake on innovation. New DNS/DNSSEC-based applications, such as DANE, DKIM, DMARC and SPF are being held back.""We don't have a direct commercial relationship with the access providers, so unfortunately it's hard for us to exert any leverage. Nevertheless, we'll keep promoting awareness and keep lobbying for change."