DNSSEC Validation at Spark NZ

During the last NZNOG meeting in Rotorua, Geoff Huston presented an interesting result from APNIC's continuous research into DNSSEC validation deployment in New Zealand: the country reached a validation level of 15% among a sample of users. These numbers are well below the level of adoption in other countries, like the US with 21.6%, but they are at the same level as Australia and a lot better than the UK with 5%. The result also carries a surprise: the same metric was sitting at the 8% level in December 2014.

Use of DNSSEC validation for New Zealand

New Zealand nearly doubled its DNSSEC validation adoption in a single month? That's too good to be true. Geoff's report indicates that Spark NZ apparently started doing DNSSEC validation during December 2014.

NZRS uses DNS traffic data from the .nz nameservers to identify and analyze this change.

The figure below represents the DNS traffic from Spark NZ resolvers seen at our .nz nameservers. The purple line is the total number of queries, and the orange line is the DNSSEC-associated traffic.

Spark DNS traffic for .nz

Before Dec 15th, Spark NZ resolvers were hardly sending any DNSSEC queries for .nz to our nameservers, but with the flick of a switch they ramped up to roughly two million queries a day. We investigated the details of this change in our blog: https://nzrs.net.nz/content/dnssec-validation-spark-nz
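
The kind of analysis described above, as an added example that is not NZRS's code: it counts per-day total and DNSSEC-associated queries from a set of resolver addresses in an authoritative query log and reports the day the DNSSEC share first jumps. The log format, the resolver prefix, the sample lines, the 25% threshold and the reading of "DNSSEC-associated" as DS and DNSKEY queries are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: "DNSSEC-associated" means the types a validating resolver fetches.
DNSSEC_QTYPES = {"DS", "DNSKEY"}
# Constructed resolver prefix (RFC 5737 documentation range).
RESOLVER_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample log, one query per line: date source_ip qname qtype
SAMPLE_LOG = """\
2014-12-13 192.0.2.10 example.nz A
2014-12-13 192.0.2.11 example.co.nz MX
2014-12-13 198.51.100.7 example.nz DNSKEY
2014-12-14 192.0.2.10 example.org.nz AAAA
2014-12-15 192.0.2.10 nz DNSKEY
2014-12-15 192.0.2.11 example.co.nz DS
2014-12-15 192.0.2.11 example.co.nz A
2014-12-16 192.0.2.10 example.nz DS
2014-12-16 not-an-ip example.nz A
"""

def daily_counts(log_text, nets=RESOLVER_NETS):
    """Return {date: [total, dnssec]} for queries from the given networks."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line
        day, src, _qname, qtype = parts
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # unparseable source address
        if not any(addr in net for net in nets):
            continue  # not one of the resolvers under study
        counts[day][0] += 1
        counts[day][1] += qtype.upper() in DNSSEC_QTYPES
    return dict(counts)

def validation_onset(counts, min_share=0.25):
    """First day whose DNSSEC share reaches min_share after a day below it."""
    prev_below = False
    for day in sorted(counts):
        total, dnssec = counts[day]
        share = dnssec / total if total else 0.0
        if share >= min_share and prev_below:
            return day
        prev_below = share < min_share
    return None
```
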

Global Impact

The reader may think a change like this only produces effects within New Zealand, but in an interconnected world, that's no longer true. We worked together with SIDN, the registry for .nl domain names, who were able to repeat our analysis and count the number of DNSSEC queries they received from Spark NZ in the same period. .nl is a good option to check this, because they have over 2.2 million signed domains.

Although not at the same scale as .nz, mainly because of the popularity of .nl domain names in New Zealand and the smaller data set used for this query, traffic from Spark NZ resolvers went from a few queries per day to over 10,000 queries per day, including DNSSEC traffic. Following the same color palette as before, purple represents total traffic and orange DNSSEC-associated traffic.

Spark DNS traffic for .nl seen at ns1.dns.nl

Conclusions

NZRS is a big advocate of DNSSEC adoption, on both the signing and the validation side. We are very happy to see Spark NZ taking this step to enable validation, which, together with the use of DANE, will enable a broad set of applications to securely exchange traffic across the Internet. We are looking forward to having this service deployed widely to all Spark customers.

For a more detailed analysis of this change, please visit our blog: https://nzrs.net.nz/content/dnssec-validation-spark-nz