unbound 1.7.3 - Verified that unsigned response is INSECURE

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Oct 30 17:50:48 UTC 2018

On Tue, Oct 30, 2018 at 02:52:17PM +0100, Jochen Becker wrote:

> Apparently there seems to be a misunderstanding at my end, e. g. where
> is the point of validation if the majority of domains are not signed?

My DANE/DNSSEC adoption survey is tracking ~9 million DNSSEC-signed
delegations which are immediate descendants of Public Suffix List
parent domains.  Based on published numbers from some of the larger
registries for which I am as yet unable to get complete zone data,
my estimated world-wide total is around 10 million.

While many of the largest domains are not presently signed, some
are.  Deployment is somewhat concentrated in Northern Europe, but
there is also significant deployment in Brazil, the Czech Republic
and Poland.  There is a non-trivial number of signed domains in the
USA, but the global reach of the .com/.net/.org TLDs does not make
this readily apparent.

> In my current (and now updated!) understanding, in all these cases I can
> never be sure to actually talk to the web site I wanted to?

Well, (HTTPS) web sites are authenticated via their X.509 certificates,
not their IP address.

> My conclusion so far: DNSSEC remains an illusion. Would that be correct?

No, DNSSEC is not an illusion, but deployment is around 3% of domains
globally.  However, signed domains are O(50%) for the .NL, .CZ, .PL,
.SE, .NO, .BR, .EU, ... TLDs.  The ".bank" and ".insurance" TLDs are
100% signed, but are not actively used by most registrants, who have
mostly just reserved the names.

Validation protects caches from poisoning with forged
data (as might easily happen via a BGP hijack) and protects the
integrity of DANE TLSA records, which are already used to protect
SMTP transport for ~330 thousand domains whose MX hosts have DANE
TLSA records.

DANE for SMTP is used by, e.g., web.de, gmx.de, freenet.de and
comcast.net, covering tens of millions of users.  DANE support is
available in the Postfix, Exim, Halon, PowerMTA, ... mail servers.

DANE is not presently supported by browsers, I'm working on removing
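The SMTP-side logic the reply sketches (validation state first, then TLSA usability, then matching), as an added offline example that is not part of the original message and not code from Unbound, Postfix or any other server named above. The validator states follow Unbound's SECURE/INSECURE/BOGUS vocabulary from the subject line; the delivery rules follow RFC 7672 (DANE for SMTP) and RFC 7671; the SPKI/certificate byte strings and the TLSA records are constructed stand-ins, and only DANE-EE(3) matching against the leaf key is implemented (DANE-TA(2) would additionally need the issuer chain and PKIX path building).

```python
"""Offline worked example: how an SMTP client turns a DNSSEC validation
state plus a TLSA RRset into a delivery decision (RFC 7672 / RFC 7671).

Added example, not code from the original post or from any mail server it
names.  The "SPKI" and "certificate" byte strings and the TLSA records are
constructed for illustration; a real client takes the SPKI from the server's
leaf certificate and the TLSA RRset plus its validation state from a
DNSSEC-validating resolver such as Unbound.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum


class Validation(Enum):
    """Validator states as reported by a validating resolver (cf. Unbound)."""
    SECURE = "secure"      # signed and verified: AD bit set, records trustworthy
    INSECURE = "insecure"  # provably unsigned delegation: answer is unverified
    BOGUS = "bogus"        # signed but verification failed: resolver answers SERVFAIL


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact data, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the presentation form printed by dig: 'usage selector mtype hex...'."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, mtype and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    # dig wraps long hex strings into several whitespace-separated chunks
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def format_tlsa_ee(spki_der: bytes) -> str:
    """Presentation form of the '3 1 1' record an operator publishes for a key."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def tlsa_usable(rr: TLSA) -> bool:
    """RFC 7672: SMTP clients use only DANE-TA(2) and DANE-EE(3); records with
    unknown parameters or a wrong digest length are 'unusable'."""
    if rr.usage not in (2, 3) or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
        return False
    digest_len = {0: None, 1: 32, 2: 64}[rr.mtype]
    return digest_len is None or len(rr.data) == digest_len


def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the record's association data with the selected part of the cert."""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return selected == rr.data
    if rr.mtype == 1:
        return hashlib.sha256(selected).digest() == rr.data
    if rr.mtype == 2:
        return hashlib.sha512(selected).digest() == rr.data
    return False


def dane_decision(validation: Validation, records: list[TLSA],
                  leaf_cert_der: bytes, leaf_spki_der: bytes) -> str:
    """Delivery decision for one MX host (DANE-EE matching only, see module doc)."""
    if validation is Validation.BOGUS:
        # Forged or broken answer: do not deliver, retry later; never fall back.
        return "defer-bogus-dns"
    if validation is Validation.INSECURE or not records:
        # Unsigned zone (the INSECURE case from the subject line) or no TLSA
        # records at all: DANE does not apply, use opportunistic TLS.
        return "deliver-opportunistic-tls"
    usable = [rr for rr in records if tlsa_usable(rr)]
    if not usable:
        # TLSA published but all unusable: TLS is mandatory, authentication is not.
        return "deliver-unauthenticated-tls"
    if any(rr.usage == 3 and tlsa_matches(rr, leaf_cert_der, leaf_spki_der)
           for rr in usable):
        return "deliver-dane-authenticated"
    # Usable records, none match the presented key: defer, never downgrade.
    return "defer-authentication-failed"


# Constructed sample data (not real keys): stand-ins for DER-encoded blobs.
SAMPLE_SPKI = b"\x30\x59\x30\x13" + b"example-mx-spki-bytes" * 3
SAMPLE_CERT = b"\x30\x82\x01\x00" + SAMPLE_SPKI + b"-signed-by-example-ca"
ATTACKER_SPKI = b"\x30\x59\x30\x13" + b"attacker-key" * 5

if __name__ == "__main__":
    published = parse_tlsa(format_tlsa_ee(SAMPLE_SPKI))
    print(format_tlsa_ee(SAMPLE_SPKI))
    print(dane_decision(Validation.SECURE, [published], SAMPLE_CERT, SAMPLE_SPKI))
    print(dane_decision(Validation.INSECURE, [published], SAMPLE_CERT, SAMPLE_SPKI))
    print(dane_decision(Validation.SECURE, [published], SAMPLE_CERT, ATTACKER_SPKI))
```

The ordering is the point: the same TLSA record that authenticates the MX host when the lookup is SECURE is simply ignored when the zone is unsigned (INSECURE), which is why an unsigned domain gets no DANE protection however carefully its records are written, while a BOGUS answer (the cache-poisoning or BGP-hijack case the reply mentions) must defer delivery rather than fall back to plain or opportunistic TLS.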


