The state of DNS security records 2020

Not quite the third year running, but a third edition at least. This year’s state of DNS security records survey has seen a few changes – so it is a bit of a transition report. I’ve dropped all of my self-generated lists, except for DoH providers, in favour of more robust lists. I’ve also got a new generation of my domain quality tool in the works. This report was produced using the new version of the tool, as it produces more reliable results, captures more data and is a tad more efficient, allowing me to increase my sample size. TLDR: Summary The adoption rates of security-related records provisioned continue to stagnate, though I suspect the drops from 2017 may be artefacts of improved methodology and larger sample size. Comparing just to last year, any gains made are marginal at best. Despite all the attention DNS security has got this… Continue reading

IPv6 with Zen internet and Ubiquiti

Having recently moved over to a Ubiquiti UDM for my home router, I wanted to get my IPv6 connection back and working. Searching for advice on how to do this, there were quite a few articles describing the trials and tribulations involved in getting things working. It turns out that with the latest firmware release, getting IPv6 working is really very easy. Unfortunately, nothing in the management UI actually lets you know it’s working. So even if you have it configured correctly, you’ll only be able to tell by checking if you can reach things via IPv6. So, to help anyone else who was in my position, here are the really very simple instructions for configuring IPv6 on a UDM running firmware 1.8.3 with Zen Internet. Continue reading

The state of DNS security records 2019

Record type occurrence

My recent search for DNS hosting reminded me that it’s been a while since my first state of DNS report. I had meant to do it every year, so this is a bit late; I should probably set myself a reminder. At this point let’s just say I missed 2018 and this is the 2019 report, and I’ll try to remember for 2020. TLDR: Summary The deployment of security records in DNS has got slightly worse. The average score (out of 10) based on deployment of CAA, DKIM, DMARC, DNSSEC and SPF was 2.48 in 2017; the same records checked today averaged 2.15, with this year’s data set averaging 2.42. Two data sets were used this year: the 2017 lists and updated lists taken from the same sources. Usage of IPv6, SPF and DMARC has seen significant decreases across both sets of data, offset only slightly by the… Continue reading

The state of DNS security records 2017

These days there are quite a few security initiatives that depend upon DNS, and to keep those secure you need to implement DNSSEC. Many people across the board, from Google to security advisory firms, are encouraging the uptake of these initiatives, many of which are getting quite long in the tooth (SPF is over a decade old). However, I’ve long thought that many of these “enhancements” are far from trivial to implement: if you’re a small operator it’s a lot of work for small gains, and if you’re large then unless you can automate it, it’s just not viable. Looking at implementing many of these enhancements myself, and at the work involved, I started wondering what deployment looked like amongst other people, so I thought I’d do a quick survey, and on the whole it’s not a pretty sight. From my far from scientific survey the only thing… Continue reading