[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47) days by 2029
Viktor Dukhovni
cryptography at dukhovni.org
Sat Apr 26 03:59:42 EDT 2025
On Sat, Apr 26, 2025 at 02:21:08AM +0000, Peter Gutmann wrote:
> As an interesting aside and speaking of said labs, the region with the best
> deployment of DNSSEC seems to be Africa, which also happens to be the region
> with the least Internet connectivity:
>
> https://stats.labs.apnic.net/dnssec
Actually, no, DNSSEC (zone signing) deployment is concentrated in Europe:
- Holland
- Switzerland
- Czech republic
- France
- Denmark
- Sweden
...
Plus a significant deployment in Brazil.
https://stats.dnssec-tools.org/#/?top=tlds&tld_tab=0
> Places like Guinea-Bissau and Uganda (and in fact most of the rest of Africa)
> have better DNSSEC deployment than the US and Canada. It'd be interesting to
> know why this is the case - one guess is that if there's very little there in
> the first place then just a small amount of DNSSEC makes a huge difference.
APNIC labs are measuring percentages of consumer requests that use DNSSEC
validating resolvers*, not zone signing. This results in stronger scores
in Africa, because much of the population of Africa are using mobile devices
with DNS by Google et. al., and land lines with legacy CPEs are scarce.
So DNSSEC validation is concentrated in more "modern" deployments, that
may be more likely to matter in the long run...
--
Viktor.
More information about the cryptography
mailing list