Home / News

Study Assesses Potential Impact of DNSSEC on Broadband Consumers, Results Not Good

Recent collaborative test by Core Competence and Nominet have concluded that 75% of common residential and small SOHO routers and firewall devices used with broadband services do not operate with full DNSSEC compatibility “out of the box”. The report presents and analyzes technical findings, their potential impact on DNSSEC use by broadband consumers, and implications for router/firewall manufacturers. Included in its recommendations, the report suggests that as vendors apply DNSSEC and other DNS security fixes to devices, consumers should be encouraged to upgrade to the latest firmware.

The full report can be downloaded here [PDF].

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Not really seeing the issue... Dave Howe  –  Sep 16, 2008 6:52 PM

Sure, dns poisoning is a major vulnerability, but most residential users should be restricting dns traffic purely to their isp or other dns provider - they shouldn’t be walking the dns tree anyhow, so the odds of an attacker being able to spoof a reply to their query is pretty low. Provided the ISP (or other provider) has a clean resolver, their own feed should also be clean.

Yes, the customer will be talking to Carl Byington  –  Sep 17, 2008 12:52 AM

Yes, the customer will be talking to their provider’s dns server, but eventually those questions will be asking for dnssec answers, and it is those dnssec answers that may or may not make it back thru the residential gateway proxy to the internal machine that asked the question.

of course... Dave Howe  –  Sep 17, 2008 7:45 AM

but those *answers* don’t have to be DNSSEC. DNSSEC should be applied at the provider level, not at the consumer level - once the ISP has a (known good, DNSSEC approved) answer, it can serve that to its customers using normal DNS. DNSSEC is a painful protocol anyhow, and requires you to be able to do digital signatures (in its rfc form - fixed admittedly in some of the draft replacements - it also allows you to walk a zone and effectively perform a zone transfer, something we have been locking down on in recent years as it just makes life too easy for certain types of attacker)

End-user DNSSEC responses Ray Bellis  –  Sep 17, 2008 10:15 AM

It’s not expected that ISPs’ recursive resolvers will unilaterally reject DNS responses that fail DNSSEC validation.

Usually they would only do this if the client (i.e. stub) has indicated that it is security aware by setting the “DO” bit.

However our study did determine that some of the routers couldn’t correctly pass the “DO” bit.  Others also had problems returning the “AD” bit that signifies successful validation.

Clarification Ray Bellis  –  Sep 17, 2008 4:07 PM

Ok, that was incorrect.

Validating recursors will only set the AD bit in the response if the request contained the DO bit.

However it is allowable (indeed expected) that an upstream resolver can return SERVFAIL if a domain fails DNSSEC validation, according to the ISP’s locally configured policy.

However if the client wants to use a different policy, they must either run a fully validating caching resolver locally, or “forward” (in the DNS sense) their queries to an upstream recursive resolver with the DO and CD bits set.

The former configuration potentially suffers from Kaminsky-style cache poisoning attacks due to poor NAT source port randomisation.  The latter approach would be affected by the DNSSEC flag compatibilities highlighted in our report.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC


Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign