DNSSEC Validation in 2022: Canada and USA in Decline
Published in Technology. Tags: Canada, dnssec, North America, South America, USA.
In my first post in this series, I highlighted the amazing growth of DNSSEC validation in countries within Africa.
In this post, I’ll jump across the Atlantic Ocean to highlight the mixed changes we’ve seen in DNSSEC validation over the past year in North and South America.
Growth continues in South America, with Guyana, Venezuela, and Argentina all making significant gains in 2022. DNSSEC validation in Caribbean networks grew from 20 to 25%, while Central American networks grew a couple of percentage points.
But in North America, we saw a decline in DNSSEC validation from nearly 40% at the start of 2022 to around 32% by year-end.
Some of this decrease can be attributed to a 5% decrease (from 40% to 35%) in the USA.
The USA is an example of where the DNSSEC validation is happening largely because of one very large ISP — Comcast. If you look at the table showing the top 20 networks from which APNIC Labs receives samples, Comcast is the only network doing significant DNSSEC validation until you get down to number 16 in the list.
Given that Comcast is the largest ISP in the USA, this is largely what gives the USA its 35% overall validation rate. At this time the other large mobile providers (AT&T, T-Mobile, Verizon) are not validating, nor are other large cable providers such as Charter, Cox, and Time Warner.
The drop for North America though is mainly attributed to Canada where DNSSEC validation declined almost 50% — the blue line in Figure 3 tells the story.
There were small declines in several ISPs, such as Xplornet dropping from 30% to 10% validation. But the largest drop was from Cogeco Communications where they had been validating up to around 95 to 98% of all queries since 2018. Then, in December 2022, they seem to have just turned it off! 🤷 Note, they aren’t responsible for the entire decline. As you can see in Figure 4, theirs was a sudden drop (blue and yellow lines) while country totals (green and purple lines) were declining over the whole year. Hopefully, Cogeco Communications will turn DNSSEC validation back on soon.
Canada’s challenge is that its largest ISPs are not validating DNSSEC. You have to go down to #9 on the list (Figure 5), where SaskTel has been doing an awesome job validating DNSSEC since 2020. But unlike the USA, where Comcast is leading the industry, none of Canada’s largest ISPs seem to be taking DNS security seriously.
As an aside, given all our work with low Earth orbit (LEO) satellites last year, I was pleased to see SpaceX’s Starlink network in Canada coming in with close to 99% validation.
All in all, though, the story of North America is that the USA and Canada need to get more of their larger ISPs to start validating DNSSEC.
What About Europe and Asia?
At a high level, Europe ended 2022 slightly above where it began thanks to some positive movement in Italy and Russia but declines in France and the UK.
Similarly, Asia recorded a slightly higher average over 2022, although there’s been an increase in early 2023 with Bangladesh making a solid step, and Iran making a huge jump.
I’ll explore the details of these in my next post.