DNSSEC Validation in 2022: Africa Leads With Amazing Growth

Picture of Dan York
Dan York
Categories:
Technology
Twitter logo
LinkedIn logo
Facebook logo
March 10, 2023

African countries led the way in DNSSEC validation growth in 2022 with Namibia and Lesotho now validating 85% and 95% of all DNS queries and Morocco and Guinea validating over 80%.

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a protocol that adds an extra layer of security to the Domain Name System (DNS) by digitally signing DNS data. This prevents hackers from intercepting and modifying data when it’s transmitted, reducing the risk of attacks such as DNS cache poisoning.

There are two sides to DNSSEC: signing and validating. On the one side, DNS operators sign domain names cryptographically. On the other side, when you do anything online that uses domain names, the DNS resolver you use, often at your Internet Service Provider (ISP), performs DNSSEC validation to check whether DNSSEC signatures are correct.

For DNSSEC to provide its extra layer of security globally, we need both: domain names to be signed, and local DNS resolvers to be checking for those DNSSEC signatures.

For this post, I’m only going to focus on the validation side. If you look at our Pulse page on enabling technologies, you can see toward the bottom of the page a chart (Figure 1) that shows both signing and validation metrics in the same chart.

Graph showing the percentage of ccTLD registries with operational DNSSEC from 2012.
Figure 1 — Percentage of ccTLD registries with operational DNSSEC.

I want to dig into the green line on the bottom that represents validation and shows around 30% of all queries currently being validated. To do this, I will dive into DNSSEC validation data provided by APNIC Labs, one of our Pulse data partners.

Looking at their chart for global DNSSEC validation (Figure 2), we can see current validation levels are around 30%.

Graph showing the use of DNSSEC validation for the world since 2014.
Figure 2 — Use of DNSSEC validation for the world. (Source: APNIC Labs)

If you scroll down the page you can see the validation in regions around the world (click on a column heading to sort by that column). By clicking on those regions you can dive down into seeing how much validation is happening in a specific country and specific networks.

RegionDNSSEC ValidatesSamplesWeightWeighted Samples
World32.29%10,777,148110,777,148
Oceania42.74%92,6970.8679,836
Europe40.85%2,128,0180.731,562,147
Americas32.83%2,472,5440.781,925,800
Africa30.86605,4391.821,104,722
Asia30.05%5,478,4440.066,104,402
Unclassified0.15%4,0280.06233
Table 1 — Use of DNSSEC Validation per region as of 10 March 2023. Source: APNIC Labs.

What’s Behind the Amazing Growth In Africa?

Of all the regions, the greatest growth in DNSSEC validation can be seen in Africa, growing from a low of 17% at the start of 2022 up to 31% at the start of 2023 (Figure 3).

Graph showing increase in DNSSEC validation usage in Africa (2014-2023)
Figure 3 —Use of DNSSEC validation in Africa. (Source: APNIC Labs)

APNIC Labs provides a map that very nicely shows with the bright green where the highest percentage of validation is occurring.

Map of Africa showing DNSSEC validation use for each country.
Figure 4 —Map of Africa showing DNSSEC validation use for each country. Bright green shows where the highest percentage of validation is occurring. (Source: APNIC Labs)

Looking at some specific charts, you can see in Guinea a huge jump from around 5 to 7% validation at the beginning of 2022 to over 70% in early 2023.

Graph showing increase in DNSSEC validation usage in Guinea (2014-2023)
Figure 5 — Use of DNSSEC validation in Guinea. (Source: APNIC Labs)

Looking at the individual operators, you can see that several of the operators have had DNSSEC validation enabled since at least 2021, but the big change was when Orange (ASAS37461) started validating in September 2022 (Figure 6).

Graph showing the use of DNSSEC validation in ORANGE Guinea network
Figure 6 — Use of DNSSEC validation in ORANGE Guinea network (AS37461). (Source: APNIC Labs)

Morocco provides another interesting case study of what happens when large ISPs enable DNSSEC validation. As you can see in the overall Morocco chart (Figure 7), there was a huge jump in early 2021 from around 5% validation up to around 60%. And then in mid-2022, there was another big step up to around 80% validation.

Graph showing the use of DNSSEC validation in Morocco
Figure 7 — Use of DNSSEC validation in Morocco. (Source: APNIC Labs)

Digging into the specific networks, you can see that Maroc Telecom (ASAS36903) started doing validation in early 2021, corresponding to the first large step in the chart (Figure 8).

Graph showing the use of DNSSEC validation MT-MPLS network
Figure 8 — Use of DNSSEC validation MT-MPLS network (AS36903). (Source: APNIC Labs)

The second step can be seen when ASMedi (AS36925) enabled DNSSEC validation in mid-2022 (Figure 9).

Graph showing the use of DNSSEC validation in ASMedi network
Figure 9 —Use of DNSSEC validation in ASMedi network (AS36925). (Source: APNIC Labs)

Note the interesting aspect APNIC Labs’ data shows that ASMedi had previously been validating DNSSEC back in 2014-2016, and then for whatever reason stopped validating for six years until they turned it back on in 2022!

Lesotho also saw a similar step growth pattern to finish the year with over 95% validation, with Telecom-Lesotho validating more than 90% since 2021, and Vodacom-Lesotho joining in at the end of 2022.

Many other African countries also had excellent growth, including Cameroon, Namibia, Nigeria, Chad, and Madagascar.

In my next post, I will highlight the mixed changes we’ve seen in DNSSEC validation over the past year in North and South America.


Photo by Abdur Ahmanus on Unsplash