The state of DNSSEC provisioning automation

Research into DNSSEC has shown that the adoption of DNSSEC has been quite slow so far. To make DNSSEC easier to deploy, RFC 7344 and RFC 8078 were released which specify provisioning automation for DNSSEC. How­ever, there is a lack of research into the current state of provisioning automation. This paper will look into the support for provisioning automation in three areas. First of all, software support is analyzed. Here, the research shows that scanning for provisioning automation records is still limited, but there are already some open-source implementations available. For operators of second-level domain names, most authoritative DNS software feature some form of support for publishing provisioning automa­tion records. Second, support for provisioning automation at the parent side will be analyzed, where the focus will be put on TLD registry support. Here, the research shows that parent side support is still very limited. However, multiple registries and a registrar have signalled support for provisioning automation in the future. Third, daily snapshots of DNS zones were analyzed to investigate provisioning automation support at the child side. Here, the research shows that very few domains currently use provisioning automation. Additionally, some misconfigurations are brought to light. Finally, a general conclusion is drawn on the current state of DNSSEC provisioning automation.