Economic incentives on DNSSEC deployment: time to move from quantity to quality

The security extensions to the DNS (DNSSEC) currently cover approximately 3% of all domains worldwide. In response to the low deployment of DNSSEC, a few top-level domains started offering 'per-domain' economic incentives to encourage adoption of the protocol by offering a yearly discount on each signed domain. However, it remains unclear whether these incentives are well-balanced and foster the overall security of the infrastructure as well as its deployment at scale. In this paper we argue that, in the presence of fixed costs of deployment, misaligned 'per-domain' incentives may have the collateral effect of encouraging large operators to massively deploy unsecure implementations of DNSSEC, whereas smaller operators, for which the effect of the economic incentive is negligible, may not significantly benefit from it. To investigate this, we study the security of DNSSEC deployment at scale, particularly in TLDs that offer economic incentives. We find that the security of DNSSEC implementations in the wild poorly reflects standard recommendations, particularly for tasks that cannot be solved by triggering a flag in the DNS software service (e.g. key rollover). Further, we find that, on average, large operators deploy weak DNSSEC security more frequently than small DNSSEC operators, suggesting that current incentives are ineffective in promoting a secure adoption and in deterring insecure implementations. We conclude the paper with actionable recommendations for TLD registry operators to improve the alignment of economic incentives with secure DNSSEC requirements.