Unfortunately, the DNS isn't infallible. It's possible for crooks and pranksters to divert people to fraudulent websites by giving false IP address translations for domain names. That's because, when the translation of a domain name is requested, the traditional DNS will accept an answer that appears to be in order, without checking that it's genuine. Back in the nineties, a protocol was therefore developed to correct that weakness in the DNS. The name of the protocol is Domain Name System Security Extensions, or DNSSEC for short.
DNSSEC secures the DNS by making it possible to tell whether DNS answers are genuine. With DNSSEC, DNS answers are signed – like the important letters you get through the post, except that the signature is a digital code instead of ink. So, when your computer receives a message containing the IP address of the tax office website, it knows whether it can be trusted. And that means you can't be misdirected to a fake site.
Other security functions work better with DNSSEC as well. E-mail is a good example. For some time now, we've had standards that allowed the origin of an e-mail to be checked. One of those standards is DKIM, which, like DNSSEC, is on the list of technologies that government departments have to use unless they can give a good reason why they don't. If the zone that mail comes from is secured with DNSSEC, the authenticity of the messages can be verified more reliably.
In short, SIDN and lots of other experts think that DNSSEC is a protocol that everyone should use. Unfortunately, though, getting people to use it isn't easy.
Netherlands leads the way
Although the basics of DNSSEC were defined before the turn of the century, it was ten years before the protocol got off the ground globally. The main reason for people starting to take it up was a discovery made by US security expert Dan Kaminsky. He highlighted a number of vulnerabilities in the ordinary DNS, which DNSSEC could correct. In the summer of 2012, it became possible to use DNSSEC to protect .nl domain names. Since then, SIDN and the Netherlands' registrars (hosting service providers) have been working hard to get as many .nl domain names as possible signed with DNSSEC. As a result, the .nl domain leads the world in terms of the number of signed names.
There was another important development in 2012. In May, DNSSEC was added to the government's use-or-explain list, alongside technologies such as IPv6. What that means in practice is that all government departments and agencies have to use DNSSEC to protect their websites, or explain why they haven't. The initiative won international praise and was soon copied at the EU level.
Slow adoption by government
It's now four years since DNSSEC was enabled for .nl. Four years in which 2.5 million .nl domain names have been secured with DNSSEC. A good moment, then, to consider what's been achieved in terms of implementing DNSSEC within government. Sadly, the conclusion has to be that the forward-looking move made in 2012 hasn't been followed up. Of the twenty-three biggest government sites, only ten are secured with DNSSEC. There doesn't seem to be a clear policy: rijksoverheid.nl is signed, but politie.nl isn't.
So… why? Signing a domain name is nowadays common practice. And DNSSEC-related problems involving error messages and faults are extremely rare. What's more, DNSSEC is really important for getting other security standards, such as DKIM, adopted.
Making the internet more secure is a shared responsibility, and government departments and agencies can play their part by setting a good example. By adopting and making active use of open standards, the government can encourage others to follow suit and accelerate progress towards a secure internet for the Netherlands.
Do you have DNSSEC? Visit internet.nl to find out
Want to know whether your website is secured with DNSSEC? Easy: just visit internet.nl and do the test. If your website doesn't have DNSSEC protection, ask your hosting service provider to arrange it.
Signed and unsigned government domain names