DNSSEC-inventarisatie, februari 2017
Slow adoption by banks and internet infrastructure operators give cause for concern
6 March 2017
46 per cent of .nl domains are now signed. The percentage continues to rise, but the rapid early growth curve has flattened off. SIDN's incentive scheme has had its intended effect.
We are currently seeing the rise of new security applications implemented on top of the cryptographically secured DNSSEC infrastructure:
DKIM, SPF and DMARC for fighting phishing and spoofing,
DANE to bring the much-needed extra security of TLS certificates to web and mail traffic.
As a result, DNSSEC has gone from being a technology-driven cost item to an enabler for important security applications.
Although the general increase in the proportion of domain names that are DNSSEC-enabled is reflected in almost all of the surveyed segments, significant differences remain.
Government bodies head the latest adoption rankings, with 59 per cent of their domain names now signed. That is mainly due to DNSSEC being added to the 'use-or-explain' list maintained by the Forum for Standardisation and to the launch of the Internet.nl portal.
Although we believe that banks should be among the main users of DNSSEC, banking proved to be the poorest adopter of the segments in our survey.Just as we found two and a half years ago, only a handful of banks have signed their domain names. With high street branches closing and the number of ATMs in decline, the internet is increasingly important as the banks' 'front door'. What's more, no industry is more threatened by phishing, which DNSSEC can help protect against, when used in combination with DKIM.
Mobile telecom firms, access providers, service providers and others responsible for the data transmission backbone also come out of the survey badly. Only a small proportion of them have signed their domain names. Validation levels are disappointing as well: the country's two biggest access providers (KPN and Ziggo) don't perform DNSSEC validation for their customers. The survey findings are therefore completely at odds with the positioning of the internet industry as the Netherlands' third main port, alongside Schiphol airport and Rotterdam sea port
DNSSEC is a cryptographic security system for the DNS, the internet's address book, where domain names are translated into IP addresses (and vice versa). With DNSSEC, a digital signature is attached to the DNS information (records) that the server sends to the client (a resolver), so that the client can check its authenticity.
DNSSEC is a forward-compatible extension to the DNS protocol. That means that resolvers and name servers can interact without difficulty, regardless of whether they support DNSSEC. However, the security system is effective only if both support DNSSEC. That involves the domain name being signed (on the server side) and the digital signatures being verified (on the client side). Only then is the integrity of the name server assured and the transmission of DNS information secure.
A lot of the interaction that businesses have with their customers, partners and suppliers has already moved to the internet. Government bodies and other organisations also make increasing use of the internet to communicate with each other and with the public. Against that background, it's really important to have a secure digital entrance. On-line visitors need to know that they're dealing with a trustworthy brand or organisation. An insecure internet service — or, even worse, a security breach — can cause reputational, commercial and financial damage.
If a hacker interferes with a name server's DNS information before it reaches the client, the client can be directed to a fake server. It's then possible to trick visitors into giving passwords and other confidential information, and to obtain money and business by deceit. DNSSEC assures the integrity of the name server and secures the transmission of DNS information. So a provider of internet services can be sure that visitor traffic is not misdirected.
In recent years, SIDN has made a major commitment to promoting DNSSEC, a protocol for adding cryptographic security to domain name information. That began in 2010 with the signing of our own .nl top-level domain and the Friends & Fans Programme, which enabled early adopters to provide their domains with digital signatures. The big breakthrough came two years later, when registrars were offered financial incentives for signing domain names.
As of 8 February 2017, 2,595,754 (46 per cent) of the 5,701,008 .nl domain names had been signed. The percentage continues to rise, but the rapid early growth curve has flattened off. In the last two years, there have been no more major DNSSEC projects where registrars signed domain names in swathes numbering hundreds of thousands. All registrars with very large portfolios of .nl domains have now adopted DNSSEC; in that respect, the incentive scheme has done its job.
However, the last two years have also witnessed increasing use of new security applications implemented on top of the cryptographically secured DNSSEC infrastructure: the trio of DKIM, SPF and DMARC, which combat phishing, spamming, spoofing and other e-mail abuses, and DANE, which brings the much-needed extra security of TLS certificates to web (padlock icon) and mail traffic.
DNSSEC and DKIM have been on the Forum for Standardisation's 'use-or-explain' list for some time. As a result, government organisations are more or less obliged to implement the two standards when upgrading their systems. More recently, STARTTLS and DKIM for mail have been added to the list as well. The arrival of the Internet.nl portal, where domain names can be checked to see whether they are using modern, secure internet standards, is part of the same trend.
The implementation and use of new applications that utilise the DNSSEC infrastructure has significantly altered the position of DNSSEC: it has gone from being a technology-driven cost item to an enabler for important security applications.
Ultimately, the value of DNSSEC is realised only if domain name signatures are validated by visitors and other users. Validation and signing are complementary processes, both of which are necessary for utilisation of the cryptographically secured DNSSEC infrastructure. The dependence of each on the other creates a chicken-and-egg problem for the DNSSEC world.
In the past, organisations that handled their own DNS management were often reluctant to adopt on the grounds that very few internet access providers supported validation. Although we are still waiting for the country's two biggest players (KPN and Ziggo) to come on board, numerous internet access providers (including XS4All, BIT and Edutel) do now offer their customers validation services. Some of the providers in question have explicitly told customers about DNSSEC support, with the result that the implementation of DNSSEC has acquired commercial value.
Although SIDN has no direct relationship with the internet access providers (except insofar as some are also registrars), it has sought to promote DNSSEC validation. For example, SIDN has participated in the Internet.nl portal project and the recent launch of the Valibox, a device that enables end users to implement wireless DNSSEC validation on their home/office networks.
The relatively large number of bogus domain names in the .nl zone, which was a major early deterrent to validation, has long since been resolved.
DNSSEC survey, February 2017
With a view to building a more detailed picture of the secure domain name landscape, we have analysed the use of DNSSEC within various economic sectors. One would hope and expect that organisations operating in the industries where security, credibility and trust are most important would be more likely to sign their primary domains than those active in other fields.
The survey was based on twenty-seven lists of domain names, partly compiled by hand and partly obtained from organisations representing the sectors in question. As such, its scope was much wider than the first survey, undertaken in autumn 2014.
When defining segments for analysis, we focused particularly on those where we felt that the security offered by DNSSEC was most important. Examples include banking, internet retail, corporates, government organisations and news media. We also felt that the internet and telecom service industries could be expected to play a lead role. After all, they have networking and security-related expertise and the opportunity to offer DNSSEC services to customers.
Once the various segments had been defined, we measured the percentage of signed domain names in each. That was done using the DNSSEC Portfolio Checker developed by SIDN Labs.
In the table below, the results for the various segments are presented, grouped under four general sector headings. The key data are the segments and the corresponding percentages of signed domain names. Click a segment name for details of the surveyed domains and associated findings.
|Financial service providers|
|Independent administrative authorities||69||20||29%|
|Health care institutions||219||55||25%|
|Research organisations (NARCIS)||1008||239||24%|
|Internet and telecom|
|Internet access providers||24||7||29%||27||2||7%|
|Internet service providers||79||18||23%|
|Internet infrastructure providers||39||25||64%||42||16||38%|
|Small independent retailers||2155||626||29%||2044||480||23%|
As the table above shows, there are still considerable differences between segments. Nevertheless, the general rise in the percentage of DNSSEC-enabled domain names in the .nl zone as a whole is clearly reflected in the individual segments (where the survey included a small number of non-.nl domains).
Two years ago, financial service providers, corporates, governmental bodies and internet access providers were lagging well behind, but the picture has since changed considerably. Government bodies are now near the top of the rankings, with 52 per cent of their domain names signed. That is mainly due to DNSSEC being added to the 'use-or-explain' list maintained by the Forum for Standardisation and to the launch of the (open access) Internet.nl portal.
Internet and telecom
Only specialist organisations involved in the development and maintenance of the internet in the Netherlands — including SIDN — remain ahead of the government, with a score of 64 per cent. Internet access providers (IAPs) and internet service providers (ISPs) occupy mid-table positions, with 29 per cent and 23 per cent respectively. The IAPs have nevertheless improved considerably: two years ago, only 7 per cent had signed domain names.
However, the large concerns responsible for parts of the nation's internet infrastructure and connections with the rest of the world remain slow adopters.
None of the four mobile telecom service providers (KPN, T-Mobile, Tele2 and Vodafone) have signed their domain names. The 33 per cent scored by their subcategory is somewhat misleading, insofar as the subcategory includes RTV transmitter operator Alticom and the Telecom Agency (the supervisory authority), both of whom have signed their domain names.
The companies responsible for the data transmission backbone also stand out as scoring badly: members of the Amsterdam Internet Exchange (AMS-IX) and NL-ix hubs have signed just 7 per cent and 17 per cent of their domain names, respectively. That is completely at odds with the positioning of the internet industry as the Netherlands' third main port, alongside Schiphol airport and Rotterdam sea port [1, 2, 3].
Financial service providers
As well as failing to improve on their last-place ranking of two years ago, the banks have made no progress whatsoever with DNSSEC adoption in the interim. Only a handful (ASN, ASR, DHB and Interbank) have signed domain names: exactly as the situation was at the time of the last survey. The explanation given then by the Dutch Payments Association — that the technology was not sufficiently mature and there were not enough validating internet access providers — gave little hope for improvement.
However, we believe that banks should be among the main users of DNSSEC. With high street branches closing and the number of ATMs in decline, the internet is increasingly important as the banks' 'front door'. What's more, no industry is more threatened by phishing, which DNSSEC can help protect against.
By contrast, companies in the insurance and pensions industries have made considerable progress in the last two years, moving from the bottom of the rankings to the middle.
Big strides have been made by government organisations as well. Having lagged well behind two years ago, they are currently amongst the leading adopters of DNSSEC. That is clearly down to changes in security policy. Four years ago, DNSSEC was added to the 'use-or-explain' list maintained by the Forum for Standardisation. More recently, STARTTLS and DKIM for mail have been added to the list as well. As a result, government organisations are more or less obliged to implement the two standards when upgrading their systems.
Furthermore, the Forum for Standardisation established the Internet.nl portal last year. The portal allows anyone to check whether a domain name -- their own or someone else's -- uses modern, secure internet standards.
Media reports about the lack of security associated with municipal websites recently prompted interior minister Ronald Plasterk to announce that all Dutch municipalities would have to sign their domain names by the end of 2017. Only 19 per cent have in fact been signed so far, so a lot needs to be done next year if that requirement is to be met.
A notable climber is the research segment, where the proportion of signed domain names has gone from 9 per cent to 30 per cent. SIDN has helped to promote adoption within the segment by supporting five research centres with the implementation of DNSSEC as part of the Campus Challenge in the summer of 2014.
In the Netherlands' commerce sector, the percentage of signed domain names has merely crept up. Listed companies, small independent retailers and news media have all made very modest progress. With just 10 per cent of their domain names signed, listed companies continue to perform very badly.
The explosive growth of DNSSEC amongst small independent retailers has now plateaued. At the time of the last survey, the growth was being driven by large registrars signing domain names in great swathes in order to benefit from SIDN's incentive scheme. That automatically boosted DNSSEC adoption amongst small businesses, because many of them leave everything relating to their websites to their service providers.
All registrars with very large portfolios of .nl domains have now adopted DNSSEC and the rapid growth phase has therefore ended. In that respect, the incentive scheme has done its job. The pattern of steady growth that we are now seeing is mainly down to medium-sized and small registrars and companies, who typically implement DNSSEC when upgrading their DNS infrastructures.
Large companies in general, and bank and telecom companies in particular, are well known for being slow movers. They are also much bigger users of Infoblox appliances than other organisations. The Infoblox DNSSEC implementation is seriously outmoded, and that may be adding to corporates' reluctance to sign their domain names for the time being.
Looking at the broader picture, all the sectors that we believe have most to gain from DNSSEC have below-average rates of adoption (the average being 45 per cent). Adoption amongst banks — the registrant group with seemingly the greatest reason to secure their internet access portals and protect their customers — is worst of all. Banking is also the only surveyed segment to have made no progress at all in the last two years.
Across the surveyed sectors collectively, the percentage of domain names that are signed has risen sharply over the last two years. Within the segments that we believe have most to gain from using DNSSEC, the percentage has risen in line with the general trend.
However, like the previous survey, the new survey highlighted major differences between sectors. Generally speaking, small businesses (automatically) come out of the survey better than large corporations, because many of them leave everything relating to their websites to their service providers.
Obvious exceptions, in opposite ways, are government bodies and banks. Government bodies are now near the top of the rankings, with 52 per cent of their domain names signed. By contrast, banking is the only industry to have made no progress at all since the previous survey. Very few of the surveyed banks have secured their domain names with DNSSEC.
Adoption by the internet and telecom sector is also revealed as disappointing. While IAPs and ISPs are now in the middle of the rankings, mobile telecom service providers and the companies responsible for the data transmission backbone continue to perform very badly.
In our view, the low adoption levels in such key sectors are a cause for concern. With high street branches closing and the number of ATMs in decline, the internet is increasingly important as the banks' 'front door'. What's more, the banking industry is more threatened than any other by phishing, which DNSSEC can help protect against.
The poor DNSSEC status of the large companies responsible for parts of the nation's internet infrastructure and connections with the rest of the world is completely at odds with the positioning of the internet industry as the Netherlands' third main port, alongside Schiphol airport and Rotterdam sea port.