New incentives for security standards DNSSEC and DANE
A DNSSEC/DANE medley
Adoption of DNSSEC could do with a helping hand. Although the Netherlands leads the world in terms of the proportion of .nl domain names signed, the Dutch don't do nearly as well where validation is concerned. However, the new incentive scheme for DANE is expected to give DNSSEC a boost.
CDN provider Cloudflare recently published a blog explaining in accessible language how DNS cache poisoning works. The attack involves getting a caching resolver to retain a falsified domain-name/IP-address combination in its memory instead of the real one. When an internet user tries to reach the domain in question, the resolver then directs them to the false address, where they might find themselves looking at a replica of their bank's website, for example.
Secure domain names
DNS spoofing is hard to pull off – certainly a classic Kaminsky attack of the kind described above. However, in view of the growing incidence and the serious implications of an attack, protection is vital to the maintenance of internet security. The answer to the problem is of course DNSSEC, where digital signatures are attached to 'true' DNS records so that resolvers know which data to trust. For a technical explanation of DNSSEC, take a look at the EURid webinar on the topic.
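To make the cache poisoning described above and the role of DNSSEC signatures concrete, here is an added example in Go, written for this article and not code from SIDN, Cloudflare or EURid. It models a resolver cache that keeps the first answer it receives until the TTL expires (the window a poisoning attempt targets), once without validation and once with it. The single ed25519 key, the record layout and the addresses are constructed stand-ins; a real validator follows the DNSKEY/DS chain from the root and checks RRSIGs in RFC 4034 canonical form.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Record is a simplified A record. In DNSSEC an RRSIG covers a whole RRset and the
// signing key is validated through the DNSKEY/DS chain; this toy model (constructed
// for illustration) uses one ed25519 key as the resolver's trust anchor.
type Record struct {
	Name string
	Type string
	TTL  uint32
	Data string
}

// SignedRecord carries the record together with a signature over it.
type SignedRecord struct {
	Record
	Sig []byte
}

// canonical returns the bytes the signature covers (a constructed layout, not RFC 4034 form).
func canonical(r Record) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", strings.ToLower(r.Name), r.Type, r.TTL, r.Data))
}

// Sign is what the authoritative side does once, when the zone is signed.
func Sign(priv ed25519.PrivateKey, r Record) SignedRecord {
	return SignedRecord{Record: r, Sig: ed25519.Sign(priv, canonical(r))}
}

// Cache models a resolver cache: the first answer for a name/type is kept until expiry.
// With validate set, an answer is only stored if its signature verifies under the anchor.
type Cache struct {
	anchor   ed25519.PublicKey
	validate bool
	entries  map[string]Record
}

func NewCache(anchor ed25519.PublicKey, validate bool) *Cache {
	return &Cache{anchor: anchor, validate: validate, entries: map[string]Record{}}
}

func cacheKey(name, typ string) string { return strings.ToLower(name) + "/" + typ }

// Accept reports whether the answer was stored.
func (c *Cache) Accept(sr SignedRecord) bool {
	if c.validate && !ed25519.Verify(c.anchor, canonical(sr.Record), sr.Sig) {
		return false // bogus: signature missing or made with a key the resolver does not trust
	}
	k := cacheKey(sr.Name, sr.Type)
	if _, cached := c.entries[k]; cached {
		return false // an answer is already cached; it is not overwritten before expiry
	}
	c.entries[k] = sr.Record
	return true
}

// Lookup returns the cached data for a name/type, if any.
func (c *Cache) Lookup(name, typ string) (string, bool) {
	r, ok := c.entries[cacheKey(name, typ)]
	return r.Data, ok
}

// RunScenario replays the race in which a forged answer reaches the cache before the
// genuine one. It returns what the resolver would serve and whether the forgery got in.
func RunScenario(validate bool) (served string, forgedAccepted bool) {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the resolver does not trust

	// Constructed records using RFC 5737 documentation addresses.
	genuine := Sign(zonePriv, Record{"www.example.nl", "A", 3600, "192.0.2.10"})
	forged := Sign(otherPriv, Record{"www.example.nl", "A", 3600, "198.51.100.66"})

	c := NewCache(zonePub, validate)
	forgedAccepted = c.Accept(forged)
	c.Accept(genuine)
	served, _ = c.Lookup("www.example.nl", "A")
	return served, forgedAccepted
}

func main() {
	for _, v := range []bool{false, true} {
		served, poisoned := RunScenario(v)
		fmt.Printf("validate=%-5v served=%-14s poisoned=%v\n", v, served, poisoned)
	}
}
```

Without validation the cache serves the forged address for the rest of the TTL; with validation the forged answer never enters the cache, which is the property that signing alone (without validating resolvers) does not deliver.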
Although Cloudflare is correct to say that DNSSEC isn't yet in general use, the Netherlands leads the world in terms of DNSSEC signing. Currently, 3.2 million (54 per cent) of the 5.9 million .nl domain names are signed.
According to Paul Vixie, co-developer of DNS and DNSSEC, there's an increasingly urgent need for widespread DNSSEC implementation. "A lot of people [in the industry] are resisting turning it on because it means more work for them." Earlier this year, ICANN issued a renewed appeal for full implementation of DNSSEC on all domains. Their plea was prompted by a DNSpionage incident [1, 2], where the DNS infrastructures of dozens of public and private entities in the Middle East were compromised.
In recent years, the adoption of DNSSEC in the .nl zone has been strongly promoted by offering registrars a discount on signed domain names. Details of the discount scheme and SIDN's other incentive schemes for registrars are given in section 7 of our earlier IPv6 inventory. When it comes to the validation of DNSSEC, however, a lot remains to be done in the Netherlands. According to the latest APNIC statistics, the country's validation rate of 22 per cent is significantly below the European average of 25 per cent.
Incentive scheme for DANE
This month, we launched an incentive scheme to promote DANE for mail in the .nl zone. Although the scheme doesn't directly address validation but focuses on the assurance (server) side, we expect it to give a fresh boost to DNSSEC generally, since DNSSEC is a mandatory feature of the DANE standard. That belief is backed up by Postfix developer Patrick Ben Koetter's observation that DNSSEC validation in Germany has been increasing rapidly since the start of a campaign to promote DANE validation in the spring.
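The following added example in Go (written for this article, not code from SIDN or the Postfix project) shows what DANE for mail amounts to on both sides and why DNSSEC is mandatory for it: the server side publishes a TLSA record derived from its certificate's public key, and a sending MTA only acts on that record if the DNS answer was DNSSEC-authenticated. The certificate and the host name mail.example.nl are constructed for the demo; the decision logic is a simplified form of the RFC 7672 rules.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the four fields of a TLSA record (RFC 6698). For SMTP, RFC 7672 recommends
// usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256),
// the only combination this example handles.
type TLSA struct {
	Usage, Selector, Matching uint8
	Assoc                     []byte
}

// String renders the record in zone-file presentation form.
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.Matching, hex.EncodeToString(t.Assoc))
}

// TLSAForCert derives the "3 1 1" record to publish for a mail server certificate.
func TLSAForCert(cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 3, Selector: 1, Matching: 1, Assoc: sum[:]}
}

// Matches checks the certificate presented in the TLS handshake against the record.
func (t TLSA) Matches(cert *x509.Certificate) bool {
	if t.Usage != 3 || t.Selector != 1 || t.Matching != 1 {
		return false // other parameter combinations are out of scope here
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return subtle.ConstantTimeCompare(sum[:], t.Assoc) == 1
}

// TLSAAnswer is what a validating resolver hands back: the records plus whether the
// answer was DNSSEC-authenticated (the AD bit). Unsigned TLSA data could be forged just
// like an A record, so it must be ignored; this is why DANE requires DNSSEC.
type TLSAAnswer struct {
	Records       []TLSA
	Authenticated bool
}

// Decide applies the sending-MTA logic of RFC 7672 in simplified form.
func Decide(ans TLSAAnswer, presented *x509.Certificate) string {
	if !ans.Authenticated || len(ans.Records) == 0 {
		return "opportunistic-tls" // no usable DANE data: fall back to unauthenticated TLS
	}
	for _, r := range ans.Records {
		if r.Matches(presented) {
			return "dane-verified"
		}
	}
	return "reject" // signed TLSA data exists but the server's key does not match
}

// selfSignedCert builds a throwaway certificate for the demo (constructed, not a real server's).
func selfSignedCert(name string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	mail := selfSignedCert("mail.example.nl")
	rec := TLSAForCert(mail)
	fmt.Println("_25._tcp.mail.example.nl. IN TLSA", rec)
	fmt.Println("signed answer, matching key:", Decide(TLSAAnswer{[]TLSA{rec}, true}, mail))
	fmt.Println("unsigned answer:            ", Decide(TLSAAnswer{[]TLSA{rec}, false}, mail))
	fmt.Println("signed answer, other key:   ", Decide(TLSAAnswer{[]TLSA{rec}, true}, selfSignedCert("mail.example.nl")))
}
```

The three outcomes in main are the ones an operator should expect to see when testing a deployment: a signed record that matches the live certificate authenticates the server, an unsigned record is simply ignored, and a signed record that no longer matches (for instance after a certificate rotation without updating the TLSA record) causes delivery to be refused, which is the usual cause of DANE-related mail outages.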
Support from service providers
Published recently by the Forum for Standardisation, the results of the latest six-monthly Information Security Standards Survey show that, when it comes to implementing internet security standards, public bodies are dependent on large service providers. And, unfortunately, a lot of those providers don't yet support the standards. Microsoft customers, for example, have been calling for DNSSEC and DANE support to be added to the Azure and Office 365 [1, 2] cloud services for years. However, Microsoft has no plans to implement DNSSEC in the short term, meaning that administrators have the choice of doing without or looking elsewhere. Cloudflare and Google [1, 2] do support DNSSEC.