New incentives for security standards DNSSEC and DANE

Adoption of DNSSEC could do with a helping hand. Although the Netherlands leads the world in terms of the proportion of .nl domain names signed, the Dutch don't do nearly as well where validation is concerned. However, the new incentive scheme for DANE is expected to give DNSSEC a boost.

CDN provider Cloudflare recently published a blog post explaining in accessible language how DNS cache poisoning works. The hack involves getting a caching resolver to retain a falsified domain name-IP address combination in its memory instead of the real combination. When an internet user tries to reach the domain in question, the resolver then directs them to the false address, where they might find themselves looking at a replica of their bank's website, for example.

Secure domain names

DNS spoofing is hard to pull off – certainly a classic Kaminsky attack of the kind described above. However, in view of the growing incidence and the serious implications of an attack, protection is vital to the maintenance of internet security. The answer to the problem is of course DNSSEC, where digital signatures are attached to 'true' DNS records so that resolvers know which data to trust. For a technical explanation of DNSSEC, take a look at the EURid webinar on the topic.
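How a client can tell whether its resolver actually validated an answer, as an added example that is not from the original article: the query requests DNSSEC processing (AD and EDNS0 DO bits) and the response header's AD flag and RCODE are classified. The function names, the name example.nl and the response messages are constructed for illustration.

```python
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020  # DNS header flag bits

def build_query(name, qtype=1, txid=0x1A2B):
    """DNS query (wire format) asking for DNSSEC processing: AD=1 plus EDNS0 DO=1."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE (1 = A), QCLASS IN
    # OPT pseudo-record: root name, TYPE 41, UDP size 1232, TTL field carries DO
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify_response(msg, txid):
    """Classify a resolver response by its header only.

    'validated'   : AD set, the resolver checked the signatures
    'unvalidated' : answer returned without the AD flag
    'servfail'    : what a validating resolver returns for bogus data
                    (SERVFAIL can also have unrelated causes)
    The AD flag is only meaningful when the path to the resolver is trusted.
    """
    if len(msg) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", msg[:4])
    if rid != txid or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"
    if rcode in (0, 3) and flags & AD:
        return "validated"
    return "unvalidated"

def constructed_response(query, flags):
    """Constructed sample: reuse the query bytes with a response flags word."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("example.nl")  # placeholder domain name
    samples = [("validating resolver", QR | RD | RA | AD),
               ("non-validating resolver", QR | RD | RA),
               ("bogus signature", QR | RD | RA | 2)]
    for label, flags in samples:
        print(label, "->", classify_response(constructed_response(q, flags), 0x1A2B))
```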

Adoption

Although Cloudflare is correct to say that DNSSEC isn't yet in general use, the Netherlands leads the world in terms of DNSSEC signing. Currently, 3.2 million (54 per cent) of the 5.9 million .nl domain names are signed.

[Figure: SIDN Labs, DNSSEC-signed .nl domain names, 11 July 2019]

According to Paul Vixie, co-developer of DNS and DNSSEC, there's an increasingly urgent need for widespread DNSSEC implementation. "A lot of people [in the industry] are resisting turning it on because it means more work for them." Earlier this year, ICANN issued a renewed appeal for full implementation of DNSSEC on all domains. Their plea was prompted by a DNSpionage incident [1, 2], where the DNS infrastructures of dozens of public and private entities in the Middle East were compromised.

DNSSEC validation

In recent years, the adoption of DNSSEC in the .nl zone has been strongly promoted by offering registrars a discount on signed domain names. Details of the discount scheme and SIDN's other incentive schemes for registrars are given in section 7 of our earlier IPv6 inventory. When it comes to the validation of DNSSEC, however, a lot remains to be done in the Netherlands. According to the latest APNIC statistics, the country's validation rate of 22 per cent is significantly below the European average of 25 per cent.

[Figure: APNIC, DNSSEC validation in the Netherlands, 10 July 2019]
[Figure: APNIC, DNSSEC validation in Europe and the Netherlands, 10 July 2019]

Incentive scheme for DANE

This month, we launched an incentive scheme to promote DANE for mail in the .nl zone. Although the scheme doesn't directly address validation, focusing instead on the assurance (server) side, we expect it to give a fresh boost to DNSSEC generally, since DNSSEC is a mandatory feature of the DANE standard. That belief is backed up by Postfix developer Patrick Ben Koetter's observation that DNSSEC validation in Germany has been increasing rapidly since the start of a campaign to promote DANE validation in the spring.

[Figure: APNIC, DNSSEC validation in Germany, 10 July 2019]

Support from service providers

Published recently by Forum for Standardisation, the results of the latest six-monthly Information Security Standards Survey show that, when it comes to implementing internet security standards, public bodies are dependent on large service providers. And, unfortunately, a lot of those providers don't yet support the standards. Microsoft customers, for example, have been calling for DNSSEC and DANE support to be added to the Azure and Office 365 [1, 2] cloud services for years. However, Microsoft has no plans to implement DNSSEC in the short term, meaning that moderators have the choice of doing without or looking elsewhere. Cloudflare and Google [1, 2] do support DNSSEC.
