Joining the DNSSEC Day in Germany

Published on June 30, 2015 09:05 UTC by GovCERT.ch (permalink)
Last updated on June 30, 2015 09:47 UTC

Today, our colleagues at the German Bundesamt für Sicherheit in der Informationstechnik (BSI) and the registry for ccTLD .de (DENIC) are hosting a DNSSEC day in Germany. The focus of the event are the benefits and use cases of DNSSEC for internet users and system administrators. We at GovCERT.ch would like to join our colleagues efforts in Germany and publish a blog post on the current situation of DNSSEC in the Swiss name space .ch. But before we start looking into the current situation within ccTLD .ch when it comes to DNSSEC, we want to make a short introduction to DNSSEC for those who are not familiar with the technology.

DNSSEC stands for Domain Name System Security Extensions and has been introduced in 1999 (RFC2535, which has been updated in 2005 - see RFC4034). The goal of DNSSEC is to implement authenticity and integrity in the DNS by taking advantage of digitally signing DNS records using public-key cryptography. If a domain owner (registrant) decides to implement DNSSEC for his domain name, he publishes a DNSKEY in the DNS and provides a Delegation Signer (DS) to his domain registrar. The DNSKEY is then being authenticated by a chain of trust using Delegation Signer Resource Records (DS records). Since the DNS is hierarchic, the whole chain must be authenticated and signed using DNSSEC.

So, what are the benefits of using DNSSEC? DNSSEC helps you to prevent man-in-the-middle attacks on the DNS layer and DNS cache poisoning. Besides that, DNSSEC also provides a secure ground that allows you making usage of further security mechanisms that rely on DNSSEC, such as DNS-based Authentication of Named Entities (DANE).

That all sounds nice, so we at GovCERT.ch decided to make a short survey on the current usage of DNSSEC within the Swiss name space (ccTLD .ch), checking 1'104'553 unique domain names registered within ccTLD .ch for DNSSEC support.

GovCERT.ch DNSSEC survey results (ccTLD .ch)
GovCERT.ch DNSSEC survey results (ccTLD .ch)

The chart above shows a statistical breakdown of the DNS responses. About 93% of all domain names we have queried are currently active (NOERROR), while only 0.30% domain names are signed with DNSSEC and have a valid DNSSEC signature. Another 5% of all queried domain names are currently not resolving (NXDOMAIN), while another 1.54% have some major DNS problems or an invalid DNSSEC signature. What surprised us in our survey is the fact that even many of the big and well-known websites in Switzerland are not supporting DNSSEC.

DNSSEC is a great way to make DNS more secure, so why are only a very few domain owners using this technology?

One of the main problem is the fact that, to have DNSSEC working, the whole DNS chain needs to support DNSSEC. This starts with the root zone, going down to the registry (ccTLD .ch), registrar and the DNS service provider, that needs to interact with the registrar's systems every time a DNS key is modified (added/changed/removed). While the root zone and ccTLD .ch have been supporting DNSSEC for many years, many Swiss registrars and DNS service provider are (still) not supporting DNSSEC yet, partly due to the complexity needed to run it properly, and partly due to a certain lack of standardization in communication protocols.

As long as we expect domain owners to run DNSSEC on their domains on their own, it's hardly going to get traction: you need quite a bit of knowledge about DNS to get DNSSEC working. For a webmaster that runs a website just in spare time, it might be too much effort or there is simply lack of knowledge. In order to have DNSSEC working, you need to change your DNSKEY / DS record at least once per year. This is another barrier for many webmasters. If you do it once and forget to update your DNSKEY / DS record, DNS resolvers that are using DNSSEC will no longer resolve your domain name and your website and mail server will not work anymore from certain places.

So, what's the solution? We at GovCERT.ch would like to encourage registrars and DNS service providers in Switzerland to implement DNSSEC in the medium term. In order to make the use of DNSSEC for people with no IT knowledge usable, its complexity should be hidden to them: the DNS providers' systems should take care of details like key generation, key rotation, DS record upload and so on. Let the users do just what they do now: manage entries inside their domains without knowledge of the complex parts involved.

Registrars and DNS service providers won't make more money whether they offer DNSSEC to their customers or not. But providers that are doing so are contributing an important part to the health of the Swiss cyberspace and making the internet in Switzerland more secure.

If you are a domain owner and you would like to figure out if your registrar supports DNSSEC, you may want to look at the following website:

More information about DNSSEC can be found here:

Back to top