Majority of Dutch domains and internet users have DNSSEC security
DNSSEC usage now barely increasing, however
In the Netherlands, DNSSEC is already in widespread use. Nearly 60 per cent of all .nl domains are now DNSSEC-enabled. What's more, roughly 60 per cent of all queries received by the authoritative name servers for .nl are from validating resolvers around the world. And roughly 60 per cent of Dutch internet users are utilising validating resolvers.
However, the bad news is that DNSSEC usage has barely increased in the last couple of years. The proportion of domain names that are DNSSEC-enabled has increased by only 1 or 2 percentage points a year for the last four years. Moreover, although KPN switched on validation for its customers two years ago, VodafoneZiggo still doesn't support DNSSEC security technology. Globally, while many top-level domains do support DNSSEC, the number of DNSSEC-enabled domain names within most of those TLDs is negligible, due to the absence of incentivisation mechanisms.
This article describes the current status of DNSSEC signing and validation in the Netherlands and internationally.
When it comes to signing domain names, the Netherlands remains a world leader: by December 2022, nearly 60 per cent of all .nl domains were DNSSEC-enabled. Although the proportion of domain names that are DNSSEC-enabled continues to rise, it is now rising very slowly: 1 or 2 percentage points a year for the last four years.
SIDN promotes the adoption of DNSSEC by offering financial incentives to registrars as part of the Registrar Scorecard scheme (RSC). By giving registrars a rebate on the cost of DNSSEC-enabled domains, we are trying to help tip the balance in favour of investment in DNSSEC. The DNSSEC incentive is now being scaled back in anticipation of its ultimate replacement by a broader scheme. From this summer, at least a certain percentage of a registrar's .nl domain names have to be DNSSEC-enabled for the registrar to qualify for any RSC incentive, such as those offered for e-mail security, IPv6 support and active use.
As of December 2022, roughly 60 per cent of all queries received by the authoritative name servers for .nl were from validating resolvers. Query traffic to the servers comes from resolvers not only in the Netherlands, but all over the world. The main sources were resolvers operated by the big cloud service providers: Google, Microsoft, Amazon and Cloudflare. Consequently, the biggest share of the query traffic (more than 25 per cent) was attributable to resolvers in the US, with only 10 per cent coming from resolvers in the Netherlands.
When it comes to DNSSEC validation, the Netherlands lagged behind other countries for a long time. For Dutch internet users, the problem was that the two biggest access providers in the Netherlands, KPN and Ziggo, didn't support validation on their DNS servers. Although KPN finally enabled validation for KPN/Telfort customers in 2020, VodafoneZiggo still doesn't support validation. Consequently, roughly 60 per cent of Dutch internet users now utilise validating resolvers.
While the adoption of DNSSEC is now proceeding relatively well in the Netherlands, the global picture is much less rosy. Usage of DNSSEC within top-level domains (i.e. the signing of domain names) is particularly disappointing.
ICANN made DNSSEC support mandatory on 1 January 2014, meaning that at least all new gTLDs have since been required to support this security technology.
As of December 2022, DNSSEC (signing) is supported by more than 90 per cent of all ccTLDs. Turkey is a notable exception, however. As the following map shows, it is mainly ccTLDs in the Balkans, Africa, the Middle East and Central Asia that don't yet support DNSSEC.
Usage of DNSSEC within the TLDs varies enormously and is highly dependent on:

- Financial incentivisation by the registry
- Where ccTLDs are concerned: the number of major access providers active in the region and their policies
- Government policy on modern internet security standards in general and DNSSEC in particular
The graph below shows the development of DNSSEC in the European ccTLDs with the best adoption rates, as of August 2022. Like the Dutch .nl zone, the Czech (.cz), Norwegian (.no) and Swedish (.se) zones all have adoption rates exceeding 50 per cent, as does the .nu domain, which is popular in the region. Notable climbers include Switzerland (.ch) and Denmark (.dk).
For some years, SIDN has been a major contributor to development of the DNSSEC standard, as have the Swedish registry Internetstiftelsen and the Czech registry CZ.NIC. SIDN has also supported the development and deployment of DNS(SEC) software by various direct and indirect means: the widely used packages PowerDNS [1, 2], Unbound, NSD and OpenDNSSEC were all developed in the Netherlands, for example.
CZ.NIC has pursued similar policies with the development of Knot DNS, Knot Resolver and the DNSSEC/TLSA Validator (the last of which is no longer being updated).
Most importantly, however, the Swedish, Czech and Norwegian registries, like SIDN, operate financial incentive schemes; a similar scheme now also applies to the .nu zone, which is operated by the Swedish registry.
The influence that active registry involvement and incentivisation have on the adoption of DNSSEC is underscored by the extension's use – or lack of it – in the international gTLDs .com, .net, .org and .info: in all those zones and many others, DNSSEC is barely used at all.
Globally, roughly 30 per cent of internet users were using validating resolvers in December 2022. However, after being stalled by COVID, adoption has increased by 5 percentage points over the last year.
In Europe, use of DNSSEC validation is now above 40 per cent, and adoption has accelerated over the last year.
With an adoption level of roughly 60 per cent, the Netherlands is now finally on a par with neighbouring countries where DNSSEC validation is concerned. The Scandinavian countries are doing considerably better, while the South European nations and GB/IE are a good way behind us.
| Country code | Users on validating resolvers (%) |
|---|---|
| FI | 95 |
| CZ | 89 |
| DK | 89 |
| SE | 88 |
| NO | 87 |
| LU | 81 |
| CH | 69 |
| DE | 67 |
| NL | 59 |
| BE | 49 |
| PL | 48 |
| IE | 42 |
| PT | 39 |
| FR | 34 |
| IT | 25 |
| ES | 18 |
| GB | 10 |
Although the original DNS is not insecure as such, it is vulnerable. DNS is one of the oldest internet protocols still in use, yet the technology to secure it was developed relatively recently.
For a long time, there was little incentive for security, because attack methods [1] were not easy to execute and/or relatively easy to counter, and in practice rarely happened. However, after a prolonged period of relative calm on the DNS front, new attack methods have been published in recent years [1, 2].
The best defence against such 'cache poisoning' attacks is DNSSEC. However, the effectiveness of DNSSEC does depend on universal adoption.
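The two sides of the picture above, whether a zone is signed and whether the resolver a user sits behind actually validates, can be told apart from the output of a single `dig +dnssec` query: a validating resolver sets the AD flag for a correctly signed answer and returns SERVFAIL for a bogus one, while a non-validating resolver hands back the RRSIGs without AD. The following script is an added example, not code from the SIDN article; it parses constructed dig transcripts (the zone `example.nl` and the 192.0.2.0/24 addresses are placeholders) so it runs offline, and the same parser can be fed the real output of `dig +dnssec <name>` against your own resolver.

```python
"""Classify a resolver's DNSSEC behaviour from `dig +dnssec` text output.

Added example (not from the SIDN article). For a signed zone a validating
resolver sets the AD flag; a non-validating resolver returns the RRSIGs but
no AD; bogus signatures yield SERVFAIL from a validating resolver only.
"""
import re
from dataclasses import dataclass

# --- Constructed sample outputs (trimmed dig transcripts, not real captures).
# The zone example.nl and the 192.0.2.0/24 addresses are placeholders.
SIGNED_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232

;; ANSWER SECTION:
example.nl.             3600    IN      A       192.0.2.10
example.nl.             3600    IN      RRSIG   A 13 2 3600 20990101000000 20200101000000 12345 example.nl. c29tZS1iYXNlNjQ=
"""

# Same signed answer, but the resolver did not validate: no AD flag.
SIGNED_NOT_VALIDATED = SIGNED_VALIDATED.replace("qr rd ra ad;", "qr rd ra;")

UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232

;; ANSWER SECTION:
unsigned.example.nl.    3600    IN      A       192.0.2.20
"""

# What a validating resolver returns for a zone whose signatures do not verify.
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- .*?status: (\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags:([a-z ]*);", re.M)


@dataclass(frozen=True)
class DnssecObservation:
    rcode: str        # NOERROR, SERVFAIL, ...
    ad_flag: bool     # resolver asserts it validated the answer
    do_flag: bool     # the query asked for DNSSEC records (dig +dnssec)
    rrsig_count: int  # RRSIG records seen in the answer section

    @property
    def verdict(self) -> str:
        if self.rcode == "SERVFAIL":
            # A validating resolver returns SERVFAIL for bogus data, but so
            # does an outage; re-query with `dig +cd` to tell the two apart.
            return "servfail"
        if not self.do_flag:
            return "no-do-bit"          # rerun with dig +dnssec
        if self.rrsig_count == 0:
            return "unsigned"           # no protection, whatever the resolver
        return "validated" if self.ad_flag else "signed-not-validated"


def parse_dig(output: str) -> DnssecObservation:
    """Extract rcode, header flags, EDNS flags and RRSIG count from dig text."""
    m = HEADER_RE.search(output)
    rcode = m.group(1) if m else "UNKNOWN"
    m = FLAGS_RE.search(output)
    flags = set(m.group(1).split()) if m else set()
    m = EDNS_RE.search(output)
    edns_flags = set(m.group(1).split()) if m else set()

    rrsigs, in_answer = 0, False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                in_answer = False
                continue
            fields = line.split()          # owner TTL class type rdata...
            if len(fields) >= 4 and fields[3] == "RRSIG":
                rrsigs += 1
    return DnssecObservation(rcode, "ad" in flags, "do" in edns_flags, rrsigs)


if __name__ == "__main__":
    for name, text in [("signed, validating resolver", SIGNED_VALIDATED),
                       ("signed, non-validating resolver", SIGNED_NOT_VALIDATED),
                       ("unsigned zone", UNSIGNED),
                       ("bogus zone, validating resolver", BOGUS)]:
        print(f"{name:32} -> {parse_dig(text).verdict}")
```

The "signed-not-validated" verdict is the case the article's VodafoneZiggo figures describe: the zone owner has done their part, but the resolver in front of the user discards the protection. The "no-do-bit" branch guards against a false "unsigned" reading when dig was run without `+dnssec`, since resolvers only include RRSIGs when the query sets the DO bit.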