SIDN sounds the alarm on DNSSEC security status of Dutch domain names

DNSSEC involves the cryptographic protection of domain name information. It makes the internet's 'signpost system' more secure and more reliable. If a domain name is secured with DNSSEC, people who want to visit the associated website are protected against being misdirected to a fraudster's IP address. Without DNSSEC, there's a risk that, despite entering the right domain name, people will end up on a fake site set up to trick them. DNSSEC also forms the basis for new applications, such as systems for making e-mail safer and easily sharing cryptographic keys for securing internet communications.

Elections 2017

With elections to the lower house of the Dutch parliament coming up on 15 March 2017, SIDN decided to include the domain names of political parties, information sites and research bureaus in its inventory. More than half (54 per cent) of the seventy-four domains covered by the inventory had DNSSEC security flaws.

Big improvement by government

A previous inventory in 2014 found that financial service providers, listed companies, government organisations and internet service providers were lagging a long way behind other sectors. Since then, the number of signed domain names in all the underperforming sectors has risen, but most remain disappointing compared with the pace-setters. Government organisations form an exception, however: they are doing much better than three years ago. Back then, just 11 per cent of government websites were secured. Now the figure stands at 59 per cent, putting the government third in the sector league table.“Banken zouden de belangrijkste gebruikers moeten zijn van DNSSEC-beveiliging, maar zij scoren voor de tweede keer op rij het slechtst van alle onderzochte domeinnamen. Met het sluiten van de fysieke bankkantoren en het verminderen van het aantal pinautomaten wordt de online voordeur van de banken steeds belangrijker. Bovendien hebben zij van alle bedrijven het meeste last van phishing en spoofing, iets waar DNSSEC in combinatie met DKIM en DMARC bescherming tegen kan bieden”, aldus Roelof Meijer, algemeen directeur SIDN.

DNSSEC status better

Over the last two years, various new safety applications have been rolled out, which piggy-back on the DNSSEC infrastructure. As a result, DNSSEC has gone from being a technology-driven expense to being an enabler for key security applications designed to tackle phishing, spamming, spoofing and other e-mail abuses.

In addition, the obstacles in the way of secure domain name transfers have recently been resolved. SIDN has developed a method that enables registrars all over the world to transfer domain names securely, by following a uniform procedure based on EPP (the Extensible Provisioning Protocol). Last week, the new method was formally adopted as a global standard by the Internet Engineering Task Force (IETF).

"Against that backdrop, it's hard to think of any good reason for not implementing DNSSEC protection," continues Meijer. "We believe that it's now up to the big internet service providers to act. It's really important that they get behind DNSSEC, because the protocol is only effective if ISPs commit to validating domain names' digital signatures. Late last year, XS4ALL took the plunge and became the first national internet service provider to enable DNSSEC validation."

For the DNSSEC Inventory 2017, SIDN analysed more than seven thousand domain names in four general sectors: financial services, the public sector, internet and telecom service providers, and listed companies. The analysis made use of the DNSSEC Portfolio Checker developed by SIDN labs.

Downloads