202010.20

The deployment of the DNSSEC protocol

by

Originally, the DNS ignored insidious security issues that might arise. This results in vulnerabilities, intrinsic to the DNS, which favor attacks of different types. It is legitimate to fear, in particular, the following types of attacks:

  • “Man in the Middle”;
  • cache poisoning; or
  • Distributed Denial of Service (DDoS).

As a result, domain name holders may experience traffic diversions, fraudulent domain name hijacking, or phishing. As for Internet users, they are also exposed to criminal interference because they run the risk of being redirected to fraudulent sites, often built to steal their data (passwords, e-mail addresses, bank identifiers, etc.). ), for example by distributing malware.

The current threat is such that, on February 15, 2019, the Internet Corporation for Assigned Names and Numbers (ICANN) urged all stakeholders (registries, registrars and others) to be extremely vigilant. ICANN is the sprawling international institution whose mission is to maintain the security, stability, and interoperability of the Internet. In other words, ICANN is the governing body of the DNS. At the top of the list of urgent security precautions, ICANN is urging registries and registrars to fully deploy the Domain Name System Security Extensions (DNSSEC) technology. As for the most concerned stakeholders, domain name owners, they are strongly advised to migrate to registrars of domain names that offer the DNSSEC protocol. For ICANN, these measures must be taken immediately.

The DNSSEC protocol, which has been standardized by the Internet Engineering Task Force (IETF), makes it possible to overcome, to a large extent but not 100%, the vulnerabilities of the DNS. The DNSSEC technology consists of a validation process (called “DNSSEC Signed”) at the root level (managed by ICANN), the top-level domain or TLD (managed by the registry) and the domain name (managed by the registrar). In the end, this process generates an authentication chain. The resulting chain of trust greatly improves data security and, correspondingly, significantly reduces the risk of malicious acts. A registry or registrar is said to be signed when it has been enhanced with the DNSSEC technology. Large-scale adoption of the DNSSEC protocol can significantly improve the robustness of the DNS.

However, the deployment of DNSSEC remains relatively low, despite the considerable and ongoing efforts of the ICANN Security and Stability Advisory Committee (SSAC), the Registry Internet Safety Group (RISG), the Computer Emergency Response Teams (CERTs) and the Internet Society Deploy360, as many bodies that promote it, including through awareness campaigns and training.

At the level of second level domains (SLD), everyone agrees that it is very difficult to obtain statistics that reliably establish the percentage of domain names signed with the DNSSEC protocol (see ISOC, State of DNSSEC Deployment 2016, Dec. 2016, p. 17). It must be remembered that not all registrars offer DNSSEC. To date, the SSAC recommends not to disclose the names of registrars that do not provide DNSSEC on a systematic basis. However, the SSAC does not exclude this possibility for the future:

We do not, at this time, recommending registrars’ names be published or not” (ICANN, Advisory on the ICANN Security and Stability Advisory Committee, SAC074, Nov. 3, 2015, Recommendation 1, p. 4).

In a key study published in 2017, a group of researchers led by Taejoong Chung came to the conclusion that “DNSSEC support [is] quite low among the most popular registrars” (T. Chung et al., 2017. Understanding the Role of Registrars in DNSSEC Deployment. In Proceedings of IMC ’17, London, United Kingdom, November 1–3, 2017, 14 pages, see para. Summary 5.3).

At IP Twins, security is our main concern.

To date, the 2013 Registrar Accreditation Agreement (“2013 RAA”) does not require registrars to systematically offer the DNSSEC protocol. At the very least, Article 3.20 requires registrars to notify ICANN of any security incidents. However, according to the annex entitled “Additional Registrar Operation Specification”, a Registrar must authorize its customers to use DNSSEC upon request.

At the TLD level, since 2012, ICANN has required all gTLD registries to incorporate the DNSSEC protocol. This requirement does not apply to gTLDs created prior to 2012, but apart from .AERO, there is no gTLD that is not secured by DNSSEC. In fact, it is the ccTLDs that are causing concern. Indeed, there are many ccTLDs registries that have not yet adopted the DNSSEC protocol. There are two main reasons for this delay: the complexity of the technology and its cost. According to ICANN, 1398 of the 1532 extensions are signed, with the result that 134 are not (nearly 50% of ccTDs), including the following ones:

TLDCountry or Territory
ALAlbania
.الجزائرAlgeria
AOAngola
BSBahamas
BHBahrain
BDBangladesh
  বাংলাBangladesh
BJBenin
BOBolivia
BABosnia and Herzegovina
BNBrunei
BFBurkina Faso
BIBurundi
KHCambodia
CMCameroon
CVCape Verde
CFCentral African Republic
TDChad
KMComoros
CGCongo
CICote d'Ivoire
CUCuba
CYCyprus
CDDemocratic Republic of the Congo
DJDjibouti
DMDominican Republic
ECEcuador
EGEgypt
SVEl Salvador
GQEquatorial Guinea
EREritrea
FJFiji
GAGabon
GMGambia
GEGeorgia
გეGeorgia
GHGhana
GTGuatemala
GGGuernsey
GYGuyana
HTHaiti
VAHoly See (vatican City State)
IRIran, Islamic Republic of
ایرانIran, Islamic Republic of
IQIraq
عراقIraq
IM Isle of Man
JMJamaica
JEJersey
JOJordan
الاردنJordan
KZKazakhstan
ҚАЗKazakhstan
KWKuwait
LSLesotho
LYLybia
澳門Macao
MOMacao
MKMacedonia
МКДMacedonia
MWMalawi
MVMaldives
MLMali
MTMalta
MHMarshall Islands
MRMauritania
موريتانياMauritania
MUMauritius
MCMonaco
المغربMorocco
MZMozambique
NPNepal
NINicaragua
NENiger
NGNigeria
KPNorth Korea
PKPakistan
PSPalestine, State of
فلسطينPalestine, State of
PAPanama
PGPapua New Guinea
PYParaguay
PHPhilippines
QAQatar
قطرQatar
MDRepublic of Moldova
RWRwanda
SMSan Marino
السعوديةSaudi Arabia
СРБSerbia
RS Serbia
SKSlovakia
SOSomalia
SDSudan
سودانSudan
SRSuriname
SZSwaziland
SYSyrian Arab Republic
سوريةSyrian Arab Republic
TKTajikistan
TGTogo
TRTurkey
УКРUkraine
AEUnited Arab Emirates
اماراتUnited Arab Emirates
UZUzbekistan
VEVenezuela, Bolivarian Republic Of
VIVirgin Islands
YEYemen
ZWZimbabwe

source: ICANN.ORG — http://stats.research.icann.org/dns/tld_report/

It is noted that unsigned extensions are, with the exception of a few, ccTLDs of states with limited resources. The lack of implementation of the DNSSEC technology would therefore mainly result from a lack of financial resources. Nevertheless, programs are in progress, as evidenced by the map of the Internet Society Deploy360 (which is updated periodically):

Source: ISOC Deploy360 — https://www.internetsociety.org/deploy360/dnssec/maps/

However, it should be added that many ISPs use Google’s Public DNS Service (PDNS). Since Google PDNS supports DNSSEC validation, users de facto have access to DNSSEC validation (see ISOC, State of DNSSEC Deployment 2016, Dec. 2016, p. 8). This is particularly the case in some African countries.

Finally, one would not be able to complete this series of statistics without referring to data from the Asia Pacific Network Information Center (APNIC) that takes into consideration “the relative number of Internet users in each country who have been observed performing DNSSEC validation when resolving domain names” (Geoff Huston, “Some Internet Measurements”, labs.apnic.net, 24 Jul. 2014). According to the results obtained by the APNIC, there are less than 20% DNSSEC validations.

Source: APNIC.NET — https://stats.labs.apnic.net/dnssec

There remains the question of incitement. On this point, a study has shown that financial mechanisms, accompanied by technical assistance, can encourage registrars to sign domain names (T. Chung et al., 2017. Understanding the Role of Registrars in DNSSEC Deployment. In Proceedings of IMC ’17, London, United Kingdom, November 1–3, 2017, 14 pages, see para. Summary 6.3). At the global level, financial incentive mechanisms should be implemented at all levels of Internet governance.

About IP Twins

IP Twins is an ICANN-accredited domain name registrar with 15 years of experience in domain name strategy and management. We represent trademark holders in UDRP proceedings.

We deliver security certificates tailored to your needs in order to ensure the safety of visitors to your website.

IP Twins also offers anti-counterfeiting and anti-cybersquatting monitoring services. Detective, our monitoring software, identifies online counterfeits and cybersquatting. We collect evidence and remove references to counterfeits from hundreds of marketplaces, social networks and the web in general.

Should you need to complete these investigations, our team based in China can help.

Do not hesitate to contact us at info@iptwins.com.