The deployment of the DNSSEC protocol
The DNS was originally designed without regard for the security threats that would later arise, leaving it with intrinsic vulnerabilities that enable several types of attack. In particular, the following are legitimate concerns:
- “Man in the Middle”;
- cache poisoning; or
- Distributed Denial of Service (DDoS).
As a result, domain name holders may suffer traffic diversion, fraudulent domain name hijacking, or phishing. Internet users are exposed too: they run the risk of being redirected to fraudulent sites, often built to steal their data (passwords, e-mail addresses, bank identifiers, etc.), for example by distributing malware.
The current threat is such that, on February 15, 2019, the Internet Corporation for Assigned Names and Numbers (ICANN) urged all stakeholders (registries, registrars and others) to be extremely vigilant. ICANN is the sprawling international institution whose mission is to maintain the security, stability, and interoperability of the Internet; in other words, ICANN is the governing body of the DNS. At the top of its list of urgent security precautions, ICANN urges registries and registrars to fully deploy the Domain Name System Security Extensions (DNSSEC) technology. Domain name holders, the stakeholders most directly concerned, are strongly advised to migrate to registrars that offer the DNSSEC protocol. For ICANN, these measures must be taken immediately.
The DNSSEC protocol, standardized by the Internet Engineering Task Force (IETF), makes it possible to overcome the vulnerabilities of the DNS to a large extent, though not 100%. The DNSSEC technology consists of signing each level of the name hierarchy (a zone that has completed the process is marked “DNSSEC Signed”): the root (managed by ICANN), the top-level domain or TLD (managed by the registry) and the domain name (managed by the registrar). Each level vouches for the next, so the process generates an authentication chain. The resulting chain of trust greatly improves data security and, correspondingly, significantly reduces the risk of malicious acts. A registry or registrar is said to be signed when it has been enhanced with the DNSSEC technology. Large-scale adoption of the DNSSEC protocol can significantly improve the robustness of the DNS.
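The chain of trust described above, as an added illustration written for this page (not code from the original article or from ICANN): each zone's key-signing DNSKEY must match the DS record its parent publishes, following RFC 4034 for the DNSKEY wire format, key tag and DS digest. The zone names, key bytes and the scenario in which a registry never publishes a domain's DS are constructed placeholders, not real DNS data.

```python
import hashlib
import struct
def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, terminated by the root label 0x00."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.lower().split(".") if lab) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY (RFC 4034 Appendix B, for algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest (RFC 4034 section 5.1.4) = hash(canonical owner name || DNSKEY RDATA); type 2 = SHA-256, 1 = SHA-1."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return h(name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS record a parent zone publishes for a child's key-signing key: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def validate_chain(trust_anchor: tuple, levels: list) -> tuple:
    """levels = (zone, its KSK RDATA, DS it publishes for the next level or None), root first; returns (ok, failing zone)."""
    expected_ds = trust_anchor
    for zone, rdata, child_ds in levels:
        # The child's key is authenticated only if key tag, algorithm, digest type and digest all match the parent's DS.
        if expected_ds is None or make_ds(zone, rdata, expected_ds[2]) != expected_ds:
            return False, zone  # chain of trust broken (or never established) at this zone
        expected_ds = child_ds
    return True, None

# Constructed sample material, NOT real keys: flags 257 = KSK, protocol 3, algorithm 13 = ECDSAP256SHA256.
ROOT_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
TLD_KEY = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
SLD_KEY = dnskey_rdata(257, 3, 13, bytes(range(2, 66)))
ROOT_ANCHOR = make_ds(".", ROOT_KEY)  # the trust anchor a validating resolver is configured with
CHAIN = [
    (".", ROOT_KEY, make_ds("example.", TLD_KEY)),                # root zone (ICANN) publishes the TLD's DS
    ("example.", TLD_KEY, make_ds("domain.example.", SLD_KEY)),  # TLD registry publishes the domain's DS
    ("domain.example.", SLD_KEY, None),                          # the domain's own key-signing key
]
# The domain's DS was never published by the registry: the chain ends at the TLD and the domain is unauthenticated.
UNSIGNED_SLD = [CHAIN[0], ("example.", TLD_KEY, None), CHAIN[2]]
# A substituted key at the domain level does not match the DS the registry actually holds.
FORGED_SLD = [CHAIN[0], CHAIN[1], ("domain.example.", dnskey_rdata(257, 3, 13, bytes(range(3, 67))), None)]
```

Only the DS-to-DNSKEY links are checked here; a real validating resolver additionally verifies the RRSIG signatures over each record set with those keys, and DNSSEC authenticates DNS data without encrypting it or mitigating DDoS.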
However, the deployment of DNSSEC remains relatively low, despite the considerable and ongoing efforts of the ICANN Security and Stability Advisory Committee (SSAC), the Registry Internet Safety Group (RISG), the Computer Emergency Response Teams (CERTs) and the Internet Society Deploy360, all of which promote it, including through awareness campaigns and training.
At the level of second-level domains (SLDs), everyone agrees that it is very difficult to obtain statistics that reliably establish the percentage of domain names signed with the DNSSEC protocol (see ISOC, State of DNSSEC Deployment 2016, Dec. 2016, p. 17). It must be remembered that not all registrars offer DNSSEC. To date, the SSAC does not recommend systematically disclosing the names of registrars that do not provide DNSSEC. However, the SSAC does not exclude this possibility for the future:
“We do not, at this time, recommending registrars’ names be published or not” (ICANN, Advisory on the ICANN Security and Stability Advisory Committee, SAC074, Nov. 3, 2015, Recommendation 1, p. 4).
In a key study published in 2017, a group of researchers led by Taejoong Chung came to the conclusion that “DNSSEC support [is] quite low among the most popular registrars” (T. Chung et al., 2017. Understanding the Role of Registrars in DNSSEC Deployment. In Proceedings of IMC ’17, London, United Kingdom, November 1–3, 2017, 14 pages, see para. Summary 5.3).
At IP Twins, security is our main concern.
To date, the 2013 Registrar Accreditation Agreement (“2013 RAA”) does not require registrars to systematically offer the DNSSEC protocol. At the very least, Article 3.20 requires registrars to notify ICANN of any security incidents. However, according to the annex entitled “Additional Registrar Operation Specification”, a Registrar must authorize its customers to use DNSSEC upon request.
At the TLD level, since 2012, ICANN has required all gTLD registries to incorporate the DNSSEC protocol. This requirement does not apply to gTLDs created prior to 2012, but apart from .AERO there is no gTLD that is not secured by DNSSEC. In fact, it is the ccTLDs that are causing concern: many ccTLD registries have not yet adopted the DNSSEC protocol. There are two main reasons for this delay: the complexity of the technology and its cost. According to ICANN, 1398 of the 1532 extensions are signed, with the result that 134 are not (nearly 50% of ccTLDs), including the following ones:
| TLD | Country or Territory |
|---|---|
| AL | Albania |
| الجزائر | Algeria |
| AO | Angola |
| BS | Bahamas |
| BH | Bahrain |
| BD | Bangladesh |
| বাংলা | Bangladesh |
| BJ | Benin |
| BO | Bolivia |
| BA | Bosnia and Herzegovina |
| BN | Brunei |
| BF | Burkina Faso |
| BI | Burundi |
| KH | Cambodia |
| CM | Cameroon |
| CV | Cape Verde |
| CF | Central African Republic |
| TD | Chad |
| KM | Comoros |
| CG | Congo |
| CI | Cote d'Ivoire |
| CU | Cuba |
| CY | Cyprus |
| CD | Democratic Republic of the Congo |
| DJ | Djibouti |
| DM | Dominican Republic |
| EC | Ecuador |
| EG | Egypt |
| SV | El Salvador |
| GQ | Equatorial Guinea |
| ER | Eritrea |
| FJ | Fiji |
| GA | Gabon |
| GM | Gambia |
| GE | Georgia |
| გე | Georgia |
| GH | Ghana |
| GT | Guatemala |
| GG | Guernsey |
| GY | Guyana |
| HT | Haiti |
| VA | Holy See (Vatican City State) |
| IR | Iran, Islamic Republic of |
| ایران | Iran, Islamic Republic of |
| IQ | Iraq |
| عراق | Iraq |
| IM | Isle of Man |
| JM | Jamaica |
| JE | Jersey |
| JO | Jordan |
| الاردن | Jordan |
| KZ | Kazakhstan |
| ҚАЗ | Kazakhstan |
| KW | Kuwait |
| LS | Lesotho |
| LY | Libya |
| 澳門 | Macao |
| MO | Macao |
| MK | Macedonia |
| МКД | Macedonia |
| MW | Malawi |
| MV | Maldives |
| ML | Mali |
| MT | Malta |
| MH | Marshall Islands |
| MR | Mauritania |
| موريتانيا | Mauritania |
| MU | Mauritius |
| MC | Monaco |
| المغرب | Morocco |
| MZ | Mozambique |
| NP | Nepal |
| NI | Nicaragua |
| NE | Niger |
| NG | Nigeria |
| KP | North Korea |
| PK | Pakistan |
| PS | Palestine, State of |
| فلسطين | Palestine, State of |
| PA | Panama |
| PG | Papua New Guinea |
| PY | Paraguay |
| PH | Philippines |
| QA | Qatar |
| قطر | Qatar |
| MD | Republic of Moldova |
| RW | Rwanda |
| SM | San Marino |
| السعودية | Saudi Arabia |
| СРБ | Serbia |
| RS | Serbia |
| SK | Slovakia |
| SO | Somalia |
| SD | Sudan |
| سودان | Sudan |
| SR | Suriname |
| SZ | Swaziland |
| SY | Syrian Arab Republic |
| سورية | Syrian Arab Republic |
| TK | Tajikistan |
| TG | Togo |
| TR | Turkey |
| УКР | Ukraine |
| AE | United Arab Emirates |
| امارات | United Arab Emirates |
| UZ | Uzbekistan |
| VE | Venezuela, Bolivarian Republic Of |
| VI | Virgin Islands |
| YE | Yemen |
| ZW | Zimbabwe |
Source: ICANN.ORG — http://stats.research.icann.org/dns/tld_report/
It is noted that unsigned extensions are, with the exception of a few, ccTLDs of states with limited resources. The lack of implementation of the DNSSEC technology would therefore mainly result from a lack of financial resources. Nevertheless, programs are in progress, as evidenced by the map of the Internet Society Deploy360 (which is updated periodically):
Source: ISOC Deploy360 — https://www.internetsociety.org/deploy360/dnssec/maps/
However, it should be added that many ISPs use Google’s Public DNS Service (PDNS). Since Google PDNS supports DNSSEC validation, users de facto have access to DNSSEC validation (see ISOC, State of DNSSEC Deployment 2016, Dec. 2016, p. 8). This is particularly the case in some African countries.
Finally, this series of statistics would be incomplete without the data from the Asia Pacific Network Information Center (APNIC), which measures “the relative number of Internet users in each country who have been observed performing DNSSEC validation when resolving domain names” (Geoff Huston, “Some Internet Measurements”, labs.apnic.net, 24 Jul. 2014). According to the results obtained by APNIC, fewer than 20% of users are observed performing DNSSEC validation.
Source: APNIC.NET — https://stats.labs.apnic.net/dnssec
There remains the question of incentives. On this point, a study has shown that financial mechanisms, accompanied by technical assistance, can encourage registrars to sign domain names (T. Chung et al., 2017. Understanding the Role of Registrars in DNSSEC Deployment. In Proceedings of IMC ’17, London, United Kingdom, November 1–3, 2017, 14 pages, see para. Summary 6.3). Financial incentive mechanisms should therefore be implemented at all levels of Internet governance, worldwide.