Dramatic increase in DNSSEC domains

Jul 14

nic.at News - 14.07.2019 10:11
In the first week of July, .at domains reached the 10,000 mark for DNSSEC-signed domains. Although the security extension DNSSEC has been available for .at domains since 2012, it has enjoyed only moderate popularity – in contrast to other countries. Arsen Stasic, who is jointly responsible for the operation of the .at zone at the Vienna University Computer Center, explains why this is now changing.

"I think there are several reasons why DNSSEC-signed .at domains are now increasing," says Arsen Stasic, who has been monitoring developments from the beginning. "In the first few years, an average of 300-400 domains were signed every six months. However, between the end of December 2018 and the end of May 2019, there were more than 1,700, and in the month of June alone around 1,000 domains were secured, ensuring that the 10,000 mark was reached."

Greater security consciousness and awareness in professional circles

Stasic is convinced that there has been a rethink in the industry: "The trend is clearly to encrypt all protocols - think e-mail, https on websites and much more. The domain name system is unsecured and an attacker usually looks for a simple flaw; this is often DNS. Recently, numerous cases of DNS hijacking have received widespread media attention, and leading security experts have been recommending DNSSEC and Security-Lock for domains. Although DNSSEC is not encryption of the protocol, it does guarantee the authenticity and completeness of DNS responses with the help of digital signatures, and is therefore an important first step towards security," says Stasic. He lectures in the GovCERT environment on this topic and notes growing interest in the IT sector. Stasic would also like to dispel the myth that DNSSEC is technically complex and difficult to implement: "Even if providers do not want to implement DNSSEC themselves, there are now a number of contractors who can arrange it for them."

Increased attention to security features for domains

Katharina Hackl, manager of nic.at customer service, agrees. In recent months she and her team have worked on a project to persuade registrars and end users of the importance of domain security features, and she now sees the initiative bearing fruit: "Our R&D team has developed a system - 'DNS Magnitude' - to measure the importance of domains. We have contacted holders and registrars of high-level domains and pointed out the possibility of additional domain coverage." nic.at offers several security features: in addition to DNSSEC signing, Security-Lock is also an effective mechanism to prevent DNS hijacking. "If you want to make your DNS even more fail-safe, you can do so with our Anycast product RcodeZero DNS. DNSSEC is automatically included, so the registrar can outsource everything to us," says Hackl.

Foreign registrars as driver, local registrar ranked number 1

Compared to other countries, where DNSSEC was strongly propagated and promoted right from the start, Austria is still lagging behind with less than 1 percent of DNSSEC-signed domains. This also explains why foreign registrars are responsible for the current growth, says Stasic: "Some Top Level Domains promote DNSSEC extensively, so it’s an advantage that there are four international registrars among the top five DNSSEC registrars for .at. If a registrar has introduced DNSSEC, the service can be easily extended to other TLDs."

Nevertheless, the Linz-based ISP World4You comes first in the domestic DNSSEC ranking, with over 2100 signed domains. Customers are offered DNSSEC for free as an additional domain backup, and it is recommended to them as a way to make the website "trustworthy and secure". This argument is usually sufficient for customers to order DNSSEC, even if they do not know the technical background and functions. The decision to use DNSSEC was a logical step for World4You because the ISP wants to be at the forefront of technical developments - especially when it comes to security issues and additional customer benefits. Implementation in their own domain management software enables support agents to activate DNSSEC quickly and easily for customers with one click, which has made the rapid growth possible.

Next step: Full encryption of the DNS

For some time, the IETF (Internet Engineering Task Force) has been working on the encryption of DNS, and two protocols are currently available: DNS over HTTPS (DoH) and DNS over TLS (DoT). nic.at R&D Director Alexander Mayrhofer is at the forefront of this development and has even standardised a protocol detail that is now being used by Google name servers and Android 9.