Norwegian domain names more secure with DNSSEC

Why is DNSSEC important?

The Internet has become a key platform for value-creation in modern society. The Internet is also a primary channel of communication between public agencies and the nation’s inhabitants and businesses, e.g. in connection with tax returns, employer's contributions and access to public services. In all these circumstances, it is extremely important that users actually end up on the website they intended to reach.

A website can be accessed in different ways: Clicking a link, via an app, via hits from a search engine, or entering the URL into a browser. All these methods of access entail looking up a domain name. The lookup initiates a search for an IP address used to contact the server operating the service you are requesting access to. Originally, the domain name system was not designed to ensure that the return for a lookup actually came from the right source. This means it is possible for attackers to falsify returns and direct a user to another IP address than the one associated with the domain name. For example, a user may be directed to a website that looks like the online retailer they intended to visit, but instead, the website is located on a server controlled by scammers.

DNSSEC (DNS Security Extensions) is a security mechanism that offers a solution to this problem. When a domain name is secured by DNSSEC, all returns to domain queries will be signed cryptographically. This makes it possible to verify both that the response comes from the right source, and that it has not been changed along the way.

The signature is created by a private key accessible only to the operator of the domain name. The signature is validated by the device making the query in the domain name system retrieving a public key for the domain. It then pairs the key and signature to validate the answer. Given the hierarchy of the domain name system, a scammer cannot enter false keys in addition to false responses. The public key of a domain is part of an unbroken chain of keys validating each other, all the way to the top level. In order for DNSSEC to work, all levels have to be secured by DNSSEC. A chain is only as strong as its weakest link.

DNSSEC solves the problem of false responses to queries. It is important to be aware, however, that DNSSEC is only a small piece in a large puzzle of security measures needed to keep us safe online. DNSSEC ensures that we reach the address we wanted to reach, not that the contents of the site are safe.

Norway a world leader in securing the domain name system

Norid considers DNSSEC to be a key security component in the domain name system, and believes that the technology should be standard for Norwegian domain names. This approach to DNSSEC, however, requires sufficiently sophisticated technology so that there is extensive support for it. Norid has chosen to introduce DNSSEC as an infrastructure upgrade. A domain name holder is not supposed either to know about this technology or to order it for her or his domain name to benefit from this security upgrade.

Despite the need for sophisticated technology and limited room for errors, many registrars quickly came on board. In May 2015, six months after Norid introduced the technology, the Norwegian top-level domain was among the world’s leading top-level domains regarding percentage of secure domains, where it has remained since 1.

Key domain names still not signed

With more than half of all Norwegian domain names secured with DNSSEC, this technology has become a new standard here. Still, some of the most trafficked domain names are still not signed.

DNSSEC is a recommended standard for domain names registered by public administrative agencies in Norway 2. However, the public sector is lagging behind, with a somewhat lower degree of signing compared to the degree of signing for all Norwegian domain names. The gap has decreased in recent years, but public domain names are still not secured to the same extent as the rest of the domain names in society.

Large variance in the degree of signing among registrars

The share of registrars of Norwegian domain names that offers DNSSEC has increased over the last years.

However, there are large differences in the degree of signing among the registrars. The majority of registrars have only signed a few percent of the domain names they manage, or do not offer such security of the customer's domain name. At the same time, there are some large registrars who offer the technology as part of their standard delivery, and who in sum ensure that more than half of all Norwegian domain names are signed.

At the forefront of validation as well

The large share of DNSSEC secured Norwegian domains means many domain lookups yield signed returns. In order for this to protect the individual user, however, the server retrieving the return for the domain query must check (validate) it, ensuring that returns containing false or inadequate signatures are rejected. This is handled by dedicated servers (recursive resolvers), which are often operated by Internet service providers, hosting providers and service supervisors of internal networks within an organization. In order to fully utilize the potential of DNSSEC, as many as possible of these providers must secure their users by enabling validation.

The high degree of validation in Norway can be attributed to the fact that some major providers, such as Telenor Norge, Altibox and Get, whose total customer base is relatively large, have enabled validation. However, there are still some major providers, including GlobalConnect, that have not enabled validation 3.

DNSSEC and the future – what is possible with a secure infrastructure?

The immediate effect of DNSSEC is to safeguard users from false responses from the domain name system, but a secure domain name system also serves as a foundation on which we can build a whole new set of security features.

We are accustomed to being able to securely send email, even at airports, in Internet cafés and using guest networks, because our devices exchange data with the email server using a secure, encrypted connection that third parties cannot tap into or change. Similarly, we look for the green padlock symbol and HTTPS before transferring data such as credit card numbers, user names and passwords on websites we visit.

In order for these connections to be secure, our device must authenticate that it is communicating with the right service, and exchange the necessary cryptographic data. The authentication process largely relies on certificates issued by certificate authorities. The problem is that there are very many certificate authorities, and the level of security they offer varies considerably. Meanwhile, there has been a shortage of good mechanisms to inform users of which certificate authority is authorized to issue certificates for a given service, or which certificate or key the service in question uses. Google is among those who have experienced problems with this issue. In some cases, certificates have been issued for some of Google’s domain names that have not been authorized by Google 4. Such unauthorized certificates make it possible for someone to hijack or tap into traffic to the service.

The domain name system offers a possible solution to this problem. The system’s main purpose is to respond with the IP addresses of a service under a given domain, but the system can also provide certain types of additional information, such as which certificate authority is authorized to issue certificates for a given service 5. DNSSEC enables the user’s device to trust this information, instead of having to accept certificates from every certificate authority.

This application is particularly relevant in Norway, seeing as we have already implemented DNSSEC to a relatively large degree, and most social critical services are available online. Public authorities have a large number of online services for communication with the nation’s residents. The Norwegian National Security Authority recommends that all these should be secured with this technology, using certificates issued by certificate authorities subject to Norwegian law 6. The need for public websites to securely be able to communicate which certificate authorities they use is therefore quite pressing.

Email is another service that has started using information from the domain name system to increase security. Email servers that use certificates to prevent tapping need information about which certificates are in use for a domain name. In addition, the domain name system can be used to pass on which IP addresses are authorized to send email from a given domain name. And then how such email should be controlled, which makes it easier for a recipient to identify and reject email with forged sender address 7.

In the future, the distribution of secure information about services through the domain name system may extend the use of more security functionality for existing as well as for new services.