Why is DNSSEC important?
The Internet has become a key platform for value creation in modern society. Online retailers in Norway had a total turnover exceeding NOK 25 billion in 2019 [1]. Three percent of all Norwegian domain names with a website have shopping basket functionality built in [2], and for many businesses, online sales are the primary sales channel. The Internet is also a primary channel of communication between public agencies and the nation's inhabitants and businesses, e.g. in connection with tax returns, employer's contributions and access to public services. In all these circumstances, it is extremely important that users actually end up on the website they intended to reach.
Domain names and top-level domains
All devices connected to the Internet have their own unique IP address, which consists of a long sequence of numbers. The Domain Name System links unique domain names to IP addresses.
Examples of domain names many use daily: dagbladet.no, vg.no, google.com and facebook.com.
The last part of the domain name – its “last name” – is the top-level domain the domain name is registered under. There are two different types of top-level domains: country code top-level domains (such as .no or .se) and generic top-level domains (such as .com, .org or .shop).
A website can be accessed in different ways: by clicking a link, via an app, via hits from a search engine, or by entering the URL into a browser. All these methods of access entail looking up a domain name. The lookup initiates a search for the IP address used to contact the server operating the service you are requesting access to. Originally, the domain name system was not designed to ensure that the response to a lookup actually came from the right source. This means it is possible for attackers to falsify responses and direct a user to a different IP address from the one associated with the domain name. For example, a user may be directed to a website that looks like the online retailer they intended to visit, but which is located on a server controlled by scammers.
What happens behind the scenes when you look up a domain name?
Each domain name has a set of servers that handle queries about addresses under the domain name in question. These servers are called name servers. Looking up www.bokogbrus.no, for example, goes like this:
- A small application on your device contacts a dedicated server set up to handle queries in the domain name system, a so-called recursive resolver (often operated by your Internet service provider).
- The recursive resolver is tasked with finding the IP address of www.bokogbrus.no. It forwards the query to one of the name servers for the top level of the domain name system (called the root). Root name servers only know the level below them in the hierarchy, and therefore return a list of name servers for the top-level domain .no.
- The resolver then forwards the query to one of the name servers for .no. These servers also only know the level below them, and therefore return a list of name servers for bokogbrus.no.
- The resolver repeats the query to one of the name servers for bokogbrus.no, which returns the IP address for www.bokogbrus.no.
- The resolver then returns the IP address to your device. Once your browser has the IP address, it contacts the web server at this address and downloads the website you requested.
The resolver normally accepts the first response to its query, and does not verify that it comes from the right source.
DNSSEC (DNS Security Extensions) is a security mechanism that offers a solution to this problem. When a domain name is secured by DNSSEC, all returns to domain queries will be signed cryptographically. This makes it possible to verify both that the response comes from the right source, and that it has not been changed along the way.
The signature is created with a private key accessible only to the operator of the domain name. The device making the query validates it by retrieving the public key for the domain from the domain name system and checking the signature against that key. Because of the hierarchy of the domain name system, a scammer cannot plant false keys alongside false responses: the public key of a domain is part of an unbroken chain of keys vouching for each other, all the way up to the top level. For DNSSEC to work, every level has to be secured with DNSSEC. A chain is only as strong as its weakest link.
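To make the chain of keys concrete, here is an added example (not code from Norid or from the original page) that models the lookup steps above with a toy three-level hierarchy: root, .no and bokogbrus.no. It uses Ed25519 signatures and SHA-256 key digests in place of the real DNSKEY, DS and RRSIG record formats; the name-server names and the 203.0.113.x and 198.51.100.x addresses are constructed documentation values, and the "unsigned-parent" case (a hypothetical .no without DNSSEC) stands in for any unsigned link in the chain.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is one level of the hierarchy. Real DNSSEC separates KSK and ZSK, signs whole
// RRsets with RRSIGs carrying validity windows and proves non-existence with NSEC;
// this toy keeps only what the chain of trust needs.
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey // accessible only to the zone operator
	Signed bool               // false models a zone that has not deployed DNSSEC
}

// Response is one name server's answer: delegation or address data, the DS digest of the
// child's key when delegating, the zone's public key (DNSKEY) and its signature (RRSIG).
type Response struct {
	Zone, Name, Data string
	DS, Sig          []byte
	Key              ed25519.PublicKey
}

func NewZone(name string, signed bool) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv, Signed: signed}
}

// keyDigest is what a parent publishes in a DS record for a child's key.
func keyDigest(pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pub)
	return sum[:]
}

// Answer builds this zone's response; child is the zone delegated to, or nil at the leaf.
func (z *Zone) Answer(name, data string, child *Zone) Response {
	r := Response{Zone: z.Name, Name: name, Data: data, Key: z.Pub}
	if child != nil {
		r.DS = keyDigest(child.Pub)
	}
	if z.Signed {
		r.Sig = ed25519.Sign(z.priv, append([]byte(name+"|"+data+"|"), r.DS...))
	}
	return r
}

// Validate walks the responses top-down as a validating resolver does, starting from the
// digest of the root key it was configured with (the trust anchor). "secure": every link
// holds; "bogus": a key or signature fails and the answer is discarded; "insecure": an
// unsigned zone breaks the chain, so nothing below it can be proven.
func Validate(trustAnchor []byte, chain []Response) (string, string) {
	expected := trustAnchor
	for _, r := range chain {
		if !bytes.Equal(keyDigest(r.Key), expected) {
			return "bogus", "key presented for " + r.Zone + " does not match the DS from its parent"
		}
		if r.Sig == nil {
			return "insecure", r.Zone + " is not signed; the chain is broken here"
		}
		if !ed25519.Verify(r.Key, append([]byte(r.Name+"|"+r.Data+"|"), r.DS...), r.Sig) {
			return "bogus", "signature from " + r.Zone + " on " + r.Name + " does not verify"
		}
		expected = r.DS
	}
	return "secure", ""
}

// Scenario runs the lookup of www.bokogbrus.no under one of four conditions. The addresses
// are constructed documentation addresses (RFC 5737), not the real site's.
func Scenario(mode string) string {
	root := NewZone(".", true)
	no := NewZone("no.", mode != "unsigned-parent") // hypothetical: a .no without DNSSEC
	leaf := NewZone("bokogbrus.no.", true)
	chain := []Response{
		root.Answer("no.", "NS ns.no.", no),
		no.Answer("bokogbrus.no.", "NS ns.bokogbrus.no.", leaf),
		leaf.Answer("www.bokogbrus.no.", "A 203.0.113.10", nil),
	}
	switch mode {
	case "forged": // an answer from someone without the private key carries their own key
		impostor := NewZone("bokogbrus.no.", true)
		chain[2] = impostor.Answer("www.bokogbrus.no.", "A 198.51.100.66", nil)
	case "tampered": // genuine signature, but the address was changed on the way
		chain[2].Data = "A 198.51.100.66"
	}
	status, _ := Validate(keyDigest(root.Pub), chain)
	return status
}

func main() {
	for _, mode := range []string{"valid", "forged", "tampered", "unsigned-parent"} {
		fmt.Printf("%-16s %s\n", mode, Scenario(mode))
	}
}
```

The three outcomes map onto what a real validating resolver does: a "bogus" answer is never handed to the client (the resolver returns SERVFAIL), an "insecure" answer is returned but without the AD (authenticated data) flag, and only a "secure" answer has been checked all the way up to the root trust anchor. The "forged" and "tampered" cases fail on different links, the key digest and the signature respectively, which is why both the DS record in the parent and the signature in the child are needed.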
DNSSEC solves the problem of false responses to queries. It is important to be aware, however, that DNSSEC is only a small piece in a large puzzle of security measures needed to keep us safe online. DNSSEC ensures that we reach the address we wanted to reach, not that the contents of the site are safe.
Norway a world leader in securing the domain name system
Norid considers DNSSEC to be a key security component in the domain name system, and believes that the technology should be standard for Norwegian domain names.
This approach to DNSSEC, however, requires technology that is mature enough to be widely supported. Norid has chosen to introduce DNSSEC as an infrastructure upgrade: a domain name holder needs neither to know about the technology nor to order it for his or her domain name to benefit from the security upgrade.
Key DNSSEC milestones
2007: .se is the first top-level domain in the world to allow use of DNSSEC to secure its domain names. Because the top level of the domain name system had not yet been secured, .se had to create a temporary solution to compensate for this.
2010: The top level of the domain name system is secured by DNSSEC.
2014: Support for the technology is available in the most common software for domain name system queries. DNSSEC is implemented for Norwegian domain names.
Despite the need for sophisticated technology and limited room for errors, many registrars quickly came on board. In May 2015, six months after Norid introduced the technology, the Norwegian top-level domain was among the world's leading top-level domains regarding the percentage of secure domains, where it has remained since [3]. As of 16 June 2020, 480,151 Norwegian domain names have been signed using DNSSEC, which accounts for 60.7 percent of all Norwegian domain names [4]. Three other European country code top-level domains also stand out with a large percentage of secured domain names: Czech Republic (.cz), at 59.6 percent [5], the Netherlands (.nl), at 55.5 percent [6], and Sweden (.se), at 49.4 percent [7].
Norwegian domain names secured with DNSSEC
(Table with the columns Year and Number of secured domains; the rows were not preserved in this copy.)
Even though .no has a very high percentage of secured domain names overall, the degree of implementation among registrars varies considerably. As of June 2020, 18 of 335 registrars offering Norwegian domain names offer secure domains through DNSSEC [8]. Only 23 of these have signed more than 30 percent of their domain name portfolio, and 97.7 percent of all signed domain names belong to 10 registrars [9].
Distribution of signed domain names across registrars

| Registrar | Share (percent) |
|---|---|
| Digital Garden AS | 5.41 |
| Telenor Norge AS | 1.84 |
| Domenia Norge AS | 0.33 |
| ISPHuset Nordic AS | 0.27 |
| Active Data Norge avd Ssynnes | 0.18 |
Key domain names still not signed
With more than half of all Norwegian domain names secured with DNSSEC, this technology has become a new standard here. Even so, only three out of the ten most popular Norwegian domains are signed [10].
The ten most popular Norwegian domain names
DNSSEC is a recommended standard for domain names registered by public administrative agencies in Norway [11]. However, public agencies lag behind in securing their domains, although the share of DNSSEC-signed domain names held by public agencies has increased in recent years, from 47.3 percent in September 2018 to 52.4 percent in June 2020 [12]. It is a concern that the governmental domain categories (stat.no and dep.no) and the domain category reserved for the Armed Forces (mil.no) have not implemented the technology. This means that domain names under one of these categories, e.g. nsm.stat.no, cannot be secured with DNSSEC even if the holder wants to, because the links above them in the chain are not secured.
At the forefront of validation as well
The large share of DNSSEC-secured Norwegian domains means that many domain lookups yield signed responses. For this to protect the individual user, however, the server retrieving the response to the query must check (validate) the signature and reject responses whose signatures are false or missing. This is handled by dedicated servers (recursive resolvers), which are often operated by Internet service providers, hosting providers and the operators of organizations' internal networks. To fully utilize the potential of DNSSEC, as many as possible of these providers must protect their users by enabling validation.
The degree of validation in Norway has increased considerably since DNSSEC was introduced for Norwegian domain names in 2014. As of 16 June 2020, approx. 83 percent of domain lookups in Norway are validated, which is a high degree on a world-wide basis as well [13].
DNSSEC validation percentages by country
The high degree of validation in Norway can be attributed to the fact that some major providers, such as Telenor Norge, Altibox and Get, whose total customer base is relatively large, have enabled validation. However, there are still some major providers, including GlobalConnect, that have not enabled validation [14].
Correct DNS lookups are an important part of the digital foundation and a prerequisite for the security of IT services. Several threat actors take advantage of the fact that the DNS system was created at a time when communication protocols were characterized by trust alone. The consequence of this can be that users and systems are led to malicious URLs and exposed to cybercrime. DNSSEC is closing this gap by incorporating mechanisms that ensure the validity of DNS lookups with modern encryption and trust services. It is very gratifying that .no is leading the way and is at the very top of the world for the introduction of DNSSEC. The National Communications Authority supports all measures that highlight the importance of signing and validating communication on the Internet.
– Elise Knutssøn Lindeberg, Department Director, Norwegian Communications Authority
DNSSEC and the future – what is possible with a secure infrastructure?
The immediate effect of DNSSEC is to safeguard users from false responses from the domain name system, but a secure domain name system also serves as a foundation on which we can build a whole new set of security features.
We are accustomed to being able to securely send email, even at airports, in Internet cafés and using guest networks, because our devices exchange data with the email server using a secure, encrypted connection that third parties cannot tap into or change. Similarly, we look for the green padlock symbol and HTTPS before transferring data such as credit card numbers, user names and passwords on websites we visit.
In order for these connections to be secure, our device must authenticate that it is communicating with the right service, and exchange the necessary cryptographic data. The authentication process largely relies on certificates issued by certificate authorities. The problem is that there are very many certificate authorities, and the level of security they offer varies considerably. Meanwhile, there has been a shortage of good mechanisms to inform users of which certificate authority is authorized to issue certificates for a given service, or which certificate or key the service in question uses. Google is among those who have experienced problems with this issue. In some cases, certificates have been issued for some of Google's domain names that were not authorized by Google [15]. Such unauthorized certificates make it possible for someone to hijack or tap into traffic to the service.
The domain name system offers a possible solution to this problem. The system's main purpose is to respond with the IP addresses of a service under a given domain, but the system can also provide certain types of additional information, such as which certificate authority is authorized to issue certificates for a given service [16]. DNSSEC enables the user's device to trust this information, instead of having to accept certificates from every certificate authority.
This application is particularly relevant in Norway, since we have already implemented DNSSEC to a relatively large degree and most socially critical services are available online. Public authorities have a large number of online services for communication with the nation's residents. As of October 2018, 33 percent [17] of these websites used HTTPS. The Norwegian National Security Authority recommends that all of them be secured with this technology, using certificates issued by certificate authorities subject to Norwegian law [18]. The need for public websites to be able to communicate securely which certificate authorities they use is therefore quite pressing.
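As an added example of the check such DNS-published certificate information makes possible (not code from the original page or from Norid), the program below implements the DANE-EE form of the TLSA record defined in RFC 6698, the protocol reference 16 describes: it builds the record a domain owner would publish for its certificate and verifies a presented certificate against it. The certificates are throwaway self-signed ones generated in the program and www.example.no is a constructed name. The DNS answer carrying the record must itself be DNSSEC-validated, which is the dependency this section describes; fetching it from DNS is outside the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the fields of a DANE TLSA record (RFC 6698). Usage 3 (DANE-EE) pins the
// server's own certificate; selector 0 covers the whole certificate, 1 only its
// SubjectPublicKeyInfo; matching type 0 is the raw data and 1 its SHA-256 digest.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// fingerprint applies the selector and matching type to a certificate.
func fingerprint(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var data []byte
	switch selector {
	case 0:
		data = cert.Raw
	case 1:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case 0:
		return data, nil
	case 1:
		h := sha256.Sum256(data)
		return h[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", matching)
}

// RecordFor builds the DANE-EE record a domain owner would publish for its certificate.
func RecordFor(cert *x509.Certificate, selector, matching uint8) (TLSA, error) {
	d, err := fingerprint(cert, selector, matching)
	return TLSA{Usage: 3, Selector: selector, Matching: matching, Data: d}, err
}

// Matches is the client-side check: does the certificate the server presented match
// the record the owner published in (DNSSEC-validated) DNS? Only usage 3 is handled.
func (t TLSA) Matches(cert *x509.Certificate) (bool, error) {
	if t.Usage != 3 {
		return false, fmt.Errorf("usage %d not handled in this example", t.Usage)
	}
	d, err := fingerprint(cert, t.Selector, t.Matching)
	return err == nil && bytes.Equal(d, t.Data), err
}

// selfSigned makes a throwaway certificate for the example (constructed, not a real service's).
func selfSigned(cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// Demo pins the genuine certificate and then checks a second certificate issued for the
// same name, which is what a certificate mis-issued by another CA would look like.
func Demo() (genuineOK, otherOK bool) {
	genuine := selfSigned("www.example.no")
	other := selfSigned("www.example.no")
	rec := must(RecordFor(genuine, 1, 1)) // selector 1 (SPKI), matching 1 (SHA-256)
	genuineOK, _ = rec.Matches(genuine)
	otherOK, _ = rec.Matches(other)
	return genuineOK, otherOK
}

func main() {
	ok, other := Demo()
	fmt.Println("genuine certificate matches TLSA record:", ok)
	fmt.Println("another certificate for the same name matches:", other)
}
```

Selector 1 (public key only) is the usual choice for DANE-EE because the record stays valid across certificate renewals as long as the key is kept; selector 0 pins the exact certificate and must be updated on every reissue. The check only adds value when the TLSA answer arrived with a validated DNSSEC chain; an unvalidated answer could have been forged just like the address records the article discusses.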
Email is another service that has started using information from the domain name system to increase security. Email servers that use certificates to prevent eavesdropping need information about which certificates are in use for a domain name. In addition, the domain name system can be used to publish which IP addresses are authorized to send email from a given domain name, and how such email should be handled, which makes it easier for a recipient to identify and reject email with a forged sender address [19].
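The sender-authorization lookup mentioned here is SPF (RFC 7208): a TXT record at the domain listing the addresses allowed to send mail for it. As an added example that is not part of the original page, the Go code below evaluates constructed SPF records offline for a few sender addresses, including the include: mechanism and its limit of 10 DNS-querying terms; the domain names and addresses are made up (documentation ranges). Real deployments fetch the TXT record from DNS and combine SPF with DKIM and DMARC, which the code does not cover.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed TXT records standing in for DNS lookups so the example runs offline.
// Addresses are RFC 5737/3849 documentation ranges, not any real mail provider's.
var txtRecords = map[string]string{
	"example.no":            "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
	"_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
	"loop.example":          "v=spf1 include:loop.example -all", // misconfiguration: includes itself
}

var qualifierResult = map[string]string{"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

// CheckSPF reports whether senderIP is authorized to send mail for domain according to the
// domain's SPF record: pass, fail, softfail, neutral, none or permerror. Only the ip4, ip6,
// include and all mechanisms are implemented; a, mx, ptr, exists and macros are not.
func CheckSPF(domain, senderIP string) string {
	ip := net.ParseIP(senderIP)
	if ip == nil {
		return "permerror"
	}
	lookups := 0
	return evaluate(domain, ip, &lookups)
}

func evaluate(domain string, ip net.IP, lookups *int) string {
	rec, ok := txtRecords[strings.ToLower(domain)]
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return "none"
	}
	for _, term := range strings.Fields(rec)[1:] {
		qualifier := "+"
		if strings.ContainsRune("+-~?", rune(term[0])) {
			qualifier, term = term[:1], term[1:]
		}
		name, arg, _ := strings.Cut(term, ":")
		matched := false
		switch strings.ToLower(name) {
		case "all":
			matched = true
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") { // a bare address means a single host
				if strings.Contains(arg, ":") {
					arg += "/128"
				} else {
					arg += "/32"
				}
			}
			_, network, err := net.ParseCIDR(arg)
			if err != nil {
				return "permerror"
			}
			matched = network.Contains(ip)
		case "include":
			*lookups++
			if *lookups > 10 { // RFC 7208 limits DNS-querying mechanisms to 10 per check
				return "permerror"
			}
			switch evaluate(arg, ip, lookups) {
			case "pass":
				matched = true
			case "none", "permerror":
				return "permerror"
			}
		default:
			return "permerror" // mechanism not implemented in this example
		}
		if matched {
			return qualifierResult[qualifier]
		}
	}
	return "neutral" // nothing matched and no "all" term: the default result
}

func main() {
	for _, ip := range []string{"203.0.113.7", "198.51.100.10", "2001:db8::25", "192.0.2.5"} {
		fmt.Printf("%-14s %s\n", ip, CheckSPF("example.no", ip))
	}
	fmt.Println("loop.example  ", CheckSPF("loop.example", "192.0.2.5"))
}
```

A receiving server uses the result together with the domain's DMARC policy to decide whether to accept, quarantine or reject the message; the loop.example case shows why the lookup limit exists, since a self-including record would otherwise recurse forever.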
In the future, the distribution of secure information about services through the domain name system may extend the use of more security functionality for existing as well as for new services.
From theory to practice – some tools to check your DNSSEC status
Check to see if a Norwegian domain name is secured using DNSSEC.
Enter the domain name and see if it has been secured by DNSSEC, or enter an organization number to see the DNSSEC status of all the domain names of the organization.
Find a registrar that can secure your domain names with DNSSEC.
Choose to show only providers that offer DNSSEC.
- 1. Statistics Norway (2020) «Wholesale and retail trade sales statistics» https://www.ssb.no/en/varehandel-og-tjenesteyting/statistikker/vroms
- 2. Norid. (Figures from March 2020) Analysis of content under .no domains performed by Dataprovider on behalf of Norid.
- 3. CENTR. (Figures from 15 June 2020) Comparison between top-level domains with more than a thousand domain names.
- 4. Norid. (Figures from 15 June 2020)
- 5. CZ.NIC. (Figures from 15 June 2020)
- 6. SIDN Labs. (Figures from 15 June 2020)
- 7. The Swedish Internet Foundation. (Figures from 15 June 2020)
- 8. Norid. (Figures from 15 June 2020)
- 9. Norid. (Figures from 9 June 2020)
- 10. Alexa. (Figures from 15 June 2020)
- 11. Norwegian Digitalisation Agency (2015) «Referansekatalogen – grunnleggende datakommunikasjon»
- 12. Norid. (Figures from 15 June 2020) Public agencies are in this case defined as the following types of entities in the Central Coordinating Register for Legal Entities: public corporation, county municipality, municipal business enterprise, central authority, county municipal business enterprise, organizational section, inter-municipal company, municipality, other business enterprise in accordance with special legislation, or Norwegian Church Council.
- 13. APNIC Labs. (Figures from 16 June 2020)
- 14. APNIC Labs. (Figures from 17 June 2020)
- 15. See examples of such cases here: arstechnica.com, arstechnica.com and security.googleblog.com
- 16. Internet Society (2012) «The DANE Protocol – DNS-Based Authentication of Named Entities»
- 17. NRK Beta. (Figures from 16 October 2018)
- 18. Norwegian National Security Authority (2016) «Prosjektrapport – HTTPS for offentlige webtjenester»
- 19. Norwegian National Security Authority (2017) «Grunnleggende tiltak for sikring av e-post»