To navigate the Internet, users typically use domain names in their browser’s address bar. Domain names will be translated to machine-readable IP addresses by the Domain Name System (DNS) and those IP addresses are used to connect to the requested website. The process is similar to using a phone book to look up the telephone number of a person if you know their name. The problem with DNS is, that it was developed a long time ago when the Internet was a friendly place. Unfortunately this isn’t true any more and the DNS is under constant attack by Internet criminals.
DNSSEC is a extension to the DNS that is used to guarantee that answers returned from the DNS are not tempered with on the way from the owner of the domain name to the end user who initiated the DNS query. DNSSEC was developed to prevent Cache Poisoning, a type of attack that could redirect users to the wrong website, like Phishing pages or bogus e-banking websites. Beside that DNSSEC is the fundament for a number of new technologies that help to make the internet a safer place. One example is DANE that allows to encrypt email messages in transit from one email server to another.
DNSSEC needs two components:
- DNSSEC signing: Domain names are digitally signed and the signature is published in the DNS.
- DNSSEC validation: DNS resolvers use the signature to detect forged DNS responses.
DNSSEC and Network-blocking
DNSSEC only has a wide effect if the DNS Resolvers of the Internet Service Providers that are used by a large number of Internet users turn on DNSSEC validation. Network blocking conflicts with the goal to deliver tamper-proof DNS responses. The ISPs DNS resolver has to send a fake response to DNS-queries for domain names on the blocklist. If a domain name is DNSSEC-signed then the new fake answer has no valid signature anymore and a validating resolver on the user side will reject the answer instead of sending the faked IP address to the browser.
In the discussion in the parliament on the new gambling law, the responsible minister Simonetta Sommaruga made the statement that DNSSEC has not yet won recognition. This unfortunately is still true for Switzerland, with apparently less than 1% of all domain names signed. The Czech Republic and the Netherlands. both with around 50% of all .cz and .nl domain names signed, show that a high signing rate is possible. Internationally the use of DNSSEC is on a rise, while Switzerland is far behind.
On the DNSSEC validation side it looks similar. From the “big” access ISPs in Switzerland, only Init7 and Salt are validating DNSSEC responses on their DNS resolvers. Swisscom had turned on validation some time ago, but currently is not validating on their DNS resolvers.
DNSSEC Questions from Baltasar Glättli to the Federal Council
As long as there is no adoption of DNSSEC validation by Swiss access ISPs, signing Swiss domain names with DNSSEC is of little use for the domain owners and hosting providers. This is where government policy-makers can and should take action. After the debate on the gambling law Baltasar Glättli asked the federal council the following questions:
Experts from the EJPD confirmed that DNSSEC has not yet won recognition. DNSSEC is an important instrument against Internet crime like Phishing. DNSSEC (validation) has a deployment of 8% in Switzerland (EU 21%, global 15%).
- Does the federal council recognize the “imperative nature” of the integrity of Internet communication and DNSSEC as an instrument to achieve that goal?
- What measures does the Federal Council take to combat cybercrime?
- What can be done to promote the use (of DNSSEC)?
The disappointing Answer
The answer from Federal Councilor Ueli Maurer is not only disappointing and empty, but also wrong – The Swiss federal government does not itself use DNSSEC on their own domains admin.ch and parlament.ch, in contrast to what Maurer said. Even the gambling industry does better: there are 2784 signed domain names in the .se zone that contain the string “casino”.
Switzerland needs a wider DNSSEC Deployment!
The ISOC Switzerland chapter and the Digitale Gesellschaft ask all Swiss ISPs to turn on DNSSEC validation by default on their DNS resolvers.
The Federal Council can help to promote a secure Swiss Internet by signing all the domain names held by the Swiss Confederation.
The Internet Society has made a variety of resources available on the Deploy360 program website to support the deployment of DNSSEC.