SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

DNSSEC Deployment in .CH


It has now been three years since SWITCH officially signed the .CH and .LI ccTLDs. Since then, adoption of DNSSEC for .CH domains has been very slow. During the last few weeks we have seen a small but noticeable increase, including one registrar (OVH.de) which has started to sign a few hundred domain names. It may be the start of something bigger; however, we still trail other TLDs in the number of signed delegations (see https://xs.powerdns.com/dnssec-nl-graph/) by a large margin.

Currently, SWITCH does not publish statistics about DNSSEC, as only 0.05% of all active domains use DNSSEC. At that level, publishing DNSSEC statistics remains unjustified.

In this blog article we want to give you a look at the numbers nonetheless. Please keep in mind that, because the number of DNSSEC-enabled domains is so low, the interpretation of the data and graphs should not be taken too seriously: the numbers can change very quickly.

Number of signed delegations
On the 13th of February 2013, 1’441’170 “ch.” domains were active. Active means the domain name is in use and has a delegation, and is therefore in the ch zone file. Only 770 of these delegations are signed (0.05%), and almost 75% of them are operated by only six organisations. You could say that the number of big DNSSEC supporters for .CH is only six!

DNS Security-Algorithm
When you sign a domain you choose a DNS Security Algorithm (see the IANA DNSSEC Algorithm Numbers registry). The majority of the signed domains use RSA/SHA-1 (algorithm 5) or RSASHA1-NSEC3-SHA1 (algorithm 7). The newer algorithms such as RSA/SHA-256 (algorithm 8) or RSA/SHA-512 (algorithm 10) are less common. One reason the old algorithms dominate is that four of the six big DNSSEC supporters sign with them. SWITCH advises using the newer algorithms and recently performed an algorithm rollover for the LI and CH zones (see the blog post on the Algorithm Rollover). Other algorithms such as ECC-GOST are not supported by SWITCH’s domain registration web application (www.nic.ch). However, registrars typically manage their domains via EPP (Extensible Provisioning Protocol) and submit the DS record (Delegation Signer resource record) directly, so they could use other algorithms such as ECC-GOST.
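The DS record a registrar submits via EPP is derived from the child's DNSKEY: a 16-bit key tag plus a digest over the owner name and the DNSKEY RDATA. The following added example (not SWITCH or nic.ch code) computes both per RFC 4034 and RFC 4509 and flags the SHA-1 based algorithms the post calls "old". The DNSKEY it parses is constructed: the public key bytes are arbitrary, not a real RSA key, and the zone name example.ch is an assumption.

```python
"""Key tag and DS digest for a DNSKEY, plus a SHA-1 algorithm check.

Added example for this post (not SWITCH or nic.ch code). The DNSKEY below is
constructed: the public key bytes are arbitrary and not a real RSA key, and
the zone name example.ch is an assumption.
"""
import base64
import hashlib

# DNS Security Algorithm Numbers (IANA registry). 5 and 7 are the SHA-1 based
# algorithms the post calls "old"; 8 and 10 are the newer ones SWITCH recommends.
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    12: "ECC-GOST",
}
SHA1_BASED = {5, 7}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """Build the DS RDATA fields for a DNSKEY. Digest type 2 (RFC 4509) is
    SHA-256 over (canonical owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": 2,
        "digest": digest,
        "sha1_based": algorithm in SHA1_BASED,
    }


def parse_dnskey(presentation: str) -> tuple:
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into
    (owner, flags, protocol, algorithm, pubkey_bytes). The base64 key may
    be split over several whitespace-separated chunks, as dig prints it."""
    fields = presentation.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def ds_from_dnskey_line(presentation: str) -> dict:
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(presentation)
    return ds_record(owner, flags, protocol, algorithm, pubkey)


# Constructed KSK (flags 257, SEP bit set) for the assumed zone example.ch;
# the 32 "key" bytes are a counter, not real key material.
SAMPLE_DNSKEY = ("example.ch. 3600 IN DNSKEY 257 3 8 "
                 + base64.b64encode(bytes(range(32))).decode("ascii"))

if __name__ == "__main__":
    ds = ds_from_dnskey_line(SAMPLE_DNSKEY)
    print("example.ch. IN DS %d %d %d %s"
          % (ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"]))
    if ds["sha1_based"]:
        print("warning: %s is SHA-1 based; SWITCH recommends RSASHA256 or RSASHA512"
              % ALGORITHMS[ds["algorithm"]])
```

Running the same computation over the DNSKEY a registry actually serves (`dig +dnssec DNSKEY example.ch`) and comparing the result with the DS published in the parent is a quick check that a delegation was submitted correctly; a mismatching key tag or digest means validating resolvers will return SERVFAIL for the whole zone.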

DNSKEY Algorithm distribution among signed CH-domains

Authenticated Denial of Existence
In order to sign negative answers, DNSSEC uses authenticated denial of existence: the zone carries a signed record stating that no name exists between label A and label B. This record is called NSEC (Next Secure). Unfortunately, NSEC makes it trivial to enumerate a zone by walking the chain from one NSEC record to the next. Public DNS zone data should only contain public data anyway, which would mute this problem; in practice that is not always the case, and most operators have a policy of restricting zone enumeration (for this and other reasons). NSEC3 uses hashed authenticated denial of existence records. It is a more complicated protocol which, in essence, hashes labels A and B (salted, and iterated a configurable number of times) before creating the NSEC3 record, thus making the zone more difficult to enumerate.

Most signed CH-domains use NSEC3

An attacker who tries to enumerate an NSEC-signed zone needs only one query per record in the zone. With NSEC3 this remains true, but the attacker must also do some computation to make the right guesses. In the end they are left with a list of hashes that they can try to crack offline with a brute-force or dictionary attack. I have tested this with our own NSEC3-signed second-level domains and can assure you that it usually takes less than 30 minutes to collect all the hashed zone records. So NSEC3 does not prevent zone enumeration; it only makes it a little harder. As can be seen in the “NSEC vs. NSEC3” graph, most zone operators choose to make it that little bit harder for the attacker.
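To make the two preceding paragraphs concrete, here is an added example (not SWITCH code) of the NSEC3 hash from RFC 5155 and of the offline dictionary attack against a set of collected hashes. The NSEC3PARAM line, the wordlist and the "collected" hashes are constructed under the assumed zone example.ch; in a real attack the hashes would come from NSEC3 records gathered by querying non-existent names first. The RFC 5155 Appendix A test vector for the zone "example" (salt aabbccdd, 12 iterations) is used to check the hash function itself.

```python
"""NSEC3 hashing (RFC 5155) and the offline dictionary attack the post describes.

Added example for this post, not SWITCH code. The target hashes are computed
here from constructed names under the assumed zone example.ch; in a real
attack they would first be collected from NSEC3 responses.
"""
import base64
import hashlib

# NSEC3 hashes are written in base32hex; translate Python's standard base32 output.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt).
    The owner name is hashed in canonical wire form; the result is base32hex."""
    h = hashlib.sha1(owner_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32_TO_B32HEX)


def parse_nsec3param(presentation: str) -> tuple:
    """Parse 'owner [ttl] [IN] NSEC3PARAM alg flags iterations salt' into (salt_bytes, iterations).
    A salt of '-' means no salt."""
    fields = presentation.split()
    idx = fields.index("NSEC3PARAM")
    iterations = int(fields[idx + 3])
    salt_field = fields[idx + 4]
    salt = b"" if salt_field == "-" else bytes.fromhex(salt_field)
    return salt, iterations


def crack_nsec3(hashes: set, zone: str, salt: bytes, iterations: int, wordlist) -> dict:
    """Offline dictionary attack: hash each candidate label under the zone and
    look it up in the set of hashes collected from NSEC3 records.
    Returns {hash: recovered_name}. No DNS queries are needed at this stage."""
    found = {}
    for word in wordlist:
        candidate = "%s.%s." % (word, zone.strip("."))
        h = nsec3_hash(candidate, salt, iterations)
        if h in hashes:
            found[h] = candidate
    return found


# Constructed zone parameters and data for the assumed zone example.ch.
SAMPLE_NSEC3PARAM = "example.ch. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD"
SAMPLE_NAMES = ["www.example.ch.", "mail.example.ch.", "intranet-2013.example.ch."]
SAMPLE_WORDLIST = ["www", "ftp", "mail", "dev", "vpn", "intranet"]


def run_demo() -> dict:
    """Simulate the attack end to end: derive the salt and iteration count from
    NSEC3PARAM, take the hashes an enumerator would have collected, and crack them."""
    salt, iterations = parse_nsec3param(SAMPLE_NSEC3PARAM)
    collected = {nsec3_hash(n, salt, iterations) for n in SAMPLE_NAMES}
    return crack_nsec3(collected, "example.ch", salt, iterations, SAMPLE_WORDLIST)


if __name__ == "__main__":
    hits = run_demo()
    for h, name in sorted(hits.items()):
        print("%s -> %s" % (h, name))
    print("%d of %d collected hashes recovered" % (len(hits), len(SAMPLE_NAMES)))
```

Two things the code makes visible: the salt and iteration count are public (NSEC3PARAM is in the zone), so they only multiply the attacker's per-guess cost by the iteration count, and the same multiplier applies to every validating resolver on every negative answer. Names that are not in the attacker's wordlist (the constructed "intranet-2013" above) stay hidden only as long as they are unguessable, which is the sense in which NSEC3 makes enumeration "a little harder" rather than impossible.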

There is more
There are many other interesting statistics you can derive from DNSSEC-signed domains, for example the average number of days a signature is valid, or whether some DNSKEYs are used to sign more than one zone. .SE provides a yearly Health Status Report of DNS and DNSSEC which contains some other interesting statistics. If you have a specific question or a statistic you would like to see, please comment.
