SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

100’000 .ch domain names are secured with DNSSEC!



Imagine you want to visit your online banking website «www.example-bank.ch». Now, instead of getting the correct IP address, your computer receives manipulated information and connects you to a website that is owned by a criminal. You wouldn’t notice, and you would disclose your online banking credentials to the attacker.

Luckily, DNSSEC is here to help. This extension of DNS protects you from being misled and helps you reach exactly the address you typed into your browser. A complex cryptographic process makes sure that you’re always in the right place.

100’000 .ch domain names are signed with DNSSEC

In late December 2019 the .ch zone achieved a milestone with 100’000 DNSSEC secured domains. DNSSEC adds digital signatures to DNS answers and helps to mitigate attacks on DNS name resolution.

The percentage of .ch domain names that are signed is still below 5%, but it is rising thanks to a few registrars like Infomaniak, OVH, Firestorm and netzone that sign domain names for their customers by default. The number of DNSSEC-signed .ch domain names rose 54% from 1.1.2019 to 1.1.2020.

By January 1st 2020 the .ch zone contained 100’065 domain names that are secured with DNSSEC

Top .ch domain names are just average regarding domain name security

While the number of DNSSEC signed .ch domain names is rising, it is also important that critical domain names are secured with DNSSEC. Unfortunately the rate of DNSSEC signed .ch domain names in the top 1000 .ch domains is also just at 5%, according to the .ch resilience report by hardenize.

DNSSEC Validation is up to 65%

To protect internet users from being directed to the wrong internet address, DNSSEC-signed domain names are not enough. Users also need to use a DNS resolver that validates the digital signatures of the DNSSEC-signed domain name. Switzerland is one of the countries in Europe with a high DNSSEC validation rate, around 65% according to APNIC measurements from Geoff Huston.

This shows Switzerland green on the APNIC map for DNSSEC validation in Western Europe

This is mainly because Swisscom, which has roughly a 50% share of all samples, started DNSSEC validation in August last year. Salt and smaller ISPs also validate DNSSEC on their DNS resolvers and help to improve the security of the Internet in Switzerland. Here is a list of ASNs in Switzerland with more than 1’000 measurements in the last 30 days.

With a rising number of domain names signed with DNSSEC and a validation rate of more than 65%, Switzerland is slowly catching up with Scandinavian countries that have a validation rate of over 80% and more than 50% of all domain names being signed with DNSSEC.

If you own a domain name, think about signing it, or ask your hosting provider whether it can provide DNSSEC signing for you.
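The resolver-side validation described above can be checked from a client. The following is an added example, not part of the original post: a stdlib-only Python sketch that queries a resolver for a DNSSEC-signed name with the DO and AD bits set and reads the AD bit and RCODE of the reply. The function names and the sample response headers are constructed for illustration.

```python
import secrets
import socket
import struct

QR, RD, AD = 0x8000, 0x0100, 0x0020   # DNS header flag bits (RFC 1035, RFC 4035)

def build_query(name, qtype=1, txid=0x1234):
    """Query for `name` with RD and AD set, plus an EDNS0 OPT record with the DO bit."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def classify(response, txid=0x1234):
    """Interpret the header of a response to a query for a DNSSEC-signed name."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"   # validating resolvers answer SERVFAIL when signatures fail
    if rcode != 0:
        return "error rcode=%d" % rcode
    # AD set: the resolver states it validated the answer. For a signed name,
    # a missing AD bit means this resolver did not validate.
    return "validated" if flags & AD else "not validated"

def ask(resolver_ip, name, timeout=3.0):
    """Send the query over UDP to an IPv4 resolver and classify the reply (needs network)."""
    txid = secrets.randbelow(0x10000)      # random ID on a real network
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (resolver_ip, 53))
        return classify(s.recvfrom(4096)[0], txid)

# Constructed 12-byte response headers (not captured traffic): QR|RD|RA, with and without AD.
SAMPLE_VALIDATING = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
SAMPLE_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, pkt in [("validating", SAMPLE_VALIDATING), ("plain", SAMPLE_PLAIN),
                       ("servfail", SAMPLE_SERVFAIL)]:
        print(label, "->", classify(pkt))
```

The AD bit is only as trustworthy as the path between the client and the resolver, so this check tells you what the resolver claims, not what an on-path attacker could rewrite.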

You can find more information about DNSSEC on the SWITCH website.

Author: Michael Hausding

Competence Lead DNS & Domain Abuse at SWITCH, the ccTLD registry for .ch & .li
