DNSSEC
The Domain Name System Security Extensions (DNSSEC) is a suite of specifications for securing certain kinds of information provided by the Domain Name System (DNS) used in IP networks.
It does not solve every security problem related to DNS but it will protect users from cache poisoning and other malicious DNS attacks. See DNSSEC FAQs for more info. And implementing DNSSEC is also a great excuse to finally clean up your DNS zones …
As such, if you have a domain used for a website that is important to your constituency you should implement DNSSEC.
DNSSEC in Europe
I wanted to get an overview of the DNSSEC situation in Europe. Instead of verifying the DNS records by hand (see for example the Debian Wiki) I used an online resource to do this.
I primarily used DNSViz, a tool for visualizing the status of a DNS zone. You can double check the results with another online tool (from Verisign) dnssec-debugger.
Data sources
I started with the list of European Countries and used the sites listed under Government to get the list of the “Official” government website for the different countries.
Besides getting the results for the official government websites I also included the results for the top level domain for that country. This was easy because DNSViz by default shows the entire chain, including the TLD. Note that in most cases the organization running the TLD is not the same as the organization running the official websites for their governments.
I based my results on the Status flag returned by DNSViz. A status of SECURE meant “supporting DNSSEC”, a status of INSECURE meant “not supporting DNSSEC”. I disregarded some of the DNSSEC errors that where shown by DNSViz.
DNSSEC results
The results of the different queries can be found in the table below
| Country | Government Domain | TLD |
|---|---|---|
| Austria | gv.at | .at |
| Belgium | belgium.be | .be |
| Bulgaria | government.bg | .bg |
| Croatia | vlada.hr | .hr |
| Cyprus | gov.cy | .cy |
| Czech Republic | vlada.cz | .cz |
| Denmark | denmark.dk | .dk |
| Estonia | valitsus.ee | .ee |
| Finland | valtioneuvosto.fi | .fi |
| France | gouvernement.fr | .fr |
| Germany | bundesregierung.de | .de |
| Greece | gov.gr | .gr |
| Hungary | magyarorszag.hu | .hu |
| Ireland | gov.ie | .ie |
| Italy | governo.it | .it |
| Latvia | gov.lv | .lv |
| Lithuania | lrv.lt | .lt |
| Luxembourg | gouvernement.lu | .lu |
| Malta | gov.mt | .mt |
| Netherlands | government.nl | .nl |
| Poland | polska.pl | .pl |
| Portugal | gov.pt | .pt |
| Romania | gov.ro | .ro |
| Slovakia | gov.sk | .sk |
| Slovenia | gov.si | .si |
| Spain | gob.es | .es |
| Sweden | government.se | .se |
| United Kingdom | gov.uk | .uk |
DNSSEC Findings
In summary this means that out of the 28 EU countries tested, only 7 countries had DNSSEC support for the domain for their government websites and 23 EU TLDs had DNSSEC support.
This means that only 25% of the domains used for the European government websites support DNSSEC. In contrast, more than 82% of the European TLDs already support DNSSEC.
The TLDs of
- Cyprus
- Italy
- Malta
- Romania
- Slovakia
fail to support DNSSEC.
As of this moment only the government websites of
- Czech Republic
- Estonia
- Greece
- Netherlands
- Spain
- Sweden
- United Kingdom
support DNSSEC.
Conclusion
Although DNSSEC is not straightforward to implement it is rather astonishing to see that only 25% of the government websites support DNSSEC for their domain. Furthermore it is remarkable to see the discrepancy between the number of TLDs already supporting DNSSEC and the lack of implementation of DNSSEC with the (local) government domains.
ENISA has published -in 2010- a Good practices guide for deploying DNSSEC. The European government websites should address the security shortcomings of DNS by implementing this advice.
Belgian banks
I was also interested in the results of some of the Belgian banks. Unfortunately none of the Belgian banks support DNSSEC.
| Bank | Site |
|---|---|
| Argenta | argenta.be |
| KBC | kbc.be |
| Belfius | belfius.be |
| BNP Paribas | bnpparibas.com |
| ING | ING |
You may be interested in: https://www.phishingscorecard.com/
Or in the huge DNSSEC inventory DNSSEC.nl did last year, basically publishing similar conclusions about domains of government organizations and financials:
http://www.dnssec.nl/cases/dnssec-inventarisatie-grote-verschillen-tussen-sectoren-1.html