DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a suite of specifications for securing certain kinds of information provided by the Domain Name System (DNS) used in IP networks.

It does not solve every security problem related to DNS, but it will protect users from cache poisoning and other malicious DNS attacks. See DNSSEC FAQs for more info. Implementing DNSSEC is also a great excuse to finally clean up your DNS zones …

As such, if you have a domain used for a website that is important to your constituency you should implement DNSSEC.

DNSSEC in Europe

I wanted to get an overview of the DNSSEC situation in Europe. Instead of verifying the DNS records by hand (see for example the Debian Wiki), I used an online resource to do this.

I primarily used DNSViz, a tool for visualizing the status of a DNS zone. You can double-check the results with another online tool, dnssec-debugger from Verisign.

Data sources

I started with the list of European Countries and used the sites listed under Government to get the list of the “Official” government website for the different countries.

Besides getting the results for the official government websites I also included the results for the top level domain for that country. This was easy because DNSViz by default shows the entire chain, including the TLD. Note that in most cases the organization running the TLD is not the same as the organization running the official websites for their governments.

I based my results on the Status flag returned by DNSViz. A status of SECURE meant “supporting DNSSEC”, a status of INSECURE meant “not supporting DNSSEC”. I disregarded some of the DNSSEC errors that were shown by DNSViz.
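For readers who do want to check by hand, the following added example (not part of the original survey and not DNSViz code) classifies the text output of `dig +dnssec <zone> SOA`, sent through a validating resolver, into the SECURE/INSECURE statuses used here. The zone names, the sample output and the SIGNED-NOT-VALIDATED label are constructed for illustration.

```python
import re

def parse_dig(text):
    """Return (rcode, header flags, answer-section record types) from dig text."""
    rcode = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    types, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and not line.strip():
            in_answer = False                  # a blank line ends the section
        elif in_answer:
            types.append(line.split()[3])      # name ttl class TYPE rdata...
    return (rcode.group(1) if rcode else None,
            set(flags.group(1).split()) if flags else set(), types)

def classify(text):
    """Map one validating-resolver answer to a survey status."""
    rcode, flags, types = parse_dig(text)
    if rcode != "NOERROR":
        return "UNKNOWN"                # e.g. SERVFAIL: validation failure or outage
    if "ad" in flags:
        return "SECURE"                 # resolver validated the chain of trust
    if "RRSIG" in types:
        return "SIGNED-NOT-VALIDATED"   # hypothetical label: signatures but no AD bit
    return "INSECURE"

def share_secure(results):
    """Percentage of surveyed zones classified SECURE."""
    return 100 * sum(s == "SECURE" for s in results.values()) / len(results)

# Constructed, trimmed dig output for hypothetical zones under .example.
HDR = ";; ->>HEADER<<- opcode: QUERY, status: {}, id: 1\n;; flags: {}; QUERY: 1\n\n"
SOA = ";; ANSWER SECTION:\n{0}. 3600 IN SOA ns1.{0}. admin.{0}. 1 7200 900 1209600 3600\n"
SIG = "{0}. 3600 IN RRSIG SOA 13 2 3600 20300101000000 20291201000000 12345 {0}. c2ln\n"
SAMPLES = {
    "signed.example": HDR.format("NOERROR", "qr rd ra ad")
        + SOA.format("signed.example") + SIG.format("signed.example"),
    "island.example": HDR.format("NOERROR", "qr rd ra")
        + SOA.format("island.example") + SIG.format("island.example"),
    "unsigned.example": HDR.format("NOERROR", "qr rd ra") + SOA.format("unsigned.example"),
    "broken.example": HDR.format("SERVFAIL", "qr rd ra"),
}

if __name__ == "__main__":
    results = {zone: classify(text) for zone, text in SAMPLES.items()}
    for zone, status in results.items():
        print(f"{zone:20} {status}")
    print(f"{share_secure(results):.0f}% SECURE")
```

A zone that returns signatures without the AD flag is usually signed but has no DS record at its parent, or the resolver queried does not validate; a SERVFAIL is worth repeating with `dig +cd` to separate a validation failure from an outage.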

DNSSEC results

The results of the different queries can be found in the table below.

| Country | Government Domain | TLD |
|---|---|---|
| Austria | gv.at | .at |
| Belgium | belgium.be | .be |
| Bulgaria | government.bg | .bg |
| Croatia | vlada.hr | .hr |
| Cyprus | gov.cy | .cy |
| Czech Republic | vlada.cz | .cz |
| Denmark | denmark.dk | .dk |
| Estonia | valitsus.ee | .ee |
| Finland | valtioneuvosto.fi | .fi |
| France | gouvernement.fr | .fr |
| Germany | bundesregierung.de | .de |
| Greece | gov.gr | .gr |
| Hungary | magyarorszag.hu | .hu |
| Ireland | gov.ie | .ie |
| Italy | governo.it | .it |
| Latvia | gov.lv | .lv |
| Lithuania | lrv.lt | .lt |
| Luxembourg | gouvernement.lu | .lu |
| Malta | gov.mt | .mt |
| Netherlands | government.nl | .nl |
| Poland | polska.pl | .pl |
| Portugal | gov.pt | .pt |
| Romania | gov.ro | .ro |
| Slovakia | gov.sk | .sk |
| Slovenia | gov.si | .si |
| Spain | gob.es | .es |
| Sweden | government.se | .se |
| United Kingdom | gov.uk | .uk |

DNSSEC Findings

In summary, out of the 28 EU countries tested, only 7 countries had DNSSEC support for the domain of their government website, while 23 EU TLDs had DNSSEC support.

This means that only 25% of the domains used for the European government websites support DNSSEC. In contrast, more than 82% of the European TLDs already support DNSSEC.

The TLDs of Cyprus, Italy, Malta, Romania and Slovakia fail to support DNSSEC.

As of this moment only the government websites of the Czech Republic, Estonia, Greece, the Netherlands, Spain, Sweden and the United Kingdom support DNSSEC.

Conclusion

Although DNSSEC is not straightforward to implement, it is rather astonishing to see that only 25% of the government websites support DNSSEC for their domain. Furthermore, it is remarkable to see the discrepancy between the number of TLDs already supporting DNSSEC and the lack of DNSSEC implementation on the (local) government domains.

In 2010 ENISA published a Good practices guide for deploying DNSSEC. The European government websites should address the security shortcomings of DNS by implementing this advice.

Belgian banks

I was also interested in the results of some of the Belgian banks. Unfortunately none of the Belgian banks support DNSSEC.