Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Alternative GovCERT.ch PGP Key (for older versions of PGP without Curve25519 support)
Published on September 17, 2020 09:03 +0200 by GovCERT.ch (permalink)
Last updated on September 17, 2020 09:03 +0200
Since the introduction of the Domain Name System (DNS) in 1987 (RFC1034 / RFC1035), more than 30 years have passed. The internet became as crucial as food and power supply. Back in 1987, the inventors and engineers of DNS probably never thought that the internet would become such a big and crucial thing for the 21th century. As a result, DNS comes with a handful of weaknesses that can be exploited by threat actors for malicious purposes. In the past years, the community reacted on those threats with several enhancements to the protocol to strengthen the DNS eco system and make it more resilient against such attacks. One of those techniques are the “Domain Name System Security Extensions” (DNSSEC) that guarantees the authenticity and integrity of the DNS.
In 2015, GovCERT.ch launched a survey on the Swiss Top-Level-Domain (TLD) .ch that has shown that only 0.30% are using DNSSEC. In the meantime, 5 years have passed which is why we decided to launch another survey on the Swiss Top-Level-Domain (TLD) .ch. The question we want to answer is: What’s the adoption rate of security mechanisms that rely on DNS within ccTLD .ch? In our analysis, we have not only checked the adoption rate of DNSSEC for ccTLD .ch domains but also other security extensions that can be implemented on the DNS level:
In a nutshell: SPF allows receiving mailservers to check if the sending mailserver is allowed to send email on behalf of a certain domain. DMARC is a combination of SPF, DKIM (Domain Keys identified Mail) and a policy on how to proceed with failures. CAA allows an organization to publish the information which Certificate Authorities (CAs) are authorized to issue certificates for the domain(s) of their organization.
To conduct our survey, we have obtained a copy of the ccTLD .ch zone from SWITCH who is the domain registry for .ch. The data contains all active delegations .ch (note: the dataset does not contain any information about domain owners. It only contains technical information required by the DNS to ensure that the domain name resolves), e.g. the authoritative name servers.
As of 15th August 2020, more than 2’330’00 domain names have been registered. When conducting our survey, 2’313’465 where present in the zone.
The following table shows the raw number of tested domains including the number of domain names that have a specific security feature enabled.
Having a look at these numbers, we can make the following conclusions:
We conclude that the implementation of security mechanisms in the DNS has still a rather low adoption rate, which increases the attack surface of domain names that are not using such technologies. There might be various reasons for this:
NCSC/GovCERT.ch believes that a broader adoption of the security mechanisms mentioned above will strengthen the resilience of .ch domains against cyber threats and manipulation. We therefore make the following recommendations:
Back to top