DNSSEC stands for DNS Security Extensions and when it is functioning it is an important security protocol to help ensure that the websites you are accessing are the ones you expect them to be. But how does it function and what does it all mean to me, the individual web user?
The Domain Name System, known as the DNS, is critical for the operation of the Internet. The DNS is the yellow pages of the Internet and is mainly used to convert domain names (such as www.cira.ca) to IP addresses (such as 126.96.36.199). DNSSEC is a new feature of the Internet to enhance the integrity of the DNS address resolution and make the Internet a safer place. The Internet Society DNSSEC Deploy360 programme is a great resource for everything DNSSEC.
“DNS Security Extensions,” commonly known as DNSSEC, provide a way to be sure that you are communicating with the correct website or other service. Before you connect to a website, your browser has to retrieve the IP address of the site using DNS. However, it is possible for an attacker to intercept your DNS queries and provide false information that would cause your browser to connect to a fake website where you could potentially provide personal information (for example, what you think is a bank website). DNSSEC provides a level of additional security where the web browser can check to make sure the DNS information is correct and was not modified. Note, too, that DNSSEC is NOT only for the Web, but also can be used by any other Internet service or protocol. We’re already seeing interesting uses of DNSSEC with email (SMTP), instant messaging and voice-over-IP."
First off, don't panic. DNSSEC is an emerging standard that is still being deployed through the Internet's infrastructure. However, because the Internet is a "network of networks" it is essentially the responsibility of each network provider to implement the technology. Worldwide there has been a massive push to support DNSSEC. Registries, Registrars, DNS hosting providers and ISPs have all started to both sign and validate DNSSEC signed domains.
What does the CIRA Internet Performance Test tell me about DNSSEC?
The CIRA Internet Performance Test is designed to connect and retrieve data from two DNSSEC protected websites where one site is configured correctly and the other is not. If the test is able to retrieve data from the incorrectly configured website then that means you are not protected with DNSSEC benefits. Your computer, your home network and Internet Service Provider (ISP) connection all must support the newest DNS features to enable DNSSEC validation in order to pass the test.
The following two URLs point to the same IP address, but only one of them provides an authentic valid DNSSEC response.
- Valid DNSSEC signature to prove authenticity of web site. You should see a page with "ok".
- Invalid DNSSEC signature. If DNSSEC is enabled, you should not be able to connect to this website and not see the "ok" page.
Failed test, Your DNS is not protected with DNSSEC, an attacker could make you connect the incorrect web site.
What can I do?
Globally, there are over 35 countries with high penetration of DNSSEC (defined here as over 30% of servers capable of validating). This includes OECD countries that are traditionally thought of as similar to Canada, like Sweden (67%) and Finland (41%). However, you may be surprised to learn that our closest neighbor, the United States has 23% of servers capable of validation due to Comcast's leadership in this space. The point is, at the date of publication of this article, a paltry 12% of Canada's Internet is DNSSEC-ready.
Can you be part of the future? You bet, there are several ISPs that are leaders in this space and you can use this handy tool to see DNSSEC penetration by country and by ASN number (i.e. the network operator ID). You can also contact your ISP and request that they get onboard with DNSSEC to help build demand within Canada.