
Bang for the Buck: the Adoption of DNSSEC and Return on Investment

Rene Bakker — 03 Apr 2018
The current perspective on cyber security is still dominated by the technical nature of many security issues. Within the technical community there is consensus about the necessity of providing a secure DNS, guaranteeing integrity and authentication of the presented domain name. Although there are challenges, there is progress.

Open source software has been developed that enables registrars and access providers to adopt DNSSEC at reasonable cost. Availability problems caused by bogus domain names have diminished over the last few years.

Although there are positive results (49% of .nl domain names are DNSSEC signed), there are also other statistics that cause concern. Recent research from SIDN (the .nl registry) points out that there are large differences between sectors when it comes to adopting DNSSEC. Within the (semi-) public sector most of the domain names are signed, while the banking sector has almost completely ignored the solution. In addition to this, currently only one out of five Dutch access providers supports DNSSEC. Since security is intransitive, one missing part in the chain will diminish the advantages of DNSSEC.

There are obviously other factors than the properties of DNSSEC that explain the observed differences. In this article I will briefly discuss some economic aspects that play an important role in the adoption of DNSSEC. To do this, the adoption level of several actors will be explained by analysing costs and benefits. Concepts borrowed from microeconomics, such as market failures and misaligned incentives, will be used to understand the behaviour of the actors that together provide Internet services to the end-user.

Market failures and registrars

Domain registrars play an important role in deploying DNSSEC. They provide a secured domain name to their customers, the registrants. The market for domain names can be considered a commodity market. The registration of domain names is a low-margin business, usually complementary to conventional ISP services like webhosting and e-mail. There are about 1,350 registrars in the Netherlands that register available domain names. Many registrars compete on price. Some registrars position themselves as safe and secure, usually with a small market share.

Only a minority of the registrars offers DNSSEC signed domains. Approximately one out of ten registrars presents DNSSEC as the default. For a registrant, the challenge is to choose a good name that is available. Security reasons hardly play a role in choosing a registrar, and it is not easy for a registrant to tell whether a registrar offers DNSSEC at all. In many cases price is the most important criterion. Large companies like KPN and GoDaddy offer domain names at a low price, but DNSSEC is an option that comes with considerable extra costs (and is cumbersome to activate).

Registrar    DNSSEC   Costs on a yearly basis [1]
On average   No       EUR 4.00
KPN          No [2]   EUR 3.96
GoDaddy      No [3]   EUR 3.99
TransIP      Yes      EUR 7.49
BIT          Yes      EUR 15.00 - 20.00
ISP          Yes      EUR 24.00
XS4all       Yes      EUR 30.00

Costs for registration of a domain name under .nl

Footnotes

[1] Retrieved from prices as presented on the websites of KPN, GoDaddy, TransIP and XS4all, and from interviews with BIT and ISP on 23 October 2017. Temporary price cuts are left out.
[2] Optional use of DNSSEC costs an additional EUR 20 per year.
[3] GoDaddy offers a ‘premium package’ that does include DNSSEC; it costs EUR 35 per year.


Cost differences between a regular and a signed domain are considerable. The largest registrars do not offer DNSSEC (by default) and sell domain names for a low price. It is very likely that this is caused by registrants being unaware of the advantages of DNSSEC signed domain names. Only with tools such as Internet.nl, or with the browser extensions that exist for Firefox or Chrome, can one see whether DNSSEC is used. Since the registrant is unaware, there is pressure to lower the price. As a result, the ‘bad’ products (no DNSSEC) drive out the ‘good’ (DNSSEC signed).

But even if the registrant is aware of the advantages, there are other considerations that cause registrants not to adopt DNSSEC. It is the registrant who pays the much higher price for a signed domain name, but it is not the registrant who profits from it: the end-user does. Since liability is difficult to address, there is not much incentive to provide a secure domain name.

So, it is no surprise that registrars that do offer DNSSEC indicate that only a minority of the registrants asks for DNSSEC. Those who do are often (semi-) public institutions. Some ISPs that offer DNSSEC are small, innovative businesses positioned in the high-end market. Their core business is to build platforms, and domain names are a prerequisite for doing so. Since the costs of a domain name are negligible compared to building a platform, the somewhat higher costs (EUR 15-20 on a yearly basis) of a DNSSEC domain name are not a problem.

Incidents are hard to relate to DNS abuse

About a decade ago Kaminsky proved that vulnerabilities in the DNS can be exploited. If the DNS is corrupted (for instance by ‘cache poisoning’), the end-user can be directed to a malicious website. This is risky when sensitive (personal) information is exchanged or a financial transaction is done. Mail security is also tied to (the security of) the DNS: a network attacker can spoof the DNS records of a mail server to redirect mail connections to a malicious server.

One could state that the strongest incentive for adopting DNSSEC from a security perspective is safer e-mail. E-mail by itself is not protected against eavesdropping, forgery or manipulation. For an average user, it is very hard to establish the authenticity of the sender. Also, phishing mails are getting better, and it is becoming difficult to tell an original message from a phishing mail. DNSSEC in combination with STARTTLS makes it possible to deliver e-mail (SMTP) over a secured connection. This could help to reduce phishing, still by far the most important trigger for cyber security incidents.

There are also several other ways to phish without abusing the DNS. It can be done, for instance, by URL spoofing: the URL of a bank is mimicked, so the end-user thinks the real website is visited while it is a fake one. Phishing can also use domain names with look-alike characters that resemble the real URL. Compromised domains can be masked with URL shorteners, so the visitor cannot determine the real web address being visited. Moreover, there are only a few known cases related to the abuse of DNS.

In summary, this means that the actual damage or relevance of DNS abuse is hard to determine. There are no reliable figures about the damage done by cybercrime related to the DNS. A clear majority of cybercrime starts with e-mail, but there are many ways to manipulate the end-user other than by abusing the DNS. The actual effect on phishing of securing e-mail with DNSSEC is therefore hard to establish. It is obvious that DNSSEC enhances the security of e-mail, but the exact impact remains unknown.

For private parties (banks, for example) this is a point of concern, since the decision to invest is based on the expected return on investment. A bank will only invest in security if there is a good reason to do so. Since there aren't many security incidents related to the DNS, this is not the case. An unwritten rule within the financial sector is that banks do not compete on cyber security. This often means that there is no urge to act, because competitors do not act either. The problem of missing DNSSEC is simply not serious enough.

No business case for access providers

For ISPs that provide Internet access to their customers, availability of services is key. Adopting DNSSEC validation can infringe on this availability. If a signature does not validate (for instance because it has expired), the website cannot be reached by a visitor whose resolver performs DNSSEC validation. Such a website with a bogus domain name is unreachable through a validating resolver but can still be reached through regular resolution. To the average user, the ‘fault’ lies with his access provider, which leads to many phone calls to these ISPs. Since the average cost of a phone call to the helpdesk is about EUR 50, this is very costly for ISPs. Availability of services is also a main concern for banks: in the case of a bogus domain name, the website of the bank can become unreachable, a serious issue for the bank. Due to a monitoring programme initiated by SIDN this problem has diminished (from around 4% to the current level of 0.0012%), but DNSSEC is still perceived as risky by access providers.
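The expiry failure described above is easy to monitor for on the signing side. The following is an added example, not code from the article or from SIDN's monitoring programme: it parses RRSIG records in presentation format (constructed sample data, not a real zone) and reports which signatures a validating resolver would already treat as bogus and which are about to expire, comparing timestamps with the serial arithmetic RFC 4034 prescribes so that a wrap past 2^32 is handled too.

```python
from datetime import datetime, timezone
# Constructed sample RRSIG records in presentation format (not real zone data).
SAMPLE_RRSIGS = """\
example.nl.      3600 IN RRSIG A  13 2 3600 20180420000000 20180330000000 12345 example.nl. c2lnMQ==
www.example.nl.  3600 IN RRSIG A  13 3 3600 20180401000000 20180301000000 12345 example.nl. c2lnMg==
mail.example.nl. 3600 IN RRSIG MX 13 3 3600 20180405120000 20180329120000 12345 example.nl. c2lnMw==
"""

def to_serial(ts):
    """RRSIG presentation time (YYYYMMDDHHmmSS, UTC) -> 32-bit seconds serial."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF

def serial_lt(a, b):
    """RFC 1982 'a < b' on 32-bit serials, so the check survives wrap past 2^32."""
    d = (b - a) & 0xFFFFFFFF
    return 0 < d < 0x80000000

def parse_rrsig(line):
    """Pull the validity-window fields out of one RRSIG presentation line."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"owner": f[0], "covers": f[4],
            "expiration": to_serial(f[8]), "inception": to_serial(f[9]),
            "keytag": int(f[10]), "signer": f[11]}

def classify(sig, now, warn_seconds=7 * 86400):
    """Status of one signature at time `now`, as a validating resolver sees it."""
    if serial_lt(now, sig["inception"]):
        return "not_yet_valid"
    if serial_lt(sig["expiration"], now):
        return "expired"       # resolver returns SERVFAIL: the 'bogus' case
    if serial_lt(sig["expiration"], (now + warn_seconds) & 0xFFFFFFFF):
        return "expiring"      # still valid, but re-signing is overdue
    return "ok"

def check_zone(text, now):
    """Classify every RRSIG in `text`; keys are 'owner/type covered'."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            sig = parse_rrsig(line)
            report[sig["owner"] + "/" + sig["covers"]] = classify(sig, now)
    return report

if __name__ == "__main__":
    now = to_serial("20180403000000")   # the article's date, for a reproducible run
    for name, status in check_zone(SAMPLE_RRSIGS, now).items():
        print(f"{status:14s} {name}")
```

Run against a real zone, the "expired" entries are exactly the names that validating resolvers at the 22% of users mentioned below can no longer reach, while "expiring" entries are the ones a re-signing job must refresh first.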

Adopting DNSSEC is quite costly for access providers. Open source software is available for these ISPs, and implementing it is not very complex (in one case, it was implemented in four weeks by two employees). Sometimes investment in new hardware is needed: a large ISP also has a large resolver infrastructure, and new hardware for it can be costly. In many cases, however, the infrastructure is over-dimensioned and the larger DNSSEC responses cause no problems. Most of the effort to adopt DNSSEC goes into educating employees and aligning (new) processes within the organisation. Because of this, adopting DNSSEC requires a substantial investment for large access providers (EUR 200,000 - 300,000).

Against these downsides there are hardly any advantages for access ISPs in terms of higher revenues. Customers in general are not aware of DNSSEC validation by their ISP, or not prepared to pay more for it. So, it is no surprise that neither KPN nor Ziggo (together 80 - 85% of the market) provides DNSSEC validation; only some smaller ISPs do. As a result, the current level of validation in the Netherlands is approximately 22%.

Since access providers can only lose by adopting DNSSEC, it is not very likely that ISPs will adopt DNSSEC validation in the near future. The low validation rate (22%) among access providers is in turn a reason for other stakeholders not to invest in DNSSEC adoption. Thus, a ‘chicken-and-egg’ situation exists. Without intervention by policymakers, it is not likely that adoption levels will increase.

Concluding remarks

Although there is an adequate technical solution for DNSSEC adoption available for both registrars and access providers, statistics show mixed results. Signed domains are quite common (49%), but adoption remains low among access providers and some sectors like the banking industry. As discussed in these examples, there are reasons to believe that misaligned incentives and market failures cause this. Also, risks like unsecured DNS do not seem to materialise very often.

The question is how worrisome these adoption levels are. A central element in the approach should be a risk analysis, since such an analysis legitimises investments in cyber security. If a risk analysis points out that risks are limited or acceptable, it makes sense not to invest in a signed domain; it is rational to accept some degree of insecurity. In other cases, lack of adoption can be problematic, for instance where sensitive (personal health or financial) information is exchanged. In those cases, liability should be properly addressed.

The main issue is how the number of (DNS-related) cyber security incidents that can be prevented with DNSSEC will develop. This is difficult to predict, and better measurement and data about these incidents are needed. There are other developments as well. New legislation like the GDPR is being prepared, including severe penalties for data leaks and a duty to inform. This will very likely have an impact on the return on investment of cyber security measures in the near future.


1 Comment

Willem Toorop says:
04 Apr, 2018 11:33 AM
DNSSEC is not just a security measure, it is also a viable alternative for the flawed PKIX based on Certificate Authorities. With DANE (the DNSSEC based PKIX) domain owners can vouch for their own services themselves, without needing the third-party Certificate Authority. DANE is already increasingly used with infrastructural services such as SMTP, but currently uptake on end-points is hampered by interfering middle-boxes.

Benno Overeinder wrote an excellent blog-post on these matters earlier this year: https://labs.ripe.net/Membe[…]and-privacy-to-the-end-user

Work to overcome the issues in bringing DNSSEC to the end-user devices is in progress, for example with the DNSSEC chain TLS extension, with which the DANE record, including all DNSSEC data needed to authenticate a TLS session, is transferred in band in the TLS session, bypassing the DNSSEC-hampering middleboxes: https://datatracker.ietf.org/[…]/