Bang for buck: the adoption of DNSSEC and return on investment

By Rene Bakker on 24 Apr 2018

Category: Tech matters



The current perspective on cybersecurity is still dominated by the technical nature of many security issues. Within the technical community, there is consensus about the necessity of a secure DNS that guarantees the integrity and origin authenticity of DNS answers, which is what DNSSEC provides (it does not provide confidentiality). Although there are challenges, there is progress.

Open source software has been developed that enables registrars and access providers to adopt DNSSEC at reasonable cost. Problems with availability, caused by 'bogus' domain names (names whose signatures fail validation, for instance because they have expired), have diminished in recent years.

Although there are positive results (49% of .nl domain names are DNSSEC signed), there are also other statistics that are cause for concern.

Recent research from SIDN (the .nl registry) reveals that there are large differences between sectors when it comes to adopting DNSSEC. Within the (semi-)public sector most domain names are signed, while the banking sector has almost completely ignored the solution. In addition, currently only one out of five Dutch access providers validates DNSSEC on its resolvers.

There are obviously factors other than the properties of DNSSEC that explain the observed differences. However, DNSSEC is only as strong as its weakest link: the zone must be signed, the registrar must publish the DS record at the parent, and the end user's resolver must validate. One missing part in this chain removes the advantages of DNSSEC for that user.

In this article, I will discuss the economic aspects that play an important role in the adoption of DNSSEC. The adoption level of several actors will be explained by analyzing their costs and benefits. Concepts from microeconomics, like market failures and misaligned incentives, will be used to understand the behaviour of the actors that, together, provide Internet services to the end user.

Market failures and registrars

Domain registrars play an important role in deploying DNSSEC: they provide a signed domain name to their customers, the registrants.

The market for domain names can be considered a commodity market. The registration of domain names is a low-margin business, usually complementary to conventional ISP services like web hosting and email.

There are about 1,350 registrars in the Netherlands that register available domain names. Many registrars compete on price. Some registrars position themselves as safe and secure, usually with a small market share.

Only a minority of the registrars offer DNSSEC-signed domains; approximately one out of ten registrars signs domain names by default. It is not easy for a registrant to tell whether a registrar offers DNSSEC.

For a registrant, the challenge is to choose a good name that is available; security reasons hardly play a role in choosing a registrar.

In many cases, the price is the most important criterion. Large companies like KPN and GoDaddy offer domain names cheaply, with DNSSEC as an option that comes at considerable extra cost (and is cumbersome to activate).

Registrar     DNSSEC   Costs per year
On average    No       EUR 4.00
KPN           No       EUR 3.96
GoDaddy       No       EUR 3.99
TransIP       Yes      EUR 7.49
BIT           Yes      EUR 15.00 – 20.00
ISP           Yes      EUR 24.00
XS4all        Yes      EUR 30.00

Table 1: Costs for registration of a domain name under .nl. Prices as listed on the websites of KPN, GoDaddy, TransIP and XS4all, and as given in interviews with BIT and ISP, on 23 October 2017. Temporary price cuts are left out. In the case of KPN, optional use of DNSSEC costs an additional EUR 20.00 per year. GoDaddy offers a 'premium package' that does include DNSSEC, which costs an additional EUR 35.00 per year.

Cost differences between a regular and a signed domain are considerable. The largest registrars do not offer DNSSEC (by default) and sell domain names at a low price. It is very likely that this is caused by registrants' unawareness of the advantages of DNSSEC-signed domain names. Only with tools like Internet.nl or browser extensions, such as exist for Firefox or Chrome, is it possible to see if DNSSEC is used; the underlying check is whether the parent zone (.nl) publishes a DS record for the name, which is what turns a signed zone into a secure delegation. Since the registrant cannot tell the products apart, there is pressure to lower the price. As in Akerlof's 'market for lemons', the 'bad' products (no DNSSEC) drive out the 'good' (DNSSEC signed).

But even if the registrant is aware of the advantages, there are also other considerations that cause registrants to not adopt DNSSEC.

It is the registrant who pays the higher price for a signed domain name, but it is the end user who profits from it. Since liability is difficult to assign, there is not much incentive to provide a signed domain name.

So it is not surprising that registrars that do offer DNSSEC indicate that only a minority of registrants ask for it. Those who do are often (semi-)public institutions. Some ISPs that offer DNSSEC are small, innovative businesses positioned in the high-end market. Their core business is to build platforms, and domain names are a prerequisite for doing so. Since the cost of a domain name is negligible when a platform is built, the somewhat higher cost (EUR 15.00 to 20.00 per year) of a DNSSEC-signed domain name is not a problem.

Incidents are hard to relate to DNS abuse

About a decade ago, in 2008, Dan Kaminsky showed that cache poisoning of DNS resolvers was practical rather than merely theoretical. If a resolver's cache is poisoned, the end user can be directed to a malicious website. This is risky when sensitive (personal) information is exchanged or a financial transaction is made. Mail security is also tied to the security of the DNS: a network attacker who can spoof the MX records of a mail domain, or the address records of its mail server, can redirect mail connections to a malicious server.

One could state that the strongest incentive for adopting DNSSEC, from a security perspective, is safer email.

Email, by itself, is not protected against eavesdropping, forgery, or manipulation. For an average user, it is very hard to establish the authenticity of the sender. Also, phishing mail is getting better, and it is becoming difficult to tell the difference between a genuine message and a phishing mail.

DNSSEC in combination with STARTTLS makes it possible to force email (SMTP) over a secure connection. The mechanism is DANE for SMTP (RFC 7672): the receiving domain publishes a TLSA record, protected by DNSSEC, that tells the sending mail server that the MX host supports TLS and which certificate (or public key) it must present, so a network attacker can no longer strip STARTTLS or substitute a certificate. Note that this protects the transport between mail servers; it does not by itself prove who wrote a message. This could help to reduce phishing — still by far the most important trigger for cybersecurity incidents.
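As an added example (not part of the original article), the following Python models what DANE for SMTP adds on top of DNSSEC and STARTTLS: it generates the TLSA record a zone operator would publish for an MX host and performs the check a sending mail server does on the certificate it is shown. The certificate is a constructed skeleton with the X.509 field order but no real signature, names or key; `mx.example.nl` is a hypothetical host, and the DER helpers, `build_fake_cert` and all other names are this example's own.

```python
"""DANE for SMTP (RFC 7672): the TLSA record an MX publishes in a
DNSSEC-signed zone, and the check a sending MTA makes after STARTTLS.
Added example with a constructed certificate, not code from the article."""
import hashlib
import hmac


def der(tag: int, content: bytes) -> bytes:
    """Encode one definite-length DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _tlv_bounds(buf: bytes, i: int):
    """Return (tag, content_offset, end_offset) for the TLV at buf[i]."""
    tag, n, j = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[j:j + k], "big")
        j += k
    return tag, j, j + n


def der_children(tlv: bytes):
    """Split a constructed DER element into its (tag, full_tlv) children."""
    _, i, end = _tlv_bounds(tlv, 0)
    out = []
    while i < end:
        tag, _, child_end = _tlv_bounds(tlv, i)
        out.append((tag, tlv[i:child_end]))
        i = child_end
    return out


def subject_public_key_info(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of a certificate (what TLSA selector 1
    hashes).  Walk Certificate -> tbsCertificate -> [version] serial
    signature issuer validity subject subjectPublicKeyInfo."""
    tbs = der_children(cert_der)[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:          # explicit [0] version is optional
        fields = fields[1:]
    return fields[5][1]


def tlsa_rdata(cert_der: bytes, usage=3, selector=1, mtype=1):
    """Build (usage, selector, matching_type, hex_data).  Defaults give
    DANE-EE / SPKI / SHA-256 ("3 1 1"), the form RFC 7672 recommends for
    MX hosts: it survives CA changes and needs no PKIX chain building."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if mtype == 0:
        cad = data
    elif mtype == 1:
        cad = hashlib.sha256(data).digest()
    elif mtype == 2:
        cad = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown TLSA matching type")
    return (usage, selector, mtype, cad.hex())


def tlsa_presentation(mx_host: str, record) -> str:
    """Zone-file line for port 25/TCP of the MX host (hypothetical name)."""
    usage, selector, mtype, cad = record
    return f"_25._tcp.{mx_host} IN TLSA {usage} {selector} {mtype} {cad}"


def tlsa_matches(record, presented_cert_der: bytes) -> bool:
    """DANE-EE check: recompute the association data from the certificate
    the server presented and compare in constant time.  Only usage 3 is
    modelled; usages 0-2 would additionally need PKIX chain validation."""
    usage, selector, mtype, _ = record
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is shown here")
    computed = tlsa_rdata(presented_cert_der, usage, selector, mtype)
    return hmac.compare_digest(computed[3], record[3])


def build_fake_cert(public_key_bytes: bytes) -> bytes:
    """Constructed certificate skeleton, NOT a real X.509 certificate: only
    the field order matters so subject_public_key_info() can find the SPKI."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
              + der(0x05, b""))                      # rsaEncryption, NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + public_key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))    # version v3
              + der(0x02, b"\x01")                   # serialNumber
              + der(0x30, b"") + der(0x30, b"")      # signature, issuer (stubs)
              + der(0x30, b"") + der(0x30, b"")      # validity, subject (stubs)
              + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


# Constructed sample data: the MX's certificate, the record the zone
# operator publishes (and signs with DNSSEC), and the certificate an
# on-path attacker presents after redirecting the SMTP connection.
MX_CERT = build_fake_cert(b"mx-public-key-" + bytes(range(32)))
MX_TLSA = tlsa_rdata(MX_CERT)
ATTACKER_CERT = build_fake_cert(b"attacker-key-" + bytes(range(32)))

if __name__ == "__main__":
    print(tlsa_presentation("mx.example.nl.", MX_TLSA))
    print("genuine MX accepted:", tlsa_matches(MX_TLSA, MX_CERT))
    print("substituted cert   :", tlsa_matches(MX_TLSA, ATTACKER_CERT))
```

The record is only useful when the sending server obtained it from a DNSSEC-validated answer: without the signature chain, an attacker who can spoof DNS could simply publish a TLSA record for their own key, which is why DANE exists only in combination with DNSSEC.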

There are also several ways of phishing that do not abuse the DNS. It can be done, for instance, by URL spoofing: the URL of a bank is mimicked so that the end user thinks the real website is being visited while it is a fake one. Phishing can also use look-alike characters in domain names (homoglyphs), so that the name resembles the real one. Links can be hidden behind URL shorteners too, so visitors cannot determine the real web address before they visit it. Also, there are only a few known cases related to the abuse of the DNS.

In summary, this means that the actual damage or relevance of DNS abuse is hard to determine. There are no reliable figures about the damage done by DNS-related cybercrime. A clear majority of cybercrime starts with email, but there are many ways to manipulate the end user other than by abusing the DNS. The actual effect of securing email with DNSSEC on phishing is therefore hard to establish; it is obvious that DNSSEC enhances the security of email, but the exact impact remains unknown.

For private parties, banks for example, this is a point of concern, since the decision to invest is based on the expected return on investment. A bank will only invest in security if there is a good reason to do so. Since there are not many security incidents related to the DNS, this is not the case. An unwritten rule within the financial sector is that banks do not compete on cybersecurity. This often means that there is no urge to act because competitors also do not act. The problem of missing DNSSEC is simply not considered serious enough.

No business case for access providers

Availability of services is key for ISPs that provide access to their customers. Adopting DNSSEC validation can put this availability at risk. If a signature fails validation (for instance because it has expired), the domain name is 'bogus': a user behind a DNSSEC-validating resolver cannot reach the website, while a user behind a non-validating resolver reaches it as before.

From the point of view of the average user, the 'fault' lies with their access provider, because it is the provider's resolver that returns the error. This leads to many phone calls to these ISPs. Since the average cost of a phone call to a helpdesk is about EUR 50.00, this is very costly for ISPs.

Availability of services is also a main concern for banks. If a bank's domain name goes bogus, its website becomes unreachable for validating users, a serious issue for the bank. Thanks to a monitoring program initiated by SIDN, this problem has diminished (from around 4% to the current 0.0012%), but DNSSEC is still perceived as risky by access providers.
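To make the 'bogus domain' failure mode concrete, here is an added example (not code from the article or from SIDN) that models how a validating and a non-validating resolver answer for a zone whose RRSIG has expired. The RRSIG timing values and the name `example.nl` are constructed; `resolve` and the other names are this example's own. It also shows the serial-number comparison that RFC 4034 prescribes for RRSIG times, and the effect of the client's CD (checking disabled) bit.

```python
"""Validating vs. non-validating resolver behaviour for an expired RRSIG.
Added example with constructed data; the comparison rules follow
RFC 4034 section 3.1.5 (serial arithmetic) and RFC 4035 section 3.2.2 (CD)."""
from datetime import datetime, timezone

SERIAL_BITS = 2 ** 32
SERIAL_HALF = 2 ** 31


def rrsig_time(presentation: str) -> int:
    """Convert an RRSIG inception/expiration field (YYYYMMDDHHmmSS, UTC)
    to the 32-bit value carried on the wire."""
    dt = datetime.strptime(presentation, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % SERIAL_BITS


def serial_lte(a: int, b: int) -> bool:
    """a <= b in RFC 1982 serial-number arithmetic.  RFC 4034 requires
    RRSIG times to be compared this way so that the 2106 wrap of the
    32-bit field does not turn every signature bogus."""
    return (b - a) % SERIAL_BITS < SERIAL_HALF


def rrsig_is_valid_at(inception: int, expiration: int, now: int) -> bool:
    """Inception <= now <= expiration, all in serial arithmetic."""
    return serial_lte(inception, now) and serial_lte(now, expiration)


def resolve(rrsig: dict, now: int, validating: bool, checking_disabled: bool = False):
    """Return (rcode, ad_flag) as the client sees it.

    A validating resolver that finds the signature outside its validity
    window marks the data bogus and answers SERVFAIL, unless the client
    set CD, in which case it returns the unvalidated data with AD clear.
    A non-validating resolver never sets AD and never notices the expiry."""
    if not validating:
        return "NOERROR", False
    if rrsig_is_valid_at(rrsig["inception"], rrsig["expiration"], now):
        return "NOERROR", True
    if checking_disabled:
        return "NOERROR", False
    return "SERVFAIL", False


# Constructed RRSIG for a hypothetical zone: signed on 2 October 2017 with a
# 30-day validity and never re-signed, the usual operational cause of a
# bogus .nl name.
RRSIG_EXAMPLE_NL = {
    "owner": "example.nl.",                      # hypothetical name
    "inception": rrsig_time("20171002000000"),
    "expiration": rrsig_time("20171101000000"),
}

# Two query moments: inside the window, and a week after expiry.
T_VALID = rrsig_time("20171023120000")
T_EXPIRED = rrsig_time("20171108120000")

if __name__ == "__main__":
    for label, t in (("valid", T_VALID), ("expired", T_EXPIRED)):
        print(label, "validating      :", resolve(RRSIG_EXAMPLE_NL, t, True))
        print(label, "validating + CD :", resolve(RRSIG_EXAMPLE_NL, t, True, True))
        print(label, "non-validating  :", resolve(RRSIG_EXAMPLE_NL, t, False))
```

The diagnostic that follows from the model is the one operators use in practice: if a name resolves with CD set but returns SERVFAIL without it, the resolver is validating and the zone is bogus, which points at the signer (an expired signature, or a DS at the parent that no longer matches the zone's key) rather than at the access provider the user is calling.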

Adopting DNSSEC validation is nevertheless quite costly for access providers. Open source software is available for these ISPs, and implementing it is not very complex — in one case, it was done in four weeks by two employees. Sometimes an investment in new hardware is needed. A large ISP also has a large resolver infrastructure, which can be costly to change. In many cases, the infrastructure is over-dimensioned and the larger DNS responses that DNSSEC produces cause no problems.

Most of the effort of adopting DNSSEC goes into educating employees and aligning (new) processes within the organization. Because of this, adopting DNSSEC validation at a large access provider requires a substantial investment (EUR 200,000 to 300,000).

Against these downsides, there are hardly any advantages for access ISPs in terms of higher revenues. Customers, in general, are not aware of DNS validation, nor prepared to pay more for their ISP doing it. So it is no surprise that access providers like KPN and Ziggo (together 80 to 85% of the market) do not validate DNSSEC. Only some smaller ISPs do. As a result, the current level of validation in the Netherlands is approximately 22%.

Since access providers can only lose by adopting DNSSEC validation, it is not likely that they will adopt it in the near future. The low validation rate (22%) among access providers is also a reason for other stakeholders not to invest in DNSSEC. Thus, a 'chicken-and-egg' situation exists: without intervention by policymakers, it is not likely that adoption levels will increase.

How worrisome are the low adoption levels of DNSSEC?

Although an adequate technical solution is available for both registrars and access providers, the statistics show mixed results. Signed domains are quite common (49%), but adoption remains low among access providers and in some sectors, like the banking industry. As discussed in these examples, there are reasons to believe that misaligned incentives and market failures cause this. Also, the risks of an unsecured DNS do not seem to materialize very often.

The question is how worrisome these adoption levels are. A central element of the answer should be a risk analysis, since such an analysis is what legitimizes investments in cybersecurity. If a risk analysis shows that the risks are limited or acceptable, it makes sense not to invest in a signed domain; it is rational to accept some degree of insecurity. In other cases, lack of adoption can be problematic, for example where sensitive (personal health or financial) information is exchanged. In those cases, liability should be properly addressed.

The main unknown is how the number of DNS-related cybersecurity incidents that DNSSEC could prevent will develop. It is difficult to predict. Better measurement and data about these incidents are also required.

There are other developments. New legislation, like the GDPR, includes severe penalties for data breaches and a duty to report them. This will very likely have an impact on the return on investment of cybersecurity measures in the near future.

Original post appeared on RIPE Labs.

Rene Bakker currently works as a Product Owner IAM within the Economic Department of the Netherlands. He recently finished a Masters in Cybersecurity at the University of Leiden.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
