The Lack of DNSSEC Explained: Risks, Barriers, and Solutions


The lack of DNSSEC is a problem that affects a large number of domains worldwide. It is a very powerful security feature, but its adoption has not been as widespread as one might expect.

In fact, SIDN reports that, as of October 2024, only about 5% of .com domains were signed with DNSSEC. Considering that .com is the most widely used TLD in the world, this makes it clear that DNSSEC adoption is very low.

So, why does this happen? Is DNSSEC really that good or not? We’ll cover all of that and more below.

What is DNSSEC


To understand what the lack of DNSSEC implies, we must start with the basics. We all know that the DNS system is often called “the phonebook of the Internet,” since its task is to convert domain names, which are easy for people to understand, into IP addresses, which computers and servers use to communicate.

While the DNS system is absolutely critical for the functioning of the Internet, the reality is that the original protocol was not designed with the level of security that it should have, given its huge importance today. And this is where DNSSEC comes into play.

The job of DNSSEC is to add a layer of authentication using digital signatures to make sure that the DNS response comes from the correct source and has not been altered in transit. ICANN states that “DNSSEC strengthens DNS authentication using digital signatures based on public key cryptography.”

When a user accesses a domain protected with DNSSEC, this system ensures that the response is cryptographically validated, preventing the user from receiving records that have been tampered with.

In other words, what DNSSEC does is prevent an attacker from injecting false information into the DNS query process. Just as the DNS system tells us “where to go,” DNSSEC makes sure we are going to the right place. The lack of DNSSEC is a problem that should not be overlooked.

Why DNSSEC Matters

The lack of DNSSEC is very dangerous because, without this protection, DNS queries travel across the Internet without any kind of validation, which makes them a target for attackers.

These individuals can take advantage of certain vulnerabilities and weaknesses with techniques such as DNS spoofing and cache poisoning, thereby injecting false information into the DNS response the user receives. As a result, the user can be redirected to a fake website that looks like a legitimate one, and once there, fall victim to theft of sensitive data, such as login credentials, credit card numbers, and more.

DNSSEC prevents this from happening by making the DNS response trustworthy, since those responses must go through cryptographic validation, which prevents the user from receiving false information and ensures that the response comes from a reliable source.

For certain sectors, such as banking, online stores, healthcare, and government entities, this type of security is essential. The lack of DNSSEC can have serious legal and economic consequences, and other weaknesses, such as SPF misconfigurations, can further expose domains to spoofing and phishing attacks.

Current State of Adoption

Despite its importance, the reality is that the lack of DNSSEC is a serious problem, as the adoption of this security feature is very low worldwide. In fact, at the start of the article, we mentioned that DNSSEC adoption in the most widely used TLD barely reaches 5%.

Although certain TLDs must include it, such as .gov or .bank, the reality is that many extensions and registrars see it as something completely optional. Many times, even if a registrar provides the feature, the domain owners themselves do not enable it.

The truth is that DNSSEC adoption varies greatly by industry and sector. It is more commonly adopted in sectors where it is required for compliance purposes, such as governments and financial institutions.

Lack of DNSSEC Risks

The lack of DNSSEC leaves both organizations and end users exposed. DNS hijacking is one of the biggest risks: a third party can intercept and alter a DNS query to redirect traffic to a malicious site. These types of websites are used to harvest data, install malware, or simply steal from users.

Cache poisoning is another fairly common attack. It consists of false DNS records being stored in a resolver’s cache, which can affect a large number of users simultaneously. Attackers may even exploit known CVEs affecting DNS servers to manipulate responses, which highlights why the lack of DNSSEC is a critical concern.

For businesses, the lack of DNSSEC can have consequences that go beyond financial loss, leading, for example, to a drop in trust toward the brand or even legal issues.

Barriers to Adoption

If DNSSEC is so effective, then why is the lack of DNSSEC still so common? Why hasn’t this feature become widespread? The main reason is its apparent complexity. Many domain and DNS administrators see DNSSEC as difficult to implement and maintain, particularly because of the use of keys that require regular rollovers.

The reality is that while DNSSEC is great from a security standpoint, it must be handled very carefully; otherwise, a misconfiguration can make your domain go offline.

Another reason behind the lack of DNSSEC is the lack of awareness, since many domain owners believe that having other security measures, such as a TLS/SSL certificate, is enough to protect their website, without realizing that DNSSEC is a completely different protection with a different focus.

There is also an issue of compatibility, since some older DNS software and resolvers do not support DNSSEC.

Who Should Care About DNSSEC

The truth is that all domain owners should use this security feature; we have already seen the consequences of the lack of DNSSEC. However, it is also true that the level of risk can be higher or lower depending on the sector.

As we mentioned before, financial institutions, government agencies, and healthcare providers are seen as high-value targets by attackers, and this makes DNSSEC an almost mandatory measure to protect clients, citizens, and patients. E-commerce sites also face many risks, since attackers can use fake sites to steal credit card data and login credentials.

Startups and small businesses are also vulnerable, because attacks like DNS hijacking and risks from security misconfigurations can affect not only their finances but also their brand reputation, which could hinder their growth.

Technology companies, SaaS providers, and businesses that handle sensitive data can also benefit greatly from implementing DNSSEC and thus gain an additional layer of security. Without DNSSEC, attackers can create phishing subdomains that mimic legitimate sites, tricking users into revealing sensitive information.

Addressing the Lack of DNSSEC

Today, implementing DNSSEC is a much simpler process than it was years ago when this protocol was launched. Let’s see how to proceed.

  1. The first thing we must do is confirm that our hosting provider, which generally provides the DNS service, supports DNSSEC. Once confirmed, enable DNSSEC in the control panel of your domain, such as cPanel or a similar panel.
  2. As part of this process, two keys are generated: a ZSK and a KSK. The records in the DNS zone are signed with the ZSK, producing RRSIG (signatures) records and DNSKEY (public keys) records.
  3. From the KSK, the system generates what is called a Delegation Signer (DS) record. This record must be saved because we will use it in the registrar of the domain.
  4. The next step is to access the control panel of our domain registrar and activate DNSSEC there, providing the DS record generated in the hosting provider’s DNS system. Our domain registrar then sends the information to the registry of our TLD, which validates it and marks DNSSEC as activated for our domain.
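To make steps 2 to 4, and the validation described under “What is DNSSEC”, concrete, here is an added Go example. It is not code from the original article, a registrar, or any DNS software: it models the chain of trust with Ed25519 keys (DNSKEY algorithm 15). It builds DNSKEY records for a KSK and a ZSK, derives the DS record the way RFC 4034 specifies it (key tag and SHA-256 digest over the owner name plus DNSKEY RDATA), signs a record set with the ZSK and the DNSKEY set with the KSK, and then plays the validating resolver, which trusts only the DS published by the parent. The encoding of the signed record set is a simplified stand-in for real RRSIG canonical form, and the zone name and records are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

const (
	algEd25519 = 15  // DNSKEY algorithm number for Ed25519 (RFC 8080)
	flagsZSK   = 256 // Zone Key bit set
	flagsKSK   = 257 // Zone Key + Secure Entry Point bits set
)

// wireName encodes "example.com." as DNS wire-format labels, lower-cased (canonical form).
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".") {
		if label != "" {
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0)
}

// dnskeyRdata builds DNSKEY RDATA (RFC 4034 s2.1): flags | protocol=3 | algorithm | public key.
func dnskeyRdata(flags uint16, pub ed25519.PublicKey) []byte {
	rdata := []byte{0, 0, 3, algEd25519}
	binary.BigEndian.PutUint16(rdata, flags)
	return append(rdata, pub...)
}

// keyTag implements the key tag computation of RFC 4034 Appendix B.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// dsDigest computes the DS digest of a DNSKEY (RFC 4034 s5.1.4, digest type 2 = SHA-256):
// SHA-256(owner name in wire format || DNSKEY RDATA), as upper-case hex for pasting at the registrar.
func dsDigest(owner string, rdata []byte) string {
	sum := sha256.Sum256(append(wireName(owner), rdata...))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// signedData is the simplified "what gets signed": owner || sorted records.
// A real RRSIG additionally covers the RRSIG RDATA fields (type, TTL, expiry, key tag, ...).
func signedData(owner string, records []string) []byte {
	sorted := append([]string(nil), records...)
	sort.Strings(sorted)
	return append(wireName(owner), []byte(strings.Join(sorted, "\n"))...)
}

// SignedZone is a toy zone signed the way steps 2 and 3 above describe.
type SignedZone struct {
	Owner      string
	KSKRdata   []byte   // DNSKEY RDATA of the KSK (257 3 15 ...)
	ZSKRdata   []byte   // DNSKEY RDATA of the ZSK (256 3 15 ...)
	DNSKEYSig  []byte   // "RRSIG DNSKEY": KSK signature over the DNSKEY RRset
	Records    []string // the zone's data records
	RecordsSig []byte   // "RRSIG": ZSK signature over Records
}

// NewSignedZone generates a KSK and a ZSK, signs the records with the ZSK and the DNSKEY set with the KSK.
func NewSignedZone(owner string, records []string) (*SignedZone, error) {
	kskPub, kskPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	zskPub, zskPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	z := &SignedZone{Owner: owner, Records: records}
	z.KSKRdata = dnskeyRdata(flagsKSK, kskPub)
	z.ZSKRdata = dnskeyRdata(flagsZSK, zskPub)
	z.RecordsSig = ed25519.Sign(zskPriv, signedData(owner, records))
	z.DNSKEYSig = ed25519.Sign(kskPriv, z.dnskeySet())
	return z, nil
}

// dnskeySet is the DNSKEY RRset in signable form.
func (z *SignedZone) dnskeySet() []byte {
	return signedData(z.Owner, []string{hex.EncodeToString(z.KSKRdata), hex.EncodeToString(z.ZSKRdata)})
}

// DS is what step 3 hands to the registrar: "<key tag> <algorithm> <digest type> <digest>".
func (z *SignedZone) DS() string {
	return fmt.Sprintf("%d %d 2 %s", keyTag(z.KSKRdata), algEd25519, dsDigest(z.Owner, z.KSKRdata))
}

// Validate plays the validating resolver: it trusts only dsFromParent (the DS the registry
// published) and walks the chain down to the data records. Any break yields an error, which
// is exactly what makes a misconfigured zone unreachable for validating resolvers.
func Validate(z *SignedZone, dsFromParent string) error {
	if dsFromParent != z.DS() { // recompute DS from the child's KSK and compare with the parent's copy
		return errors.New("DS at parent does not match the zone's KSK: chain of trust broken")
	}
	ksk := ed25519.PublicKey(z.KSKRdata[4:])
	if !ed25519.Verify(ksk, z.dnskeySet(), z.DNSKEYSig) {
		return errors.New("DNSKEY RRset signature does not verify under the KSK")
	}
	zsk := ed25519.PublicKey(z.ZSKRdata[4:])
	if !ed25519.Verify(zsk, signedData(z.Owner, z.Records), z.RecordsSig) {
		return errors.New("record signature does not verify under the ZSK: data was altered")
	}
	return nil
}

func main() {
	z, err := NewSignedZone("example.com.", []string{"www.example.com. A 192.0.2.10"}) // constructed sample zone
	if err != nil {
		panic(err)
	}
	ds := z.DS()
	fmt.Println("DS to paste at the registrar:", ds)
	fmt.Println("genuine zone:", Validate(z, ds))
	z.Records[0] = "www.example.com. A 198.51.100.66" // constructed tampered answer
	fmt.Println("altered record:", Validate(z, ds))
}
```

The first check in `Validate` is the one worth remembering from the procedure above: a DS record at the registrar that no longer matches the KSK in the zone (for example after a key rollover whose new DS was never submitted) breaks the chain at the top, and validating resolvers then treat the whole zone as bogus.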

Is that it? Well, actually yes, we just need to remember to perform maintenance from time to time, which consists of rotating the generated keys. The ZSK can be rolled over about every 3 months, and once a year is fine for the KSK. In some cases, providers even do this automatically.

Summary

The lack of DNSSEC leaves domains, businesses, and users exposed to serious security risks. Fortunately, implementing DNSSEC is now easier than ever and provides a strong layer of protection against DNS attacks. Whether you run a large enterprise or a small startup, enabling DNSSEC is a simple step that greatly strengthens your online security.
