The state of DNS security records 2019

My recent search for DNS hosting reminded me that it’s been a while since my first state of DNS report. I had meant to do it every year, so this is a bit late; I should probably set myself a reminder. At this point let’s just say I missed 2018, this is the 2019 report, and I’ll try to remember for 2020.

TLDR: Summary

2019 RR overview
The deployment of security records in DNS has got slightly worse. The average score (out of 10) based on deployment of CAA, DKIM, DMARC, DNSSEC and SPF was 2.48 in 2017; the same records checked today averaged 2.15, with this year’s data set averaging 2.42.
Two data sets were used this year: the 2017 lists and updated lists taken from the same sources.

Usage of IPv6, SPF and DMARC has seen significant decreases across both sets of data, offset only slightly by the small growth in adoption of DNSSEC, CAA and DKIM. The growth in CAA usage is probably still explained by the comparative newness of the record type and thus the small gains to be had by deploying it. The almost across the board decrease in the deployment of security focussed DNS records is really quite depressing, especially in light of the attacks on DNS infrastructure earlier in 2019.

RR Types       | 2017 results | 2017 data set  | 2019 data set
---------------|--------------|----------------|---------------
CAA            | 3.9          | 4.6 (+0.7%)    | 6.6 (+2.7%)
DKIM           | 50           | 63.4 (+13.4%)  | 59 (+9%)
DMARC          | 39.9         | 20.1 (-19.8%)  | 23.6 (-16.3%)
DNSSEC         | 6            | 5 (-1%)        | 7.9 (+1.9%)
IPv6           | 31.3         | 10.6 (-20.7%)  | 15.6 (-15.7%)
SPF            | 83.7         | 77.7 (-6%)     | 59 (-24.7%)
Data set size  | 2,314        | 1,889          | 1,967

Methodology

My methodology was broadly the same as last year. I ran the DNS Security record checker across the lists of domains to determine usage of CAA, DMARC, DKIM, DNSSEC and SPF records. Whilst IPv6 usage is recorded, it’s not considered for the purposes of the security assessment.
To give a useful score out of 10 the various records are marked as follows:

  • CAA – 2 points
  • DMARC – 0-1 points based on the “pct=” value: 0.5 for “sp=quarantine” or 1 point for “sp=reject”
  • DKIM – 2 points
  • DNSSEC – 2 points
  • SPF – 1 point for a record, then 0 points for a “?all” policy, 0.5 for “~all” and 1 point for “-all”

DKIM scores may be under-reported, as discovery of such records depends on the lookup for “_domainkey.example.com” returning something other than NXDOMAIN when an “identifier._domainkey.example.com” record exists.
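The scoring rules above, applied to records that have already been looked up. This is an added example and not the post’s DNS Security record checker; the sample records are constructed. It reads the DMARC rule as “pct scales the points for the policy”, which is an assumption, and it honours the “sp=” tag the post names, falling back to “p=” when “sp=” is absent (RFC 7489 defines that default). Under a literal reading the listed points sum to at most 9; the function returns that raw sum and does not try to reproduce the post’s mapping onto a score out of 10.

```python
"""Score a domain's DNS security records with the post's point scheme (added example)."""
import re

# Constructed sample input: records as they would come back from DNS lookups.
# dkim_found is whatever the checker concluded from the _domainkey probe, so the
# NXDOMAIN caveat from the post applies to it.
SAMPLE = {
    "well-defended.example": {
        "caa": ['0 issue "letsencrypt.org"'],
        "dkim_found": True,
        "dnssec": True,
        "spf_txt": ["v=spf1 mx -all"],
        "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@well-defended.example"],
    },
    "typical.example": {
        "caa": [],
        "dkim_found": False,
        "dnssec": False,
        "spf_txt": ["v=spf1 include:_spf.mailhost.example ~all"],
        "dmarc_txt": ["v=DMARC1; p=quarantine; pct=50"],
    },
    "monitoring-only.example": {
        "caa": [],
        "dkim_found": True,
        "dnssec": False,
        "spf_txt": ["v=spf1 ?all"],
        "dmarc_txt": ["v=DMARC1; p=none"],
    },
}


def parse_tags(record):
    """Turn a 'k=v; k2=v2' tag list (DMARC syntax) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_points(txt_records):
    """1 point for a v=spf1 record, plus 1 for '-all', 0.5 for '~all', 0 otherwise."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec, re.IGNORECASE)
            qualifier = match.group(1) if match else "+"  # missing 'all' scores like '+all'
            return 1 + {"-": 1.0, "~": 0.5}.get(qualifier, 0.0)
    return 0.0


def dmarc_points(txt_records):
    """(pct / 100) * (1 for reject, 0.5 for quarantine, 0 for none). Assumed reading of the post."""
    for rec in txt_records:
        tags = parse_tags(rec)
        if tags.get("v", "").upper() != "DMARC1":
            continue
        policy = tags.get("sp", tags.get("p", "none")).lower()  # sp defaults to p (RFC 7489)
        try:
            pct = min(max(int(tags.get("pct", "100")), 0), 100)
        except ValueError:
            pct = 100  # malformed pct is treated as the RFC default of 100
        return {"reject": 1.0, "quarantine": 0.5}.get(policy, 0.0) * pct / 100
    return 0.0


def score_domain(d):
    """Sum the points for one domain's records (maximum 9 under this reading)."""
    points = 0.0
    points += 2 if d.get("caa") else 0
    points += 2 if d.get("dkim_found") else 0
    points += 2 if d.get("dnssec") else 0
    points += spf_points(d.get("spf_txt", []))
    points += dmarc_points(d.get("dmarc_txt", []))
    return points


def summarise(sample=SAMPLE):
    """Per-domain scores for a data set."""
    return {name: score_domain(records) for name, records in sample.items()}


def average_score(sample=SAMPLE):
    """The data-set average the post reports (e.g. 2.42 for the 2019 set)."""
    scores = summarise(sample)
    return sum(scores.values()) / len(scores)


if __name__ == "__main__":
    for name, score in summarise().items():
        print(f"{name:28s} {score:4.2f}")
    print(f"average {average_score():.2f}")
```

The SPF helper scores a record with no “all” mechanism (or “+all”) as 0 policy points, the same as “?all”, since neither asserts anything about unauthorised senders; the post only lists the three explicit qualifiers.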

Due to my inability to find a reliable list of “bad guys” I’ve dropped that from my report. As such the “bad guy” results are also not included in the 2017 results used for comparison here. I did replace the “bad guy” list with DNS-over-HTTPS providers, which are almost the same thing. Also, given the security focus of DoH, I thought it would be interesting to see how they stacked up. The Alexa top 50, 100 top registrars, Cyber Security 500 and ICANN accredited registrars were all taken from the same sources as last year. It’s interesting to note that there seems to have been a collapse of ICANN accredited registrars, with the current list having over a thousand fewer entries than in 2017. Of the 2,314 domains on the 2017 list, 425 no longer resolve.

The vendors list remains small and arbitrary, having grown from 15 in 2017 to 23 this year; it is still just the vendors I consider significant in the DNS space.

The biggest change in methodology was how I constructed the list of DNS providers. In 2017 it consisted of just 27 large DNS vendors, chosen based mainly on random lists of DNS hosting firms. This year the list contains 957 domains, some of which were chosen in the same way as previously. Added to that seed, though, was every domain used by the name servers providing DNS for the entries on the other lists. Simply put, I took my other lists, looked up the NS records for all of those domains and added the domains of those NS records to the DNS list. I think this is important, as if the records of your name servers aren’t secure then whatever action you take will be of limited effect.
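The list-building step described above, as an added example rather than the post’s own tooling. The NS lookup is injected as a function so the code runs offline against constructed data; a real run would pass a function that queries DNS. Reducing a name server host to “its domain” is done with a two-label heuristic, which is an assumption that breaks on suffixes such as co.uk; real data should use the Public Suffix List for that step.

```python
"""Derive a DNS-provider list from the name servers of other domain lists (added example)."""

# Constructed NS data standing in for live lookups. The empty entry mimics a
# domain that, like the 425 lapsed 2017 entries, no longer resolves.
CONSTRUCTED_NS = {
    "shop.example": ["ns1.dnshost.example.", "ns2.dnshost.example."],
    "bank.example": ["a.ns.bigcloud.example.", "b.ns.bigcloud.example."],
    "selfhosted.example": ["ns.selfhosted.example."],
    "gone.example": [],
}


def lookup_ns_offline(domain):
    """Stand-in for an NS query; returns the constructed answers above."""
    return CONSTRUCTED_NS.get(domain, [])


def registrable_domain(host):
    """Two-label heuristic (assumption): 'a.ns.bigcloud.example.' -> 'bigcloud.example'."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def provider_domains(domains, lookup_ns=lookup_ns_offline, seed=()):
    """Seed list plus the domain of every name server serving the given domains, deduplicated."""
    providers = set(seed)
    for domain in domains:
        for ns_host in lookup_ns(domain):
            providers.add(registrable_domain(ns_host))
    return sorted(providers)


if __name__ == "__main__":
    for provider in provider_domains(CONSTRUCTED_NS, seed=["seedvendor.example"]):
        print(provider)
```

Self-hosted name servers end up on the provider list too, which matches the post’s rule that every NS domain is added; the heuristic is the only part to replace before pointing it at real lists.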

Findings

Sadly, like last year, it’s not a cheery sight, with DNS providers and registrars letting down the entire industry, which really undermines the efforts of everyone else when the infrastructure they’re depending on is the weakest link of the chain.
Record type occurrence
DKIM and SPF have a reasonable adoption rate, with most groups being over 60% for both of them, and the Alexa top 50 manage a decent showing for DMARC as well. DNSSEC adoption remains low, which is possibly excusable for most of us given how few DNS providers actually make it easy. What’s worrying, though, is that less than 10% of the domains for DNS providers (8.2%) and ICANN registrars (5.8%) DNSSEC sign their own zones. So no matter what steps we may take, the systems we’re dependent on haven’t taken steps to secure themselves; no matter how good a strong box we have, the banks haven’t even bothered with locks on the vaults. They are almost equally poor at taking steps to secure their email, with the ICANN registrars only just managing to scrape over 60% deployment of SPF. So the systems we depend on for the security of our domains haven’t secured either their own DNS or the email systems they use to communicate. Quite frankly it’s no wonder that the bad guys are attacking the domain hosting companies and registrars to get to our DNS – they are the weakest link.

The security conscious DoH providers also need to take a long hard look at themselves, with less than 50% of them securing their DNS and less than 30% publishing CAA records. For a security focussed offering that’s really rather insecure, as in most cases we don’t know which CA should have issued their certificate and we can’t tell if the DNS records we use to reach them have been tampered with. Only 13% of the DoH providers both publish a CAA record and DNSSEC sign their domains.

So what about the good? There isn’t much: across the board the best we can manage is a 59% deployment of SPF and DKIM, and in the case of SPF that represents an almost 25% reduction compared to 2017. In fairness that could be due to DNS providers and registrars not publishing negative SPF records for domains which shouldn’t send mail. I don’t really think that’s much of an excuse though, as negative SPF records are easy to publish and, combined with a DMARC reject record, would ensure that those domains couldn’t be spoofed for next to no effort.
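The “negative SPF plus DMARC reject” pairing the paragraph describes, written out as zone records for a domain that never sends mail. This is an added example, not from the post; the hostnames and the report mailbox are constructed placeholders. The first two records are the monitoring-only settings the survey would score at 1 and 0 points respectively; the block after them is what the post recommends. The null MX record is beyond what the post discusses, but it is the standard (RFC 7505) way to say a domain accepts no mail and complements the other two.

```zone
; Weak settings: SPF asserts nothing about unauthorised senders, DMARC only reports.
nomail.example.         IN TXT "v=spf1 ?all"
_dmarc.nomail.example.  IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@nomail.example"

; Recommended settings for a domain that should never send mail.
; "-all" with no mechanisms: every sender fails SPF.
nomail.example.         IN TXT "v=spf1 -all"
; p=reject applies to the domain, sp=reject to any subdomain without its own policy.
_dmarc.nomail.example.  IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@nomail.example"
; Null MX (RFC 7505): the domain accepts no inbound mail either.
nomail.example.         IN MX  0 .
```

Publishing these costs three records and no ongoing effort, which is the point the paragraph makes: a provider’s parked or infrastructure-only domains are exactly the ones most easily spoofed when left without them.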
SPF policies 2019
When we look at the published SPF policies the picture is slightly better. Whilst fewer domains have SPF records, of those that do more of them are at either “~all” or “-all”, with a substantial increase in the percentage confident enough to go to “-all”. Sadly that small bit of upbeat news is rather offset by the fact that the percentage of examined domains with DMARC policies set to reject has decreased, as has the percentage of domains with any DMARC policy at all.
DMARC policies 2019

Back in 2017 I said:
Maybe I’ll repeat my survey next year and we’ll be in a better place.
Sadly it seems that, despite the increasing number of attacks, we’re actually in a worse place than we were in 2017. Almost across the board fewer domains are taking steps to deploy even the simplest of security focussed DNS records.
Apart from SPF and DKIM, every other measure is deployed on less than a third of the domains examined, even amongst the firms that should be leading the way. When you look at the key to keeping all of the other records secure, DNSSEC, whilst there’s been a slight increase, even the Cyber Security 500 don’t get to 10% deployment. At this point it’s really not in the least surprising that the bad guys both keep going after DNS infrastructure and keep succeeding.

I’m aware that I’m very much the pot calling the kettle black, but that doesn’t make me wrong, just possibly a hypocrite. Honourable mention should once more be given to the NCC Group, who are still the only* company to have deployed all of the DNS security records. If they keep it up I may have to send them a trophy – as for the rest of us, we really need to buck up our ideas.

*As I can’t reliably detect DKIM records there may actually be another 17 companies with everything deployed – that’s still a shockingly low number.
Update: I forgot I give partial scores; there are 3 other domains with all the record types deployed but with DMARC in reporting only mode.

Update: If you have any suggestions on how to improve any part of my methods, or critiques of my methods/findings, please let me know.
