With so many things relying on the security of DNS (it controls your SPF, your DKIM, your CAA, generating SSL for your domain, …), and with DNS security being one of the keys to avoiding a man-in-the-middle attack, it behooves us to make sure it is ultimately very secure.
This means the usual (2-factor authentication, locking the domain, etc), but it also means enabling DNSSEC. And this is not very common. According to ISOC, and associated reports, we are not looking great. 1400 of 1544 TLD are signed (so not terrible I guess), but we are looking more like 12% for the global list.
You can test your own domain here, my results shown at right. If you are not DNSSEC, I would recommend taking some action to enable it.
Breaking down per country, we can see that Canada is @ 13.37%, slightly worse than The Democratic Republic of Congo (side note, you notice how countries with the word Democratic in the name rarely are?)
So, who here is going to go and see how to get DNSSEC on their domain? If your registrar doesn’t support it, ask them to, or threaten to move. Its very simple to move your domain from one registrar to another.
This is a very cheap way of improving your security.
Leave a Reply