A traversal view of the .nz space: security
Sebastian Castro
At InternetNZ, we are passionate about .nz domains, and we are always looking for new things to learn about them. In this series of blog posts, we’d like to show the differences between the namespaces under .nz.
Here’s what you’ll learn about:
Blog post 1 (the one you are reading): Actively looking into the DNS: email services and security in the .nz namespace.
So what’s in the .nz space? An overview.
Within .nz, a domain can be registered directly under .nz (example.nz) or under one of the fifteen subspaces, like .co.nz (trademe.co.nz) or .govt.nz (covid19.govt.nz). Not all spaces are open to registration by anyone. For example, .govt.nz is only available to government organisations.
For this story, we are going to divide the .nz domains into four groups: .nz for domains registered directly under .nz, .co.nz for domains under .co.nz, .govt.nz, and other, capturing the remaining thirteen subspaces (.net.nz, .org.nz, .kiwi.nz, etc.).
The .co.nz domains are solidly the majority in our namespace, followed by .nz domains. Over the years, registrations directly under .nz have been gaining ground on the other group. The .govt.nz group has around 1,000 domains, a sliver that is hard to make out next to the others.
Actively looking into the DNS
The DNS is one of the most fundamental protocols that hold the Internet together. It’s heavily used to signal the availability of a certain service or a technology for a domain. If you want to visit a web page or send an email, computers will be using the DNS to find out where to connect.
Since 2019, we have been tracking some of those signals for all .nz domains. We have been looking for the adoption of new services or security practices. In this blog, you will see how those have evolved and how prevalent they are.
Email services and security
In Figure 2, we can see how the different groups signal to the world that they offer a mail service. .co.nz, .govt.nz and other have an MX record on around 61% of their domains; .nz is the exception, with a lower adoption rate of 43%. Overall, support for mail services has been slowly declining.
Figure 2 also shows support for the Sender Policy Framework (SPF). It is a technology that helps to protect the domain against spoofing (someone impersonating your emails). It also helps to prevent emails coming from your domain from being marked as spam.
The good news is that SPF adoption has been growing across all groups in the last two years. The less good news is that only half of the domains that are ready to receive email have SPF enabled, except for .govt.nz, where coverage reaches roughly two thirds.
Let’s take a look at two complementary technologies: DKIM (DomainKeys Identified Mail), designed to protect email messages across domains by ensuring they haven’t been altered while they travel through the Internet, and DMARC (Domain-based Message Authentication, Reporting and Conformance), designed to answer the question of what should happen when a message fails SPF and DKIM verification. For the same set of groups, the adoption of these technologies is shown in Figure 3.
It’s good news to see the adoption of DMARC across government domains doubling each year. However, there is still some road to travel before the full set of capabilities is enabled. The other groups lag well behind, all of them under 10% adoption.
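The MX, SPF, DKIM and DMARC signals discussed above are all read from DNS. The following is an added example, not InternetNZ's measurement code: it classifies one domain's email-security posture from its records, using a constructed in-memory zone (the names, tokens and placeholder key are illustrative) so it runs offline; swap `lookup` for a real resolver to probe live domains.

```python
import re

# Constructed in-memory DNS answers keyed by (owner name, RR type); not real .nz data.
ZONE = {
    ("example.co.nz", "MX"): ["10 mail.example.co.nz."],
    ("example.co.nz", "TXT"): ["v=spf1 include:_spf.example.net ~all",
                               "google-site-verification=not-a-real-token"],
    ("_dmarc.example.co.nz", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.co.nz"],
    ("s1._domainkey.example.co.nz", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    ("example.nz", "MX"): ["0 ."],            # RFC 7505 null MX: the domain accepts no mail
    ("example.nz", "TXT"): ["v=spf1 -all"],   # ... and declares that it sends none either
    ("twice.co.nz", "TXT"): ["v=spf1 -all", "v=spf1 ~all"],   # two SPF records: permerror
}

def lookup(name, rrtype):
    return ZONE.get((name.lower(), rrtype), [])   # replace with a real resolver for live checks

def tag_values(record):
    """Split a 'k=v; k2=v2' record (the syntax DMARC and DKIM share) into a dict."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def spf_policy(domain):
    """Qualifier on 'all' ('+', '-', '~', '?'); 'invalid' if several SPF records (RFC 7208 s4.5); None if absent."""
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "invalid" if records else None
    for term in records[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return "?"   # no 'all' term: unmatched senders get Neutral, the same as '?all'

def dmarc_policy(domain):
    """Value of the DMARC 'p' tag (none/quarantine/reject) or None if no record is published."""
    records = [t for t in lookup("_dmarc." + domain, "TXT") if t.upper().startswith("V=DMARC1")]
    return tag_values(records[0]).get("p") if len(records) == 1 else None

def dkim_published(domain, selector):
    """True if the selector publishes a usable key; an empty p= means the key was revoked."""
    return any(tag_values(t).get("p") for t in lookup(f"{selector}._domainkey.{domain}", "TXT"))

def posture(domain, selector="s1"):
    """The per-domain signals behind an adoption chart, for one domain."""
    mx = lookup(domain, "MX")
    return {"has_mx": bool(mx) and mx != ["0 ."], "null_mx": mx == ["0 ."],
            "spf": spf_policy(domain), "dkim": dkim_published(domain, selector),
            "dmarc": dmarc_policy(domain)}
```

DKIM is the odd one out for bulk measurement: its key lives under a selector name that the domain owner chooses, so a scan only finds it when the selector is known.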
You may believe that once you have an SSL certificate, your website is secure and you are done. Unfortunately, the ability to get a certificate from any provider for any domain has been identified as a weak link by the industry. The CAA (Certificate Authority Authorization) standard was created in 2013 and adopted by the browser community in 2017. It defines a mechanism in the DNS for telling which Certificate Authorities are authorised by the domain holder to issue a valid certificate for their domain.
Despite being actively used by the browsers, adoption is not very high if we look within .nz. The results are shown in Figure 4.
The leader in CAA adoption is the .govt.nz namespace, currently with 6.7% of their domains publishing a CAA record. We can compare this result with data from Qualys and their SSL Pulse collection. It shows that across the top 150,000 domains in the Alexa ranking, 9.0% have a CAA record.
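To show what publishing a CAA record actually buys a domain holder, here is an added example (not InternetNZ's code) of the RFC 8659 decision a CA makes before issuing: find the relevant CAA RRset by climbing towards the root, then apply the issue/issuewild properties. The zone data and CA names are constructed for illustration.

```python
# Constructed CAA RRsets keyed by owner name; each record is (flags, tag, value),
# mirroring e.g.  example.govt.nz. CAA 0 issue "letsencrypt.org"
ZONE = {
    "example.govt.nz": [(0, "issue", "letsencrypt.org"),
                        (0, "issuewild", ";"),                       # no wildcard certs at all
                        (0, "iodef", "mailto:security@example.govt.nz")],
    "locked.co.nz": [(0, "issue", ";")],                             # no CA may issue
    "odd.co.nz": [(128, "futuretag", "x")],                          # unknown critical property
}

def lookup(name):
    return ZONE.get(name.lower(), [])   # replace with a real resolver for live checks

def relevant_rrset(fqdn):
    """RFC 8659 s3: climb from fqdn towards the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_name(value):
    """issue-value is 'issuer-domain-name [; parameters]'; an empty name forbids every CA."""
    return value.split(";", 1)[0].strip().lower()

KNOWN_TAGS = ("issue", "issuewild", "iodef")

def may_issue(fqdn, ca, wildcard=False):
    """True if the CA identified by issuer-domain-name `ca` may issue for fqdn (or *.fqdn)."""
    rrset = relevant_rrset(fqdn)
    if not rrset:
        return True                       # no CAA in the whole chain: any CA may issue
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False                      # critical property the CA cannot understand
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                 # issuewild overrides issue for wildcard requests
    names = [issuer_name(v) for _, t, v in rrset if t == tag]
    if not names:
        return True                       # only iodef etc.: issuance is not restricted
    return ca.lower() in names
```

Note that a record at example.govt.nz also governs www.example.govt.nz, so one record per registered domain is usually enough.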
DNSSEC is a set of DNS extensions that allow the cryptographic signing and validation of data in the DNS. This adds a whole new layer of protection to this essential protocol. To get the full benefit, however, it requires both domain signing and DNSSEC validation.
According to measurements conducted by APNIC, New Zealand has a DNSSEC validation rate of 89.84%, which places it in the top 30 worldwide and well above our neighbours across the Tasman Sea. That’s a good place to be, thanks to the efforts of local ISPs in enabling this over the years. On the domain signing side, .nz was first signed back in 2012, so our domain holders have had nine years to implement it for their domains. Below, in Figure 5 and Figure 6, there is a stark story.
By 2021, half of the government domains have DNSSEC enabled, which is great news. It results from a great effort by the Department of Internal Affairs (DIA) to design and implement DNSSEC. It’s worth noting that having DNSKEY records for a domain is only one part of the story: if the domain wants to benefit from validation, it also needs DS records. You can see that .govt.nz domains are well aligned in that regard. Moving on to the dark side of this story, please check Figure 6.
DNSSEC adoption for domains not in the .govt.nz namespace is under 2%. That’s a massive contrast, more so considering there are providers like Cloudflare that offer DNSSEC for free. It’s a missed opportunity to provide more security to your domains and the services operating under them.
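The DNSKEY-without-DS gap mentioned above is easy to check for your own domain: the DS record published in the parent zone must carry the key tag and SHA-256 digest of one of the child's DNSKEYs. This is an added example (not InternetNZ's code) that performs that comparison per RFC 4034; the key below is a deliberately tiny constructed value, and the DS is derived from it so the sample stays self-consistent, whereas in practice the DS is fetched from the parent.

```python
import base64
import hashlib

def name_to_wire(owner):
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, each length-prefixed, root terminator."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B checksum (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """Digest type 2: SHA-256 over the owner name (wire form) followed by the DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_covers(owner, dnskey, ds):
    """dnskey = (flags, protocol, algorithm, key_b64); ds = (key_tag, algorithm, digest_type, digest)."""
    rdata = dnskey_rdata(*dnskey)
    tag, alg, dtype, digest = ds
    if dtype != 2:
        return False                      # only SHA-256 digests are handled here
    return tag == key_tag(rdata) and alg == dnskey[2] and digest.upper() == ds_digest(owner, rdata)

def chain_ok(owner, dnskeys, ds_records):
    """The zone is only validatable if some DS at the parent matches one of its KSKs (flags 257)."""
    return any(k[0] == 257 and ds_covers(owner, k, d) for k in dnskeys for d in ds_records)

# Constructed sample with a 4-byte "key" so the key-tag arithmetic can be followed by hand:
# RDATA = 01 01 03 0d 01 02 03 04  ->  key tag 2068.  The DS would normally be read from the
# parent (nz) zone; here it is derived from the child key so the sample is self-consistent.
SAMPLE_KEY = (257, 3, 13, "AQIDBA==")
SAMPLE_DS = (2068, 13, 2, ds_digest("example.govt.nz", dnskey_rdata(*SAMPLE_KEY)))
```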
Sum it up
To sum this blog post up:
- Government sites under .govt.nz are leading the way on the adoption of security technologies like SPF, DKIM or CAA, but there is still a lot of work to be done.
- The combination of the high level of DNSSEC validation in New Zealand and the .govt.nz adoption of DNSSEC provides assurance against DNS spoofing.
In the next blog, we’ll explore .nz domain names activity and popularity. Stay tuned!