A Closer Look at DNSSEC on U.S. Government Websites

Earlier this month, ITIF published a report that benchmarked the most popular federal websites using four metrics: page-load speed, mobile friendliness, security, and accessibility. Since that time, we have received feedback from many government workers in charge of monitoring and improving federal websites about how they are using this information. We are encouraged by the response, as a number of federal agencies have updated their websites.

We have also received feedback on the metrics we used to evaluate websites, and how to refine them in future iterations of this report. One particular area of interest was the metric we used to assess domain name system security (DNSSEC), which is the set of protocols that add security to domain name system (DNS) lookup and exchange processes. In the spirit of continuing the discussion about how to improve federal websites and the metrics used to evaluate them, this post explores the tool we used in the report to evaluate DNSSEC and offers additional details about the results. We also offer new scores for all websites which originally scored 0 on this metric.

Evaluating DNSSEC Implementation

The domain name system translates human-readable domain names (such as itif.org) to numeric IP addresses (such as 209.61.166.194). The original DNS system had poor security, so it was possible for an attacker to return false information and direct users to malicious websites. DNSSEC adds a layer of security so that users can authenticate that the responses they receive to a DNS lookup are valid. By using DNSSEC, federal agencies can establish a “chain of trust” for the domains they manage.

We tested the implementation of DNSSEC on federal websites using “DNSSEC Debugger,” a web-based tool made by Verisign Labs that inspects the digital certificates associated with a website’s domain. The tool shows a step-by-step validation for a specific domain, highlighting any problems it discovers. The tool then validates each step in this process with a “good,” “warning,” or “error.” In the ITIF report, if a website showed that each step in the process was either “good” or only elicited “warnings,” then we gave the website a score of 100. If it had an “error” in any step in the process, then we gave it a score of 0. We found that of the 297 websites tested, 10 percent (30 sites) had at least one error.

Based upon feedback we have received, we decided to look more closely at the sites that had errors. We retested the sites that failed, and we found four websites that no longer had errors: llnl.gov, ojp.gov, arm.gov, and cftc.gov.

Of the remaining website, we encountered three types of errors when running this test:

1. Some websites did not have DNSKEY or RRSIG records for a domain. These records hold the public keys and signatures used to implement DNSSEC on a domain. The absence of these records means that DNSSEC is not implemented on the domain. Therefore, we gave these websites a failing score of “0” on this test.
2. Some websites have not established delegation signer (DS) records for the domain in the parent zone. (A parent zone houses another domain zone. For example, fed.us is the parent zone of fs.fed.us.) Without these records, users have no “chain of trust” to validate the DNS information received about these domains. These websites have DNSSEC misconfigured, but since they attempted to implement it, we gave them a failing score of “50” on this test.
3. One website (osti.gov) had a persistent error where the domain’s public keys and signatures would often not validate a particular DNS record. Despite this error, DNSSEC is enabled on this site. Therefore, we gave this site a passing score of “75” on this test.

Scores

We rescored the 30 domains which generated errors when we first tested them in November 2016. The new scores are based off data gathered in March 2017, so federal agencies may have made changes to some of these websites since then.

The following table lists the dynamic DNSSEC scores for each of these domains, as well as the errors each domain encountered on the DNSSEC Debugger.

*On osti.gov, DNSSEC Debugger intermittently generates the following error: “None of the 2 RRSIG and 4 DNSKEY records validate the A RRset. The A RRset was not signed by any keys in the chain-of-trust.”