1 minute read
3 DNS CONFIGURATION DNSSEC
The Domain Name System SECurity extensions (DNSSEC) are an extension to the DNS protocol that provides cryptographic assurance of the authenticity and integrity of DNS response messages. DNSSEC provides protection against network attackers who can manipulate recursive (or caching) DNS servers, preventing victims from being redirected to false sites. The DNSSEC solution works by authenticating DNS responses based on public key cryptography. Authoritative DNS servers electronically sign the transmitted content in the text records, and caching DNS servers or hosts can verify the authenticity of the received information based on the public key stored in the text record of the domain. 54 percent of the institutions’ domains have DNSSEC set, 46 percent do not. In the case of domains that are not properly configured, there may be reasons (use for special purposes or internal use by institutions) why the configuration may not be justified.
4 Summary Of Conclusions From The Hardenize Data
The technical data collection and analysis developed by the SSNS-NCSC was incorporated into the analysis process of the project to compare the incident analysis and threat trends identified during the Pilot Project with the technical data collected by the SSNS-NCSC. Analysis based on individual institutional configuration data shows that there is no clear correlation between the security level of each institution’s domain configurations and the incident data of the institutions. Most of the incidents during the Pilot Project were not due to attacks, but could be traced back to operational problems.
Based on the domain data provided by the institutions, the SSNS-NCSC ran a Hardenize scan at the beginning of each month of the Pilot Project. Although we have six months of data on the different domain configuration statuses, only the data from the beginning of August was used in the presentation of the technical data. On the one hand this is explained by the fact that the data for August 2022 represent the most recent technical situation, and on the other hand, we have not seen any significant configuration changes between the different months. Only a very few of the reviewed configuration states changed over the six months of the Pilot Project, indicating that domain related configuration parameters change over a longer time span for financial institutions in general.
Finally, it can be concluded that, although the settings described in Chapter V are not new and have long been an established practice, they do not seem to be a priority in all cases for the institutions under review.