Number of DNSSEC-Signed .CH Domains Jumps 8-Fold in 2 Years

The number of DNSSEC-signed .ch domain names has jumped by 80% in the 12 months from January 2018, from around 45,000 to 81,000, and 8-fold from the 10,000 at the beginning of 2017.

The increase, while dramatic, still means that the share of DNSSEC-signed domain names in the Swiss country code top-level domain (ccTLD) “is still very low at around 3-4%” of the total number of .ch domain names.

The signing of domain names with Domain Name System Security Extensions (DNSSEC) was given a push in February with ICANN calling for full deployment of DNSSEC across all unsecured domain names following increasing reports of malicious activity targeting the DNS infrastructure. The organisation also reaffirmed its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.

One reason for the jump in DNSSEC-signed domain names, according to a post on the SWITCH Security blog, is that Infomaniak started signing all newly registered domain names by default. In March 2019, more than 10,000 .ch domain names were newly signed with DNSSEC. Overall there are more DNS hosters and registrars signing their domain names, but the reason for this “jump” was FireStorm, a Swiss webhoster and registrar that signed several thousand domain names on its DNS server.

FireStorm signed them by publishing Child DS (CDS) record sets in the zones on its authoritative name servers, according to the post. This feature was introduced by SWITCH at the end of 2018 and activated in the beginning of 2019 for all .ch and .li domains. SWITCH believes that CDS makes DNSSEC signing much easier for DNS hosters, especially if they are not the registrar for some of their domain names.

So far, most ISPs in Switzerland have argued that they don’t need to validate DNSSEC because nobody is signing their domain names with DNSSEC, SWITCH notes in the blog post. It also notes that most DNS hosters have argued that, as long as no Swiss ISP is validating, there is no point in signing domain names. Now that we see a strong surge in DNSSEC-signed .ch domain names and more ISPs and corporate networks validating, these arguments are no longer valid.