DNSSEC is one of those foundational security pieces that is often overlooked. Nearly all domains in .SG (Singapore) have HTTPS, many have some form of transport security (TLS) on their email, but other than in the government space (gov.sg), very few have DNSSEC. This is truly a tragedy – and I’ll try to explain why in a way that laymen can hopefully understand. This means starting with basic stuff that you hopefully know a bit about. Let’s start with HTTPS:
What HTTPS protects (and what it doesn’t)
HTTPS attempts to protect the request you send to the web server, and the reply you get, from being eavesdropped on as they pass through the Internet. It also protects the information from being modified while it is moving across the Internet. For the most part this works, but only if you make it compulsory – so that any users trying to connect using HTTP are forced to use HTTPS instead – this is called HTTP Strict Transport Security (HSTS). Unfortunately, HSTS kicks in only once a user has connected for the first time (unless you are on the preload list, but that’s another can of worms). So, if you have a new computer, or if your browser goes nuts and you wipe the browser memory, HSTS might not kick in at all. HTTPS and HSTS presume that users actually connect to your web server rather than a web server belonging to a bad actor – otherwise it’s entirely possible for a phishing website running HTTP to sit between your server and your users – unless your domain runs DNSSEC, because that stops the bad guys from being able to point your domain elsewhere.
How safe is your email?
Sadly, without DNSSEC, email being sent to yourname@yourdomain.com on your mail server can be intercepted by anyone with administrative access to a network the email crosses. So that’s every ISP between the sender and your mail server. That’s a lot of networks. If you’re lucky, the email never reaches you – so at least you know bad things are happening. If they’re stealthy, they could be reading all your incoming email that passes through them for a very long time. Sounds far-fetched? It happens every day now in authoritarian regimes with little respect for human rights. Not only can they read the email intended for you, they could also modify the contents and cause endless miscommunication and distrust between you and your correspondents.
How does domain signing work?
Domain signing lets DNSSEC-aware clients verify that the information received is what was intended by the domain owner. If you receive a response for a signed domain, you can be 100% sure that it is what was originally published by the domain owner. Sounds simple, but this simple concept requires your domain hosting (and registrar) to jump through quite a few gnarly cryptographic hoops.
How do I check if my domain is signed?
Fortunately, the Cyber Security Agency (CSA) in Singapore has kindly provided an Internet Hygiene Portal (https://ihp.csa.gov.sg) where you can check the security status of your email and web servers. If you scroll about midway down, you’ll find a heading called Web Domain Security – which is responsible (at the time this article was written) for 16% of your score. So if you’re missing this, you’ll score no better than 84% – not even an A (and remember, if you’re Asian, “A is for Average”).
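One way to read the same signal yourself, as an added example that is not part of the original article: the script below classifies the text printed by `dig +dnssec <name>` using the response status, the AD (authenticated data) flag and the presence of RRSIG records. The sample outputs, names, addresses and signature are constructed for illustration.

```python
"""Classify a name's DNSSEC state from `dig +dnssec` text (added example)."""
import re

STATUS_RE = re.compile(r"status:\s*(\w+)")
# Anchored to the header's flags line so the EDNS "flags: do" line is ignored.
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)


def classify(dig_output: str) -> str:
    """Return 'validated', 'signed-unvalidated', 'unsigned' or 'failed'."""
    status, flags = STATUS_RE.search(dig_output), FLAGS_RE.search(dig_output)
    if not status or not flags:
        raise ValueError("header or flags line missing: not dig output")
    if status.group(1) != "NOERROR":
        # Validating resolvers answer SERVFAIL when signatures do not verify.
        return "failed"
    # Record lines do not start with ';'; the fourth field is the record type.
    rows = [ln.split() for ln in dig_output.splitlines() if ln and ln[0] != ";"]
    has_rrsig = any(len(r) > 3 and r[3] == "RRSIG" for r in rows)
    if "ad" in flags.group(1).split():
        return "validated"  # AD = the resolver verified the chain of trust
    return "signed-unvalidated" if has_rrsig else "unsigned"


# Constructed samples in dig's layout (reserved names, placeholder signature).
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN RRSIG A 13 3 300 20300101000000 20291201000000 12345 example.com. PLACEHOLDER==
"""
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
www.example.net. 300 IN A 192.0.2.20
"""
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for label, text in [("signed", VALIDATED), ("unsigned", UNSIGNED), ("bogus", BOGUS)]:
        print(label, "->", classify(text))
```

A "failed" result can also come from an ordinary resolver outage; repeating the query with `dig +cd` (checking disabled) shows whether the failure is caused by validation.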


Most of the other stuff on the scorecard you will likely be able to get your existing web host to fix, but you’re likely to find little help both online and from your current domain host on signing your .SG domain. There are a few reasons for this. For one, prior to the infrastructure being ready (SGNIC in late 2016, and the root KSK rollover in 2018), rolling domain signing out at scale would have been irresponsible. For another, it’s really, really hard the first few times you do this, and very few domain hosts (nobody other than us that we know of in Singapore) have invested the time, money and resources to build this. Bear in mind that this is not a one-time thing – not only does the domain need to be signed when you first implement DNSSEC, but in order to keep it running securely, the Zone Signing Key (ZSK) and the Key Signing Key (KSK) need to be rotated regularly to keep the bad guys out.
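Why the registrar has to be involved in signing, and why a KSK rotation is not a one-sided change, shown as an added example (not Lightspeed's code): the parent zone publishes a DS record, a SHA-256 digest of the child's KSK, and validators accept a KSK only if it matches that record. The zone name and key bytes are constructed placeholders.

```python
"""DS/DNSKEY binding between a parent zone and a child's KSK (added example)."""
import hashlib
import struct


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes.
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B checksum: the short id carried in DS and RRSIG records.
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def wire_name(name: str) -> bytes:
    # Canonical owner name: lowercase labels, length-prefixed, root label last.
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    # DS digest type 2: SHA-256 over owner name || DNSKEY RDATA (RFC 4509).
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def parent_accepts(ds: tuple, owner: str, rdata: bytes) -> bool:
    # A validator trusts a KSK only if the DS published by the parent matches.
    tag, digest = ds
    return tag == key_tag(rdata) and digest == ds_digest(owner, rdata)


# Constructed key material (64 placeholder bytes each, not real keys).
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))       # flags 257 = KSK
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))  # key after a rollover
DS_AT_PARENT = (key_tag(OLD_KSK), ds_digest(ZONE, OLD_KSK))

if __name__ == "__main__":
    print("old KSK accepted:", parent_accepts(DS_AT_PARENT, ZONE, OLD_KSK))
    # Until the registrar publishes a DS for the new key, validation would fail.
    print("new KSK accepted:", parent_accepts(DS_AT_PARENT, ZONE, NEW_KSK))
```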
How can Lightspeed help?
Well, we can really only help you sign a domain if we register/renew your domain AND host it – that’s because we already have the process in place all the way from the root of .SG to make sure your domain not only gets signed right but also that the regular ZSK and KSK rollovers happen seamlessly.

How much is this going to cost me?
We saved the best for last – even though a .sg domain is not the cheapest in the world, the good news is that moving your domain to us costs nothing, and 1st year registration and renewals are S$59 for one year and S$88 for two years, which is what you expect from a .SG registrar anyway. So basically, DNSSEC for .sg domains is now free[1] and painless for your .sg domain – all you have to do is say yes by clicking one of the two buttons below:

[1] For those of you who have domains ending in .com, .co or any top-level domain (TLD) other than .sg that do support DNSSEC, the regular annual fee of US$10 applies. Unfortunately, not all other TLDs support DNSSEC.

