DNSSEC Report 2020-10 for Top 100 Banking Institutions

Study indicates most large banking institutions still do not fully use DNS Security

Research from the DNS Institute indicated that only 35% of the largest banking institutions use DNSSEC technology for verifying that their domain name data has not been altered. The analysis included 1594 domains owned by the 100 largest global banking institutions as defined in the S&P Global Bank ranking. Of the total domains, only 4.7% of the domains in the bank study utilized DNSSEC.

The Domain Name System (DNS) is the distributed database used for converting domain names into Internet addresses. DNSSEC, or Domain Name System Security Extensions, lets resolvers verify that DNS data has not been altered, which helps prevent users from being sent to impersonated or fraudulent bank websites, for example. DNSSEC has been available for 15 years and has been mandated by the US government for federal domains since 2008.

Last year, DNS Institute reported that 16% of the largest banking institutions offered DNSSEC. In the new research, the banks with the most DNSSEC-signed domains were Svenska Handelsbanken AB (13), Oversea-Chinese Banking Corp. Ltd. (10), Danske Bank A/S (10), and Lloyds Banking Group PLC (9).

No banks had DNSSEC for all of their domains. Seventy-five percent of the Lloyds Banking Group domains, 67% of the Danske Bank domains, and 53% of the Oversea-Chinese Banking Corp. Ltd. domains were DNSSEC-signed in the research.

Thirty-three domains used an RSA key size smaller than the recommended 2048 bits. Eleven domains used a non-recommended RSA/SHA-1 algorithm. Three domains had valid signatures over three months old (indicating an infrequent re-signing period). Fourteen domains had a signature expiration within three days.

One domain owned by Svenska Handelsbanken had an expired DNSSEC signature.

Sixty-two domains (from eight banks) were DNSSEC-signed without a chain-of-trust due to no parent Delegation Signer (DS) records. This indeterminate status indicates experimentation or upcoming DNSSEC deployment plans.
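The findings in the three paragraphs above (undersized RSA keys, RSA/SHA-1 algorithms, stale or nearly expired signatures, an expired signature, and signed zones with no parent DS record) are all checks that can be run against a zone's published DNSKEY, RRSIG and DS records. The following is an added example written for this page, not DNS Institute's tooling and not code from the report. It works offline on records already fetched in presentation form; the zone data, the key material (a synthetic modulus of the right length, not a real RSA key) and the fixed reference time are constructed, and the 90-day and 3-day thresholds are taken from the report's wording.

```python
"""Offline DNSSEC hygiene checks of the kind the report tallies.

Constructed example: the DNSKEY/RRSIG/DS data below is synthetic and the
reference time is fixed so the checks are reproducible. Not DNS Institute's
tooling; it only reads records already fetched in presentation format.
"""
import base64
from datetime import datetime, timedelta, timezone

RECOMMENDED_MIN_RSA_BITS = 2048
RSA_ALGORITHMS = {5, 7, 8, 10}            # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
SHA1_ALGORITHMS = {5, 7}                  # RSA/SHA-1 variants (not recommended, RFC 8624)
STALE_SIGNATURE_AGE = timedelta(days=90)  # report: "over three months old"
EXPIRY_WARNING = timedelta(days=3)        # report: "expiration within three days"


def rsa_modulus_bits(public_key_b64: str) -> int:
    """Return the RSA modulus size from an RFC 3110 DNSKEY public key field."""
    raw = base64.b64decode(public_key_b64)
    exp_len = raw[0]
    offset = 1
    if exp_len == 0:                       # long form: 2-byte exponent length follows
        exp_len = int.from_bytes(raw[1:3], "big")
        offset = 3
    modulus = raw[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_rrsig_time(ts: str) -> datetime:
    """Parse an RRSIG YYYYMMDDHHmmSS timestamp as UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_zone(zone: dict, now: datetime) -> list:
    """Run the report's checks against one zone's records; return findings."""
    findings = []
    for key in zone["dnskey"]:             # each: {"flags", "algorithm", "public_key"}
        alg = key["algorithm"]
        if alg in SHA1_ALGORITHMS:
            findings.append(f"DNSKEY uses RSA/SHA-1 algorithm {alg}")
        if alg in RSA_ALGORITHMS:
            bits = rsa_modulus_bits(key["public_key"])
            if bits < RECOMMENDED_MIN_RSA_BITS:
                findings.append(f"DNSKEY RSA key is {bits} bits (< {RECOMMENDED_MIN_RSA_BITS})")
    for sig in zone["rrsig"]:              # each: {"type_covered", "inception", "expiration"}
        exp = parse_rrsig_time(sig["expiration"])
        inc = parse_rrsig_time(sig["inception"])
        covered = sig["type_covered"]
        if exp <= now:
            findings.append(f"RRSIG over {covered} expired at {exp:%Y-%m-%d}")
        elif exp - now <= EXPIRY_WARNING:
            findings.append(f"RRSIG over {covered} expires within 3 days")
        if now - inc > STALE_SIGNATURE_AGE:
            findings.append(f"RRSIG over {covered} is older than 90 days (infrequent re-signing)")
    # A signed zone with no DS in the parent has no chain of trust from the root.
    if zone["dnskey"] and not zone["parent_ds"]:
        findings.append("signed zone has no DS record in the parent (no chain of trust)")
    return findings


def constructed_rsa_key(bits: int, exponent: int = 65537) -> str:
    """Build a synthetic RFC 3110 key field whose modulus has the given size.
    The modulus is NOT a real RSA modulus; only its length matters here."""
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = (1 << (bits - 1)) | 1        # top bit set so bit_length() == bits
    mod_bytes = modulus.to_bytes((bits + 7) // 8, "big")
    return base64.b64encode(bytes([len(exp_bytes)]) + exp_bytes + mod_bytes).decode()


NOW = datetime(2020, 10, 15, tzinfo=timezone.utc)  # constructed reference time

# Constructed zone exhibiting every condition the report counts:
# a 1024-bit RSA/SHA-1 KSK, a signature that is both stale and about to
# expire, an already expired signature, and no DS record in the parent.
SAMPLE_ZONE = {
    "dnskey": [
        {"flags": 257, "algorithm": 7, "public_key": constructed_rsa_key(1024)},
        {"flags": 256, "algorithm": 8, "public_key": constructed_rsa_key(2048)},
    ],
    "rrsig": [
        {"type_covered": "DNSKEY", "inception": "20200601000000", "expiration": "20201017000000"},
        {"type_covered": "A", "inception": "20200901000000", "expiration": "20201001000000"},
    ],
    "parent_ds": [],
}

if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE, NOW):
        print("-", finding)
```

On live data the record dictionaries would be filled from the zone's DNSKEY and RRSIG RRsets and from a DS query sent to the parent zone's nameservers; the checks themselves do not change.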

DNS Institute offers exhaustive DNS analysis and commercial monitoring based on IETF RFC specifications and best practices, government requirements, and registry guidelines. This particular recent bank study found 13 domains with no working delegations, 88 domains with TCP failures for at least one nameserver, 1146 domains with at least one IPv6 failure, and 658 with complete IPv6 failures. For this single bank study, 47 unique checks indicated problems, for a total of 106,009 detected anomalies. Additional bank research identified several security vulnerabilities.

DNS Institute frequently publishes research and educational reports. Follow them via Facebook at https://facebook.com/dnsinst/ and Twitter at https://twitter.com/DNSInstitute.