DNS Institute recently analyzed 1590 DNS domains owned by the 100 largest banking institutions as defined in the S&P Global Bank ranking, from ABN AMRO Group NV through Woori Financial Group. Of those, 150 had a Delegation Signer (DS) record in the parent zone identifying the domain as DNSSEC-signed, and 207 domains had a DNSSEC signature.
Twenty-eight of these banking institutions had at least one domain with DNSSEC, a drop from DNS Institute's report of two years ago. The share of banking domains using DNSSEC seen in our research, however, doubled to 9.4%.
DNSSEC (Domain Name System Security Extensions) helps prevent, for example, users being directed to impersonated or fraudulent bank websites. DNSSEC has been available for over 17 years and has been mandated by the US government for federal domains since 2008.
In our new research, the banks with the most DNSSEC-signed domains were State Bank of India (26), Skandinaviska Enskilda Banken AB (22), and Svenska Handelsbanken AB (15). Twenty-three domains had signatures expiring within three days, and two domains had signatures expiring within one day. Twelve domains used the non-recommended RSA/SHA-1 algorithm. Thirteen domains had a signature with a zero-second caching time-to-live. One domain had an RRSIG Inception/Expiration validity period longer than a year.
Fifty-seven domains (from nine institutions) had experimental or partial DNSSEC deployments: they were DNSSEC-signed but had no chain of trust, because the parent zone published no Delegation Signer (DS) records for them.
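The signature checks listed above (near-term expiration, RSA/SHA-1, zero-second TTL, validity longer than a year) and the missing-DS condition can be reproduced from RRSIG records in zone-file presentation format. The script below is an added example, not DNS Institute's tooling; the bank-*.example names, the sample records and the fixed clock are constructed, and the set of domains with a parent DS stands in for a live parent-zone lookup so the code runs offline.

```python
from datetime import datetime, timedelta, timezone

# DNSSEC algorithm numbers from the IANA registry; 5 and 7 are the RSA/SHA-1 variants.
RSA_SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
TS_FMT = "%Y%m%d%H%M%S"  # RRSIG inception/expiration timestamp format (RFC 4034)

def parse_rrsig(line):
    """Parse one RRSIG in zone-file presentation format; field order follows RFC 4034 section 3.2."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    def utc(s): return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)
    return {"owner": f[0], "ttl": int(f[1]), "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": utc(f[8]), "inception": utc(f[9]), "key_tag": int(f[10]), "signer": f[11]}

def audit_rrsig(sig, now, has_parent_ds):
    """Return the findings for one signature: the same conditions the study reports on."""
    findings, remaining = [], sig["expiration"] - now
    if remaining <= timedelta(days=1):
        findings.append("signature expires within one day (or already expired)")
    elif remaining <= timedelta(days=3):
        findings.append("signature expires within three days")
    if sig["algorithm"] in RSA_SHA1_ALGS:
        findings.append("non-recommended algorithm " + RSA_SHA1_ALGS[sig["algorithm"]])
    if sig["ttl"] == 0:
        findings.append("zero-second TTL on RRSIG")
    if sig["expiration"] - sig["inception"] > timedelta(days=365):
        findings.append("validity period longer than a year")
    if not has_parent_ds:  # signed, but without a DS in the parent there is no chain of trust
        findings.append("no DS record in parent zone (no chain of trust)")
    return findings

def audit_records(lines, now, domains_with_ds):
    # domains_with_ds stands in for the parent-zone DS lookup so the audit runs offline
    report = {}
    for line in lines:
        sig = parse_rrsig(line)
        report[sig["owner"]] = audit_rrsig(sig, now, sig["owner"] in domains_with_ds)
    return report

# Constructed sample records (not real bank data); the trailing base64 signature is a placeholder.
SAMPLE_RRSIGS = [
    "bank-a.example. 3600 IN RRSIG A 13 2 3600 20240615000000 20240515000000 12345 bank-a.example. QUJD",
    "bank-b.example. 0 IN RRSIG A 5 2 3600 20240602120000 20240503120000 23456 bank-b.example. QUJD",
    "bank-c.example. 300 IN RRSIG SOA 8 2 300 20250601000000 20240101000000 34567 bank-c.example. QUJD",
    "bank-d.example. 3600 IN RRSIG A 8 2 3600 20240601120000 20240502120000 45678 bank-d.example. QUJD",
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
DS_PRESENT = {"bank-a.example.", "bank-b.example.", "bank-c.example."}  # bank-d has no parent DS
REPORT = audit_records(SAMPLE_RRSIGS, NOW, DS_PRESENT)  # bank-a is clean; bank-b has three findings
```

Feeding the script the RRSIG output of a zone transfer or `dig +dnssec` query, together with the real DS lookups, gives the per-domain findings the study tabulates.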
DNS Institute offers exhaustive DNS analysis based on IETF RFC specifications, government mandates, registry requirements, and best practices. For example, this recent bank study detected 28 nameservers that didn't answer over IPv6/UDP, nameservers using private (internal) addresses, 15 domains with (supposed) nameservers that had no addresses, 13 authoritative nameservers offering public recursive service, and over 50 additional anomalies.