

                                                     Reachability on the Internet
                                                     Health Status of .SE 2009


                 1      Introduction ......................................... 3
                        1.1    This document ............................................................................... 3
                        1.2    Abbreviations and glossary............................................................ 3

                 2      Summary ............................................. 5
                 3      About the study.................................... 7
                 4      About the DNSCheck test tool ............ 10
                 5      Quality DNS service ........................... 11
                        5.1    What do we mean by “quality of the DNS service”? ......................11

                 6      Tests performed in 2009 ..................... 12
                        6.1    Test subjects ................................................................................12

                 7      Observations for 2009 ........................ 13
                        7.1    Test of DNS – errors and warnings ...............................................13
                        7.2    The most common errors ..............................................................14
                        7.3    Comparison over time – errors and warnings ................................16
                        7.4    Name servers’ connections to the Internet ....................................18
                        7.5    Name servers with IPv6 ................................................................20
                        7.6    Name servers with recursion activated ..........................................22
                        7.7    Use of DNSSEC ............................................................................23

                 8      Important parameters for e-mail ......... 26
                        8.1    Support for transport security (TLS) ..............................................26
                        8.2    Location of e-mail servers ............................................................28
                        8.3    Action against spam .....................................................................30

                 9      Key parameters for web servers ......... 33
                        9.1    Connection of web servers ...........................................................33
                        9.2    Software for web servers ..............................................................33
                        9.3    Support for transport security .......................................................34

                 10 Comparison with the .se zone as a whole 38
                 11 Advice and recommendations ............ 41
                        Development project – OpenDNSSEC ....................................................47

                                                       Page 2 of 47


      1          Introduction
      1.1        This document
                 This document is a report from a study performed by .SE in 2009 for the third consecutive
                 year. The purpose of the study is to analyze the quality and reachability of the domain name
                 system (DNS) in the .se zone and a number of other key functions of domains registered in
                 .se. This year’s study is largely, though not completely, a follow-up of similar studies
                 conducted in 2007 and 2008. For the first time, we also have sufficient material to compare
                 the results of these studies over a longer period of time.
                 This report is primarily aimed at IT strategists and IT managers, but is naturally also
                 intended for persons responsible for the operation and management of an organization’s IT
                 and information systems. The document is also intended to be suitable for reading by
                 individuals with an advanced interest in technology.
                 More information about the content of the report is available from Anne-Marie Eklund
                 Löwinder, Head of Quality and Security at .SE. Her e-mail address is anne-marie.eklund-

      1.2        Abbreviations and glossary
                        Child zone              The underlying zone – for example, is the child zone
                                                of the parent zone .se.
                        BCP                     Best Common Practice.
                        DKIM                    Domain Keys Identified Mail. DKIM makes it possible for e-mail
                                                servers to send and receive electronically signed e-mail.
                        DNS                     Domain Name System. An international, hierarchically designed,
                                                distributed database that is used to find information about
                                                allocated domain names on the Internet. The domain name system
                                                is the system that translates domain names (for example, to
                                                IP addresses used for communication over IP networks (for
                                                example, the Internet).
                        DNS data                Information stored with a registry that states which name servers
                                                are to respond to requests for a certain domain.
                        DNSSEC                  Secure DNS. DNSSEC is an internationally standardized expansion
                                                of DNS that ensures more secure domain name lookups and
                                                reduces the risk of manipulation of information and forgery of
                                                domain names. DNSSEC’s fundamental mechanism is
                                                cryptographic technology that uses digital signatures.
                        DNS server              See Name server.
                        Domain                  The name of a level in the domain name system.
                        Domain name             A unique name, comprising parts of a name, in which a domain at
                                                a lower level in the domain name system comes before a higher
                                                level domain. A registered domain name is a domain name that is
                                                held by a certain registrant after allocation.
                        Parent zone             The overlying zone – for example, .se is the parent zone of
                                       See also Child zone.



                        IP address              Numerical address that is allocated to each computer that will be
                                                reachable over the Internet.
                        Name server             A computer with programs that store and/or distribute zones, and
                                                that receives and responds to domain-name requests.
                        Name server operator    An operator that provides a DNS function to Internet users.
                        Resolver                The software that translates names to IP addresses and vice versa.
                        SOA                     Start of Authority. A pointer on where information about a zone
                        TLS/SSL                 SSL (Secure Sockets Layer) is a standard for encrypting
                                                communications over networks such as the Internet.
                                                Communications using HTTP over SSL are known as HTTPS. Now
                                                replaced by the IETF’s (Internet Engineering Task Force) open
                                                standard TLS (Transport Layer Security).
                        Zone                    Delimitation of the administrative responsibility for the domain
                                                name tree. A zone comprises a cohesive part of the domain name
                                                tree that is administered by an organization and stored on its
                                                name servers.
                        Zone file               A data file with the information required about a zone so that it is
                                                possible to use addressing with DNS.



      2          Summary
                 The considerable interest shown in the results of the 2008 study convinced us at .SE (the
                 Internet Infrastructure Foundation) to continue conducting the study in 2009 for the third
                 consecutive year. This study is part of a long-term project known as Health Status, which is
                 still under development.
                 The objective in publishing the results of these studies once a year is to draw attention to
                 the problems and deficiencies of some domains in the .se zone. Conducting the study in
                 several consecutive years also allows emerging trends to be observed and enables .SE to
                 determine whether the effects of its advice and recommendations can be traced and whether
                 any measures have been implemented by the organizations studied.
                 The study conducted in 2007 confirmed .SE’s hypothesis that knowledge of what is
                 required to maintain a high level of quality in the domain name system (DNS), for example,
                 is generally deficient, although the interpretation of what constitutes “high quality” can of
                 course be discussed. In this case, we have used our own definition of “high quality,” but
                 have based this definition on recommendations from international Best Common Practice. In
                 addition, there is reason to believe that these knowledge deficiencies also apply to
                 competencies in both operations and operational responsibility.
                 Like the study conducted in 2008, this year’s study primarily investigated DNS quality.
                 However, as in previous years, we also opted to study some other key parameters, such as e-
                 mail and web servers. This year’s study also included a more in-depth analysis of the use of
                 IPv6. The study was performed in October 2009.
                 The tests encompassed a total of 663 domains distributed among 867 unique name servers,
                 or 1,870 name servers. In this context, “unique” refers to servers with unique IP addresses.
                 A name server with an operator can house several domains.
                 Although we have endeavored to keep to approximately the same test group as in the 2008
                 study, certain changes have occurred, which means that the studies conducted over the years
                 are not entirely comparable. For example, 671 domains were investigated in 2008,
                 compared with 663 in 2009. One of the main reasons for the lower number of domains is
                 that changes have occurred among a number of government authorities, including closures,
                 mergers and new additions. Another change is that this year’s study included the 30 largest
                 listed companies on OMX, as well as new universities and colleges. Moreover, in this year’s
                 study, a domain name may be included in several categories, although only once in the
                 entire group. This means that the total number of domains in the various categories is 671,
                 meaning that there are eight duplicates. Most of these duplicates are domains that are
                 included in the category OMX30 and another category.
                 One change to the 2009 study is that we have further developed the user interface for the
                 test tool to make it easier to examine and compare the results from various categories. In
                 this year’s study, we not only conducted automated tests on a predetermined number of .se
                 domains, but also performed the same tests on a control group comprising 10,000 randomly
                 selected domains from the entire .se zone. As in previous years, we also conducted certain
                 supplementary studies, primarily in the areas of security and web servers.
                 Section 3 outlines our reasons for conducting the study and provides an overview of the
                 control points studied. Section 4 provides more detailed information about the DNSCheck
                 test tool and section 5 provides our definition of “Quality DNS service.” Sections 6 to 10
                 examine the results of the study and section 11 provides a summary of .SE’s advice and


                 Of the 663 domains included in the test group, 23 percent had serious errors that should be
                 corrected immediately and 34 percent had errors of a nature that generated a warning.
                 Accordingly, our observations indicate that improvements are being made in certain areas.
                 Despite deficiencies, the total percentage of serious errors and warnings has declined
                 somewhat over the three years in which the study has been performed.



      3          About the study
                 Since its foundation, .SE, which has been responsible for the operation and administration of
                 all name servers for .se domains since 1997, has amassed solid experience with regard to the
                 domain name system (DNS). Best Common Practice for the DNS has gradually emerged
                 from the organization’s own and other parties’ mistakes and experiences, and this practice
                 can also be applied to environments other than top-level domains. The DNS is a
                 relatively little-known system that has existed for more than 25 years. Throughout the
                 years, the DNS has proven to offer exceptional scalability and robust design. Essentially no
                 changes have been required in the basic protocols, despite the enormous growth of the
                 Internet. However, the DNS has become increasingly important to the existence of a
                 functioning communication between Internet users worldwide, and this requires that all
                 areas of the DNS maintain a high level of quality.
                 .SE’s launch of the DNSSEC service for more secure DNS has also contributed to a greater
                 focus on DNS and DNS operation. Companies wishing to make their DNS infrastructure
                 more secure by using DNSSEC realize relatively quickly that they cannot introduce the
                 mechanism until they first review their own DNS infrastructure as a whole.
                 For this reason, we are interested in finding out how well prepared domains in .se are for
                 DNSSEC. This – as well as the fact that we are responsible for the Swedish top-level domain
                 – is the reason why our tests focused on the quality of DNS.
                 For computers and other equipment to be able to communicate with one another over the
                 Internet, they must use a shared communication architecture. This means that they must
                 use the same structure rules for communication, or the same protocol. The shared
                 communication architecture is based on Internet Protocol (IP). The Internet is now
                 dominated by IPv4 (IP version 4), created back in 1981.
                 The IP addresses, that is, the unique number series that identify each unit connected to the
                 Internet, are 32-bit numbers. That means that for IPv4, there can only be slightly more
                 than four billion unique IP addresses. As more and more people worldwide gain access to
                 Internet connections, we are approaching a point when there will be a shortage of Internet
                 addresses. According to various forecasts, this problem is expected to reach critical status
                 sometime between 2010 and 2011.
                 The solution for this shortage of addresses is to introduce a new version of the IP protocol,
                 IPv6, with 128-bit addresses. With IPv6, there will be enough addresses for the foreseeable
                 future. A rich supply of IP addresses will also facilitate access to applications that would
                 otherwise be difficult to realize in practice, such as intelligent homes in which all
                 technological equipment is linked with a single specific IP address.
                 Some forecasts predict that the addresses will run out and the transition to IPv6 will
                 become necessary before there is time to develop the protocol. This is one of the reasons that
                 this year’s study took a closer look at the current distribution of IPv6.
                 .SE is also interested in investigating how organizations manage other aspects of their
                 communications, primarily with respect to transport security for e-mail and web-server
                 traffic. According to its charter, the purpose of the Foundation shall be “to promote positive
                 stability in Internet infrastructure in Sweden and to promote research, training and education in data
                 and telecommunication, with a specific focus on the Internet.



                 By so doing, the Foundation must assign priority areas that increase the efficiency of the infrastructure
                 for electronic data communication, whereby the Foundation, inter alia, shall disseminate information
                 concerning R&D efforts, initiate and implement R&D projects and implement high-quality inquiries.”
                 Secure Internet infrastructure is a key area for us.



                 In this year’s study, we gathered facts for the following control points:

                 •   How does the organization manage its own DNS? Who is responsible for DNS for the
                     organization, what is its structure (in relation to what can be considered to be industry
                     standard or Best Common Practice, BCP), what are the most serious deficiencies and in
                     what categories do they most commonly occur?

                 •   How does the organization manage its e-mail? Are the servers located in or outside
                     Sweden, is TLS/SSL (transport security) accepted, how widespread is the use of SPF or
                     DKIM (technology for reducing the amount of spam)?

                 •   How does the organization connect its web server to the Internet? Where are the servers
                     located, which server software is used, and does the organization use web certificates,
                     meaning does it have support for TLS/SSL (transport security)? How are server
                     certificates obtained?
                 The domains and name servers of a large number of important organizations in society were
                 tested: public service and state-owned companies; listed companies; banks and finance
                 companies; Internet service providers; municipalities; county councils; media companies;
                 government authorities, including county administrative boards; and universities and
                 colleges, a total of 663 domains.
                 The data-collection process was fully automated and included testing for the most
                 commonly occurring errors and errors we associate with DNS operation, e-mail and web-
                 server management.
                 With these tests, we investigated how well the organizations’ systems function in different
                 contexts, the areas in which the most serious errors arise and the possible consequences. This
                 year, we also had a better opportunity to compare the results with previous studies, since we
                 now have access to the results from two earlier years, enabling us to draw conclusions on
                 developments in the area.
                 We have also linked recommendations to this information on what we would like the DNS
                 infrastructure to be like in more general terms. Finally, we have provided some guidelines
                 and recommendations containing proposals to the responsible authorities that we consider
                 to be suitable parties with which to pursue the study in greater detail. These questions are
                 essentially the same as in the preceding year’s study, since we have not been able to verify
                 that any radical changes have occurred in this context. However, we would ideally like to
                 see authorities with decision-making powers accept these proposals and take appropriate
                 This study is part of .SE’s investment in an area known as Health Status. The objective of
                 this investment area is to monitor the quality of the Internet’s infrastructure in Sweden. .SE
                 aims to contribute to ensuring that the infrastructure has effective functionality and high
                 availability. When necessary, .SE also draws attention to deficiencies and anomalies. The
                 goal for 2009 has been to firmly establish the investment area, and .SE has implemented
                 continuous improvements with regard to methodology support and areas of investigation.
                 The Health Status Project is financed by .SE and run by Project Manager Patrik Wallström.
                 The results of this year’s study were analyzed and the report compiled by Anne-Marie
                 Eklund Löwinder, Head of Quality and Security at .SE. The programming and practical
                 implementation of the tests was performed on behalf of .SE by Calle Dybedahl, Consultant
                 at Init. Investigations pertaining to server certificates and web servers were performed by
                 Robert Malmgren, Romab. The examination of the statistical analysis was performed by
                 Anders Örtengren, Mistat AB.


      4          About the DNSCheck test tool
                 We used the software for .SE’s DNSCheck service as the engine for carrying out the study.
                 DNSCheck is a program designed to help people check, measure and, it is hoped, better
                 understand how the domain name system functions. When a domain (also known as a zone)
                 is sent to DNSCheck, the program investigates the health status of the domain by analyzing
                 the DNS from its root (.) via the TLD (top-level domain – for example, .se) up to the name
                 servers containing information about the specified domain (for example, DNSCheck
                 also performs a number of other tests, such as validating DNSSEC signatures, checking
                 that the various host computers are accessible and that the IP addresses are valid.
                 The tool is available for use at
                 We have redesigned the framework for this year’s study to enable us to perform
                 supplementary tests and save historical data from earlier test runs so that it is easily
                 accessible for comparisons. New tests were performed, for example, to measure the existence
                 of IPv6 and the use of SPF and DKIM to manage spam. A separate test engine was designed
                 to test various parameters for web servers.
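The delegation walk and checks described in this section, as an added example (not DNSCheck's own code): a toy checker in Python that walks root to TLD to child over constructed in-memory DNS data, checks that every delegated name server has a valid public address and answers authoritatively, compares the parent's and child's NS sets, and notes whether any name server has an IPv6 address. The domains, hosts and addresses are constructed, and the error/warning split is my own approximation of the report's categories, not DNSCheck's rule set.

```python
"""Toy delegation walk modelled on the DNSCheck tests described above (added
example, not DNSCheck's code). All DNS data is constructed in-memory, so it
runs offline; the error/warning split is the author's approximation of the
report's categories, not DNSCheck's real rule set."""
import ipaddress
from dataclasses import dataclass, field

ROOT = "198.41.0.4"  # a.root-servers.net; only a dictionary key here, never contacted
# Constructed answers: (server_ip, qname, qtype) -> (aa_flag, [rdata]); missing key = no reply.
# Addresses use the documentation ranges 192.0.2.0/24 and 2001:db8::/32.
DNS = {
    (ROOT, "se.", "NS"): (False, ["a.ns.se.", "b.ns.se."]),       # root -> TLD (assumed hosts)
    (ROOT, "a.ns.se.", "A"): (False, ["192.0.2.1"]),
    (ROOT, "b.ns.se.", "A"): (False, ["192.0.2.2"]),
    ("192.0.2.1", "broken.se.", "NS"): (False, ["ns1.broken.se.", "ns2.broken.se."]),
    ("192.0.2.1", "ns1.broken.se.", "A"): (False, ["192.0.2.10"]),
    ("192.0.2.1", "ns2.broken.se.", "A"): (False, ["10.0.0.5"]),  # RFC 1918 glue: unreachable
    ("192.0.2.1", "clean.se.", "NS"): (False, ["ns1.clean.se.", "ns2.clean.se."]),
    ("192.0.2.1", "ns1.clean.se.", "A"): (False, ["192.0.2.20"]),
    ("192.0.2.1", "ns2.clean.se.", "A"): (False, ["192.0.2.21"]),
    # broken.se child: authoritative, but its NS set disagrees with the parent's delegation
    ("192.0.2.10", "broken.se.", "NS"): (True, ["ns1.broken.se.", "ns3.broken.se."]),
    ("192.0.2.10", "ns1.broken.se.", "AAAA"): (True, ["2001:db8::10"]),
    # clean.se child: consistent and authoritative on both servers, IPv4 only
    ("192.0.2.20", "clean.se.", "NS"): (True, ["ns1.clean.se.", "ns2.clean.se."]),
    ("192.0.2.21", "clean.se.", "NS"): (True, ["ns1.clean.se.", "ns2.clean.se."]),
}
# Ranges a public name server must not live in (loopback, RFC 1918, link-local, ULA, multicast).
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]


def query(server, qname, qtype):
    """One constructed lookup; None models a server that does not respond."""
    return DNS.get((server, qname, qtype))


def addresses_at(server, host):
    """A and AAAA records for host as seen from server (glue or the child's own data)."""
    return [a for t in ("A", "AAAA") for a in (query(server, host, t) or (None, []))[1]]


def is_usable_address(addr):
    # 'in' is False across IP versions, so mixed v4/v6 networks are safe to test together
    return not any(ipaddress.ip_address(addr) in net for net in RESERVED)


@dataclass
class Result:
    errors: list = field(default_factory=list)      # serious: fix immediately
    warnings: list = field(default_factory=list)    # affects quality, less urgent
    notices: list = field(default_factory=list)     # informational (IPv6 presence)


def check_domain(domain):
    """Walk root -> TLD -> child as the report describes and collect findings."""
    res = Result()
    tld = domain.split(".", 1)[1]                   # "broken.se." -> "se."
    tld_ns = query(ROOT, tld, "NS")
    if not tld_ns:
        res.errors.append(f"root returns no delegation for {tld}")
        return res
    parent_ns = tld_srv = None
    for host in tld_ns[1]:                          # first TLD server that answers wins
        for tld_srv in addresses_at(ROOT, host):
            if parent_ns := query(tld_srv, domain, "NS"):
                break
        if parent_ns:
            break
    if not parent_ns:
        res.errors.append(f"{tld} servers return no delegation for {domain}")
        return res
    parent_set = set(parent_ns[1])
    if len(parent_set) < 2:
        res.errors.append("fewer than two name servers delegated")
    child_sets, auth_addrs = {}, []
    for host in sorted(parent_set):                 # every delegated server must answer
        addrs = addresses_at(tld_srv, host)
        if not addrs:
            res.errors.append(f"{host}: no address (glue) at the parent")
        for addr in addrs:
            if not is_usable_address(addr):
                res.errors.append(f"{host}: {addr} is not a valid public address")
            elif (ans := query(addr, domain, "NS")) is None:
                res.errors.append(f"{host} ({addr}): no response for {domain}")
            elif not ans[0]:
                res.errors.append(f"{host} ({addr}): answer is not authoritative")
            else:
                child_sets[host] = set(ans[1])
                auth_addrs.append(addr)
    for host, cset in child_sets.items():           # parent vs child NS set consistency
        if parent_set - cset:
            res.errors.append(f"{host}: parent delegates {sorted(parent_set - cset)}, child omits them")
        if cset - parent_set:
            res.warnings.append(f"{host}: child lists {sorted(cset - parent_set)}, parent does not")
    seen = [a for h in parent_set for s in [tld_srv] + auth_addrs for a in addresses_at(s, h)]
    if not any(ipaddress.ip_address(a).version == 6 for a in seen):
        res.notices.append("no name server has an IPv6 address")
    return res


def classify(res):
    """Report-style verdict: any serious error puts the domain in the 'error' bar."""
    return "error" if res.errors else "warning" if res.warnings else "ok"
```

Running `check_domain("broken.se.")` yields two errors (private glue address, NS missing from the child zone) and one warning (an extra NS only the child lists), while `clean.se.` passes with only the IPv6 notice.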
                 To facilitate comparisons, we have also designed an internal web interface to enable us to
                 monitor, compile and analyze the results for all domains included, or for individual
                 categories and domains, in a manner that would have been more difficult using the previous



      5          Quality DNS service
                 The domain name system is one of the cornerstones of the Internet and is designed to
                 simplify the process of addressing resources on the Internet. Every connected unit has its
                 own IP address that, with the help of the DNS, can be linked to an address in a form that is
                 easier for us to handle as people. In other words, the DNS enables users to enter a web
                 address, for example, in text format instead of using the IP address (which would also work
                 provided that you remember it). Our definition of quality in the DNS service presented in
                 section 5.1 below has not changed for this study.
                 It is important that an organization’s own DNS infrastructure complies with the current
                 standards and that it is designed in such a manner that it provides a robust service with a
                 high level of reachability, regardless of whether the organization operates the DNS itself or
                 has outsourced operation to a partner.
                 Our starting point for the project is a definition of what is considered to be a good DNS
                 infrastructure, an industry standard based on experience or Best Common Practice (BCP).
                 The study conducted in 2008 led to the conclusion that knowledge of what is required to
                 maintain a high level of quality in the domain name system (DNS), for example, was
                 deficient, although the interpretation of what constitutes “high quality” can of course be
                 discussed. There is reason to believe that these knowledge deficiencies probably also apply
                 to operations and operational responsibility. However, the fact that some of the most serious
                 errors continue to recur relatively frequently indicates that the situation has hardly
                 improved since earlier studies. However, the total percentage of serious errors and warnings
                 has declined somewhat over the three years in which the study has been performed.

      5.1        What do we mean by “quality of the DNS service”?
                 In brief, a high-quality DNS service entails the following:

                 •   the organization has a robust DNS infrastructure with a high level of reachability,

                 •   all name servers involved respond to queries correctly,

                 •   domains and servers are correctly set up,

                 •   data in the domain name system about individual domains is correct and authentic,

                 •   the organization meets the requirements imposed by the relevant Internet standards and
                     other standards.
                 In Appendix 1, we have described the key measures that must be implemented to create an
                 overall high-quality DNS infrastructure.



      6          Tests performed in 2009
                 The tests performed in 2009 included the configuration of domains and the name servers
                 that respond to queries about the domain. We also tested some of what we consider to be
                 the most important parameters for e-mail and web servers. The tests made use of software
                 that automatically checks the various control points stated in the industry standard for all
                 domains included in the study, as a whole and per category. In addition, the software was
                 supplemented with questions regarding such areas as e-mail and web-server management. A
                 separate study was also performed to more closely examine various issues related to
                 providing more secure web services.

      6.1        Test subjects
                 Tests were performed on a total of 663 domains and 867 unique name servers. The test
                 subjects were grouped into the following categories:

                 •   Public service and state-owned companies (40)

                 •   Banks and insurance companies (21)

                 •   Internet service providers (ISPs) (15)

                 •   Municipalities (290)

                 •   County councils (21)

                 •   Media companies (24)

                 •   Government authorities, including county administrative boards (excluding authorities
                     under the Swedish Parliament) (231)

                 •   OMX-listed companies (30)

                 •   Universities and colleges (33)
                 Eight domains were duplicates, meaning that they were included in more than one
                 category. Of the domains tested, 23 percent had serious errors that should be corrected
                 immediately and 34 percent had errors of a nature that generated a warning.

                 WORTH KNOWING
                 Error: Anything marked as an error in the study should be corrected immediately so that
                 the organization can be assured of a high level of availability and reachability in the DNS
                 and other resources.
                 Warnings: Warnings are also errors that may affect operation, but immediate action is not
                 deemed to be as urgent, although corrective measures would naturally enhance quality.

      7          Observations for 2009
      7.1        Test of DNS – errors and warnings
                 The following graph shows the distribution between errors and warnings among the various
                 categories included in the study:
                 Graph 1: Errors and warnings (bar chart, percent of organizations per category on a
                 0 to 100 scale, series Errors and Warnings; bar values are not recoverable from this copy)

                 The above graph shows the percentage of errors and warnings for the entire test group (All)
                 and for each individual category. The bars of the graph should be read so that, of the 663
                 organizations included in the study, 23 percent had serious errors and 34 percent had errors
                 of a nature that generated a warning. Of the 21 county councils studied, one third (33
                 percent) had serious errors and one third (33 percent) had errors of a nature that generated a
                 warning, etc.
                 The graph shows that the situation for the test group as a whole has improved since 2008.
                 A comparison of the various categories shows that the situation is much better among
                 universities and colleges and service providers than among the other categories, a factor that
                 may have contributed to the improvement of the overall result. Naturally, organizations in
                 these categories can also be expected to have the strongest knowledge and competence in
                 this area.
                 The graph also indicates that county councils remain the group with the largest number of
                 errors in terms of percentages. In this group, nearly 33 percent of all name servers were
                 impaired with some form of error that could be seen as serious. This is the same result as in
                 2008. In the newly added group OMX30, 30 percent of the companies tested had serious
                 errors, followed by banks and insurance companies at 29 percent. Accordingly, we have
                 reason to fear that the availability of information and services in companies in these
                 categories is worse than it should be.

      7.2        The most common errors
                 Among the domains and name servers tested, the most common errors were:

                 •   The name server did not respond to queries over TCP (Transmission Control Protocol).
                     The reason is likely that the DNS server was not correctly set up or the firewall was
                     incorrectly configured. It is a fairly common misconception that a DNS server does
                     not need to be able to communicate over TCP (if it does not serve zone transfers).
                     However, TCP is usually a requirement, and the need for it is increasing as new
                     protocols cause it to be used more extensively than in the past. This error indicates
                     that the person who configured the name server has insufficient knowledge of the DNS.

                 •   The organization has an inconsistent name server structure (NS). The name servers
                     listed with NS entries in the child zone differ from the information found in the DNS
                     in the parent zone and, accordingly, the name servers cannot assume authoritative and
                     proper responsibility for the domain. Inconsistent information negatively affects the
                     availability of the domain and indicates deficiencies in the internal DNS
                     management. Some examples of such inconsistencies are provided below:
                          -   The IP address of a DNS server in the child zone is not the same as in the
                              parent zone in the level above. This is a configuration error and should be
                              corrected as soon as possible. The administrator for the domain has probably
                              forgotten to make an update after a change took place.
                          -   A DNS server is listed in the parent zone but not in the child zone. This is
                              probably an administrative error. The parent zone must be updated as soon as
                              possible so that it lists the same DNS servers as those listed in the child
                              zone. The consequence of such an error is that the redundancy that someone
                              has tried to create essentially does not exist.

                 •   The DNS server did not respond to queries over UDP (User Datagram Protocol). The
                     reason is likely that the DNS server was not correctly set up or the firewall was
                     incorrectly configured. A name server that responds to neither TCP nor UDP is
                     probably not reachable at all, so the error may lie elsewhere, for example in the
                     name server’s connection, or the server may not have a correctly stated IP

                 •   Only one DNS server is found for the domain. There should always be at least two DNS
                     servers for one domain so that temporary problems with connections can be handled. If
                     one of the servers or the connection to it were to stop functioning, services directed from
                     the name server would also be rendered unavailable.

                 •   The DNS server is recursive. The DNS server responds to recursive queries from third
                     parties (as in DNSCheck). Using recursive queries to a DNS server open for recursion, an
                     attacker can make the DNS server look up and cache information found in zones
                     controlled by the attacker (see section 6.7). The DNS server may thereby be induced
                     to send queries to the attacker’s false DNS servers, which results in the DNS server
                     under attack caching and presenting false data.
                 •    The SOA serial number is not the same in all DNS servers. This is usually due to an
                      incorrect configuration, but is sometimes due to slow dissemination of the zone to
                      secondary DNS servers. This means that users looking for resources under a domain may
                      receive different responses depending on which name server receives the request.

                 Naturally, there is a difference between whether a domain has one error or several errors
                 which also often interact. Accordingly, as we did last year, we have also examined the
                 distribution of the number of errors in terms of quantity and among the different categories.
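                 The checks behind the errors listed above can be expressed as a small program. The
                 following is an added example, not DNSCheck or .SE code: it runs the delegation checks
                 over constructed sample data (documentation address ranges, made-up server names and
                 serials) instead of live queries, and reports the share of domains with 0, 1, 2 or 3 or
                 more errors in the same way as Graph 2 does.

```python
"""Added example (not DNSCheck or .SE code): the delegation checks behind the
most common errors listed above, run offline over constructed sample data.

Checks implemented:
  - name server listed in the parent zone but not in the child zone, or vice versa
  - glue address in the parent differs from the address given in the child zone
  - fewer than two name servers for the domain
  - SOA serial differs between the domain's name servers
All four count as errors in the report's sense (correct immediately), so the
summary reproduces the shape of Graph 2: share of domains with 0, 1, 2 or
3 or more errors.
"""
from dataclasses import dataclass, field


@dataclass
class Delegation:
    """Constructed view of one domain as seen from the parent and the child zone."""
    domain: str
    parent_ns: dict                                   # server name -> glue address in the parent
    child_ns: dict                                    # server name -> address in the child zone
    soa_serials: dict = field(default_factory=dict)   # server name -> SOA serial it serves


def check_delegation(d: Delegation) -> list:
    """Return a list of error messages for one delegation (empty = no errors)."""
    errors = []
    parent, child = set(d.parent_ns), set(d.child_ns)

    # NS set inconsistency: either side lists a server the other does not.
    for ns in sorted(parent - child):
        errors.append(f"{ns} listed in parent zone but not in child zone; "
                      "the intended redundancy does not exist")
    for ns in sorted(child - parent):
        errors.append(f"{ns} listed in child zone but not in parent zone")

    # Glue mismatch: same server name, different address above and below the zone cut.
    for ns in sorted(parent & child):
        if d.parent_ns[ns] != d.child_ns[ns]:
            errors.append(f"{ns}: parent glue {d.parent_ns[ns]} differs "
                          f"from child address {d.child_ns[ns]}")

    # A single server means one outage takes the whole domain down.
    if len(parent | child) < 2:
        errors.append("only one name server found for the domain")

    # Different SOA serials: servers answer from different versions of the zone.
    if len(set(d.soa_serials.values())) > 1:
        errors.append(f"SOA serial differs between name servers: "
                      f"{sorted(set(d.soa_serials.values()))}")
    return errors


def error_distribution(delegations) -> dict:
    """Percentage of domains with 0, 1, 2 and 3 or more errors, as in Graph 2."""
    buckets = {"0": 0, "1": 0, "2": 0, "3 or more": 0}
    for d in delegations:
        n = len(check_delegation(d))
        buckets[str(n) if n < 3 else "3 or more"] += 1
    return {k: round(100 * v / len(delegations)) for k, v in buckets.items()}


# Constructed sample (documentation address ranges; none of these are real servers).
SAMPLE = [
    Delegation("good.example",
               {"ns1.good.example": "192.0.2.1", "ns2.good.example": "198.51.100.1"},
               {"ns1.good.example": "192.0.2.1", "ns2.good.example": "198.51.100.1"},
               {"ns1.good.example": 2009120101, "ns2.good.example": 2009120101}),
    Delegation("lonely.example",                       # only one name server
               {"ns1.lonely.example": "192.0.2.2"},
               {"ns1.lonely.example": "192.0.2.2"},
               {"ns1.lonely.example": 2009120101}),
    Delegation("stale.example",                        # secondary lags behind the primary
               {"ns1.stale.example": "192.0.2.3", "ns2.stale.example": "198.51.100.3"},
               {"ns1.stale.example": "192.0.2.3", "ns2.stale.example": "198.51.100.3"},
               {"ns1.stale.example": 2009120101, "ns2.stale.example": 2009113001}),
    Delegation("moved.example",                        # renumbered and renamed, parent never updated
               {"ns1.moved.example": "192.0.2.4", "ns2.moved.example": "198.51.100.4"},
               {"ns1.moved.example": "203.0.113.4", "ns3.moved.example": "203.0.113.5"},
               {"ns1.moved.example": 42, "ns3.moved.example": 42}),
]

if __name__ == "__main__":
    for d in SAMPLE:
        for msg in check_delegation(d):
            print(f"{d.domain}: ERROR: {msg}")
    print(error_distribution(SAMPLE))
```

                 In a real run the two dictionaries would be filled from NS and A/AAAA queries sent to the
                 parent’s and the child’s name servers and from an SOA query to each listed server; the
                 classification logic is the same. The "moved" domain shows how one forgotten update
                 produces three findings at once, which is why the report looks at the number of errors
                 per domain and not only at whether a domain has any error.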

                 Graph 2: Distribution of number of errors per category as a percentage

                 Category                          0 errors   1 error   2 errors   3 or more
                 All                                     77         7          9           7
                 ISP                                     87   (remaining segments, in bar order: 13)
                 Universities and colleges               85         9          3           3
                 State-owned companies                   79         3         13           5
                 Media                                   79         4         13           4
                 Government authorities                  78         8          7           7
                 Municipalities                          75         7          8          10
                 Banks and insurance companies           71        10         14           5
                 OMX30                                   70         3         17          10
                 County councils                         66   (remaining segments, in bar order: 5, 29)

                 As we might have expected, Internet Service Providers and Universities and colleges had the
                 lowest percentage of errors. We can also expect that these categories have the greatest
                 knowledge and competence of DNS and experience with its operation and administration.
                 As in the past, the County councils category continued to have a relatively high percentage
                 of errors, at 33 percent. Companies in the year’s new OMX 30 category also had many
                 errors, at 30 percent. Also, in this category, 10 percent had three or more errors.

                 We also investigated the corresponding distribution of the number of warnings in terms of
                 quantity and in each category. The results are shown in the graph below.

                 Graph 3: Distribution of the number of warnings per category as a percentage

                 Category                          0 warnings   1 warning   2 warnings   3 or more
                 All                                       52          15            8          25
                 Banks and insurance companies             67          10           10          13
                 County councils                           57          10           14          19
                 Government authorities                    54          15            7          24
                 State-owned companies                     54          26           10          10
                 Municipalities                            49          14           10          27
                 OMX30                                     48          14            3          35
                 ISP                                       40          27           13          20
                 Media                                     38           8           25          29
                 Universities and colleges                 36          36            3          25

                 The Universities and colleges category had the most warnings. Our assessment is that the
                 main reason is administrative deficiencies, such as that the e-mail addresses stated in the
                 DNS do not work. Generally, warnings were also much more common than errors. Both
                 have a negative impact on availability.

      7.3        Comparison over time – errors and warnings
                 Because we saved the raw data from previous studies, this year we had the opportunity to
                 compare this year’s results with those of the previous studies for the categories that were
                 included in the studies for all three years. Naturally, for the categories included this year for
                 the first time, we can only show results for 2009, meaning that only one red bar is shown.

                 In the following graph, we compare the number of errors over time, from 2007 to 2009.

                 Graph 4: Number of errors over time (bar chart, percent of organizations per category on
                 a 0 to 100 scale, series 2007, 2008 and 2009; only one unlabeled value per category
                 survived extraction, so the bar values are not reproduced here)

                 The graph indicates that the general situation has improved compared with the first study.
                 However, virtually no changes have occurred since 2008 for the categories County councils
                 and Government authorities. The situation is somewhat worse for Media and for Banks and
                 insurance companies, while it has improved for Internet Service Providers, Municipalities
                 and State-owned companies.

                 Graph 5: Number of warnings over time (bar chart, percent of organizations per category on
                 a 0 to 100 scale, series 2007, 2008 and 2009; only one unlabeled value per category
                 survived extraction, so the bar values are not reproduced here)

                 Looking at the overall situation, warnings declined significantly between 2007 and 2009.
                 The only exception is the Media category, which has remained essentially unchanged from
                 year to year, and the Internet Service Providers (ISP) category, in which more than half of
                 the organizations had warnings in 2009, up from 39 percent in 2008.

      7.4        Name servers’ connections to the Internet
                 This year, as in previous years, we took a closer look at which service providers the name
                 servers for the various organizations used for their Internet connections. The following
                 graph does not show which service provider operated the name servers for the domains;
                 instead, it only shows which service provider the name server used for its Internet

                 Graph 6: Allocation of ISPs – name servers’ Internet connections (percent)

                 Year     Telia    TDC    SUNET    Tele2    Telenor    Other
                 2007        22     10        9        8          7       44
                 2008        27     12       10        9          7       35
                 2009        33     17       12       12          9       17

                 We can state that a certain spread continues to exist among service providers in terms of
                 name server connections if one examines the total number of domains. However, the
                 percentage for “Other” declined significantly, from 44 percent in 2007 to 17 percent in
                 2009. Generally, an increase occurred among the largest service providers, and Telia in
                 particular appeared to increase its market domination. In 2009, Telia increased its market
                 share to 33 percent, compared with 27 percent in 2008.
                 The changes compared with 2008 are evident. However, nearly 70 percent of the domains
                 investigated had all of their name servers with a single service provider. Opinions are
                 divided as to whether or not this is a problem, but the fact remains that when the service
                 provider experiences problems with availability, the domain with the underlying services
                 also risks encountering problems.
                 For this reason, we decided to take a closer look at the extent to which those organizations
                 with more than one name server had their servers located with a single service provider.

                 Graph 7: Domains with name servers in more than one AS (Autonomous System), percent

                 All                                   35
                 OMX30                                 79
                 Media                                 71
                 Universities and colleges             48
                 Banks and insurance companies         48
                 ISP                                   40
                 Government authorities                34
                 State-owned companies                 33
                 Municipalities                        29
                 County councils                       (value not recoverable from this copy)

                 Using the graph, we can conclude that a relatively high number of organizations have their
                 name servers with a single service provider.
                 Accordingly, at first glance, the task of server operation may appear to be well-distributed
                 among service providers, but at the same time, it appears that a single service provider may
                 dominate in certain categories. In the worst case, the consequence is that an entire sector
                 may be affected if the dominating service provider encounters problems. This means that a
                 more detailed investigation of this issue may be desirable.
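                 The two measurements behind Graph 7 and the remark on a dominating provider can be
                 computed from a table that maps each name server address to the autonomous system
                 announcing it. The program below is an added example, not the report’s own method: it
                 uses a constructed prefix-to-AS table (documentation address ranges, private-use AS
                 numbers) in place of a real BGP routing table or whois lookup, and a constructed
                 category of four domains.

```python
"""Added example (not the report's own code): provider concentration of name
servers, computed offline over a constructed prefix -> AS table.

Two questions are answered, both of which the report raises:
  - per domain: are the name servers reachable through more than one AS?
  - per category: what share of domains has name servers in more than one AS,
    and how large is the largest single AS's share of the category's name
    servers (does one provider dominate the sector)?
"""
from collections import Counter

# Constructed stand-in for a routing table lookup. Addresses are from the
# documentation ranges and the AS numbers are private-use, so nothing here
# refers to a real provider.
PREFIX_TO_AS = {
    "192.0.2.": 64512,     # "provider A"
    "198.51.100.": 64513,  # "provider B"
    "203.0.113.": 64514,   # "provider C"
}


def as_for(address: str) -> int:
    """Prefix lookup reduced to a /24 string match for the constructed table."""
    for prefix, asn in PREFIX_TO_AS.items():
        if address.startswith(prefix):
            return asn
    raise KeyError(f"no AS known for {address}")


def as_set(ns_addresses) -> set:
    """Distinct autonomous systems behind one domain's name servers."""
    return {as_for(a) for a in ns_addresses}


def multi_as_share(domains) -> int:
    """Percentage of domains whose name servers sit in more than one AS (Graph 7)."""
    multi = sum(1 for d in domains if len(as_set(d["ns"])) > 1)
    return round(100 * multi / len(domains))


def dominant_as(domains) -> tuple:
    """(AS number, percentage of this category's name servers announced by it)."""
    counts = Counter(as_for(a) for d in domains for a in d["ns"])
    asn, n = counts.most_common(1)[0]
    return asn, round(100 * n / sum(counts.values()))


# Constructed sample: one small category of four domains.
CATEGORY = [
    {"domain": "a.example", "ns": ["192.0.2.10", "192.0.2.11"]},             # both in AS 64512
    {"domain": "b.example", "ns": ["192.0.2.20", "198.51.100.20"]},          # two providers
    {"domain": "c.example", "ns": ["192.0.2.30", "192.0.2.31", "192.0.2.32"]},
    {"domain": "d.example", "ns": ["203.0.113.40", "192.0.2.40"]},           # two providers
]

if __name__ == "__main__":
    print("domains with name servers in more than one AS:", multi_as_share(CATEGORY), "%")
    print("dominant AS and its share of the category's name servers:", dominant_as(CATEGORY))
```

                 The two numbers together make the report’s point: half of the constructed category has
                 name servers in more than one AS, yet one AS still announces 78 percent of all the
                 category’s name servers, so an outage at that provider would affect most of the sector.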

      7.5        Name servers with IPv6
                 Today’s Internet is dominated by IPv4 (IP version 4), which was developed as early as 1981.
                 IP addresses, the unique series of numbers that identify each connected unit on the Internet,
                 comprise 32 bits. Accordingly, with IPv4, only a total of slightly more than four billion
                 unique IP addresses can exist. As the world becomes more connected, the consequence will
                 simply be a lack of addresses on the Internet. This problem is expected to become serious in
                 The solution to the problem of a lack of addresses is to implement a new version of the
                 protocol, IPv6, with 128-bit addresses. There is no doubt at all that these IP addresses will
                 be sufficient and will remain so for a long time after the transition to IPv6 has been carried
                 out. With IPv6, IP addresses will be 128 bits long instead of 32, meaning that the total
                 number of possible addresses will be almost unlimited.
                 With IPv4, not even one IP address is available for every person in the world. With IPv6,
                 every living individual could each have 5 x 10^28 IP addresses. This means that each of us
                 could have 50,000,000,000,000,000,000,000,000,000 of our own IP addresses at our

                                                       Page 20 of 47
                                                              Reachability on the Internet
                                                              Health Status of .SE 2009


                 disposal. An ample supply of IP addresses would also open the way for applications that
                 would otherwise be difficult to implement in practice.
                 In 2009, we have seen a certain increase in activity related to IPv6, although it remains
                 highly limited. The graph below shows the categories in which IPv6 has begun to be used
                 on name servers. Generally, the increase since 2008 was very minor, but Universities and
                 colleges, service providers and Government authorities are the categories in which the most
                 progress has been made in the transition to IPv6.

                 Graph 8: Use of IPv6 on name servers (percent of domains per category)

                 All                                    9
                 Universities and colleges             61
                 ISP                                   27
                 Government authorities                18
                 County councils                        5
                 Media                                  4
                 Municipalities                         3
                 State-owned companies                  3
                 OMX30                                  3
                 Banks and insurance companies         (value not recoverable from this copy)

                 A total of 9 percent of the domains investigated had a name server that was available via
                 The lack of addresses will soon become urgent, and some believe that the number of months
                 remaining until the addresses run out is lower than the number of years it took to develop
                 the protocol. This means that it is high time to begin the transition to IPv6. Such a
                 transition is the only way to guarantee that the structure of the Internet remains stable in
                 the future. .SE is taking an active role to facilitate collaboration and coordination related to
                 the transition. Accordingly, we have launched a website for continuous reporting on IPv6
                 activities in Sweden, at

      7.6        Name servers with recursion activated
                 Open recursive name servers have very few legitimate fields of application. In fact, such
                 servers may come to be used in conjunction with Denial of Service attacks. Accordingly, we
                 strongly recommend eliminating the possibility of abusing open recursive resolvers by using
                 the methods described in the references stated in Appendix 2.
                 However, open recursive name servers remain relatively common despite the risks they pose.
                 They are most common in the Municipalities category and the Media category, as shown in
                 the graph below.

                 Graph 9: Open recursive name servers per category (percent of name servers)

                 All                                   22
                 Media                                 42
                 Municipalities                        31
                 State-owned companies                 (value not recoverable from this copy)
                 Universities and colleges             21
                 Government authorities                15
                 County councils                       14
                 OMX30                                 10
                 ISP                                    7
                 Banks and insurance companies          0

                 Between 2007 and 2008, the percentage of name servers with recursion activated declined
                 noticeably, from 40 percent to 22 percent. Unfortunately, development on this point
                 appears to have stagnated, and in 2009, the number of name servers with recursion
                 activated remained the same as in 2008.

                 Graph 10: Name servers with recursion activated, 2007-2009 (percent)

                 Year    Closed    Open    No response
                 2007        57      40              3
                 2008        78      22              0
                 2009        78      22              0

                 In other words, no progress was made in this area between 2008 and 2009, although we
                 could have expected some change not least in the wake of what was known as the Kaminsky
                 bug, which created shockwaves throughout the world (see section 7.7).

                 WORTH KNOWING
                 A recursive name server not only responds to queries about DNS entries for which it itself
                 is responsible, but also goes further and asks other name servers to respond to queries.
                 Queries can be both labor-intensive (meaning that they utilize extensive computer capacity)
                 and result in a relatively large amount of data, which means that organizations normally
                 want to limit the number of persons permitted to use the recursion function.
                 An open recursive name server responds to all queries it receives for which recursion has
                 been requested. This makes it possible for external parties to launch Denial of Service
                 attacks, for example, via the open name server by allowing these parties to submit queries
                 that will result in unusually large responses (Amplification Attacks). Combined with a false
                 sender address that leads to the response being sent somewhere else, this comprises a Denial
                 of Service attack.
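                 The Closed / Open / No response outcomes in Graph 10, and the response-size concern in
                 the box above, both follow from the DNS message header. The following is an added
                 example, not DNSCheck or .SE code: it parses the 12-byte header (RFC 1035 section 4.1.1)
                 with the Python standard library, classifies a constructed response the way a recursion
                 test would, and reports the size ratio between a query and its response. All messages are
                 constructed inline; nothing is sent on the network.

```python
"""Added example (not DNSCheck or .SE code): classify a name server's answer
to a recursive query as Closed / Open / No response by parsing the DNS
header, and compute the query-to-response size ratio. Standard library only;
all messages are constructed below.
"""
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available: the server offers recursion
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_recursion(response) -> str:
    """Outcome of a recursive query for a name the server is NOT authoritative for.

    None                     -> "No response"  (timeout, filtered, unreachable)
    RA set and an answer     -> "Open"         (it resolved the name for a stranger)
    anything else            -> "Closed"       (REFUSED, or RA clear and no answer)
    """
    if response is None:
        return "No response"
    h = parse_header(response)
    if h["qr"] and h["ra"] and h["rcode"] == "NOERROR" and h["ancount"] > 0:
        return "Open"
    return "Closed"


def amplification(query: bytes, response: bytes) -> float:
    """Bytes delivered to the (possibly spoofed) source per byte the requester sent."""
    return round(len(response) / len(query), 1)


# --- constructed messages ---------------------------------------------------
QUESTION = b"\x07example\x00" + b"\x00\x01\x00\x01"                   # example. IN A
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION     # RD set, 25 bytes


def build_response(answers: int, ra: bool = True) -> bytes:
    """Answer to QUERY carrying `answers` A records (owner name compressed to offset 12)."""
    flags = 0x8100 | (0x0080 if ra else 0)                             # QR, RD, optionally RA
    rr = (b"\xc0\x0c"                # name pointer to the question name
          + b"\x00\x01\x00\x01"      # type A, class IN
          + b"\x00\x00\x0e\x10"      # TTL 3600
          + b"\x00\x04"              # RDLENGTH 4
          + b"\xc0\x00\x02\x01")     # 192.0.2.1 (documentation range)
    return struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0) + QUESTION + rr * answers


REFUSED = struct.pack("!6H", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION    # QR, RD, RCODE=5

if __name__ == "__main__":
    print("open resolver:", classify_recursion(build_response(1)))
    print("refusing server:", classify_recursion(REFUSED))
    print("timeout:", classify_recursion(None))
    print("response/query size, 30-record answer:", amplification(QUERY, build_response(30)))
```

                 A 25-byte query that draws a 505-byte answer is delivered twenty times over to whatever
                 source address the query carried, which is the mechanism the box describes; a server
                 that answers REFUSED, or does not answer at all, sends nothing worth reflecting.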

      7.7        Use of DNSSEC
                 DNSSEC stands for DNS Security Extensions and is an expansion of DNS that ensures safer
                 Internet address look-ups for web and e-mail servers, for example. The rising importance of
                 DNS has made DNSSEC increasingly relevant. Many Internet protocols are dependent on
                 DNS, but the DNS information in the resolvers has become so vulnerable to attacks that it
                 is no longer reliable. The greater security provided by DNSSEC means that such attacks no
                 longer have an effect.
                 In 2008, researcher Dan Kaminsky made secure DNS a major item on the Internet world’s
                 agenda, and .SE thus achieved an international breakthrough for its work with more secure
                 DNS lookups. In addition, as early as autumn 2005, .SE was the world’s first national top-
                 level domain to sign its zone with DNSSEC. In 2007, it was also the first to offer a
                 commercial DNSSEC service to its domain holders or registrants.
                 In contrast to the traditional domain name system (DNS), DNSSEC look-ups carry a
                 cryptographic signature, which makes it possible to verify that the response comes from
                 the right source and that the content has not been changed during transmission. The aim
                 of the service is to ensure that domain registrants can secure their domains using DNSSEC.

                 DNSSEC is used to secure DNS from abuse and man-in-the-middle attacks including cache
                 poisoning. For several years, .SE has been a driving force for the implementation and spread
                 of DNSSEC.
                 In 2008, interest in the technology gained significant momentum. .SE caught the attention
                 of the entire Internet world by being at the leading edge of this area and being willing to
                 share its experiences. This was evident in the high level of interest we attracted in relation
                 to an international DNSSEC seminar arranged in October 2008 which attracted 150
                 participants, including from 20 top-level domains around the world.
                 The purpose of DNSSEC is to safeguard the content of the DNS using cryptographic
                 methods based on digital signatures. DNSSEC allows the user's resolver to determine
                 whether the information returned from a look-up comes from the correct source or has
                 been manipulated en route. Forged information in a zone signed with DNSSEC is therefore
                 detected by any validating resolver, provided the chain of trust from the trust anchor
                 down to the zone is complete.
                 DNSSEC is the only long-term protection against what is known as the Kaminsky bug;
                 the short-term remedy, randomizing the resolver's source ports, only raises the cost of
                 guessing. During the year, .SE provided information on vulnerabilities in DNS on a
                 special website. The site allows users to carry out such tasks as testing whether the
                 resolver they are using is susceptible to the Kaminsky bug and whether DNSSEC is
                 being used for a given domain.
                 For ordinary users, DNSSEC reduces the risk of being defrauded, for example when
                 conducting bank transactions or shopping on the Internet, because a validating resolver
                 will not accept a forged address for the bank or store. Note that DNSSEC only protects the
                 name-to-address mapping; that the server reached really is the bank's is established by
                 the server's TLS certificate (section 9.3), not by DNSSEC.

                 However, it is important to note that DNSSEC does not stop all types of fraudulent
                 activity. It is only designed to detect attacks in which attackers manipulate responses to
                 DNS queries for their own gain.
                 A number of other security problems on the Internet remain that DNSSEC cannot solve,
                 including Distributed Denial of Service (DDoS) attacks.
                 DNSSEC protects against pharming (redirecting a DNS look-up to the wrong computer by
                 forging DNS data) and similar attacks on the DNS itself. Against phishing (websites that
                 resemble or are identical to genuine websites in order to trick users into revealing passwords
                 and personal data) it helps only where the attack relies on manipulated DNS answers; a
                 look-alike domain that resolves correctly is unaffected. DNSSEC does not prevent attacks at
                 other levels, such as the IP or network level.
      7.7.3      .SE’S ROLE IN DNSSEC
                 Pending the signing of the root, meaning the parent zone of .se, .SE's role apart from signing
                 the .se zone file is to serve as the trust anchor for the Swedish part of the Internet: validating
                 resolvers configure .SE's key-signing key as the starting point of their verification chain, and
                 the signed .se zone in turn vouches for the keys of the zones beneath it.
                 Signing means that .SE assumes responsibility for managing and publishing the DS records
                 that point to the keys of the underlying zones. This is comparable with the management
                 of NS records in the DNS.
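                 How a DS record ties a child zone's key to its parent, as an added example that is not
                 from the report or from .SE's tooling: the DS digest is a hash over the owner name in wire
                 form followed by the DNSKEY RDATA, and the key tag is the RFC 4034 checksum of that
                 RDATA. The zone name example.se. and the four key bytes are placeholders (not a real RSA
                 key), so the digests here are only meaningful relative to each other; the check itself is the
                 one a validating resolver performs at every delegation.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical owner name: lower-cased, length-prefixed labels, terminated by a zero byte."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA (RFC 4034 section 2): flags, protocol (always 3), algorithm, key bytes.
    Flags 257 = zone key with the SEP bit set, i.e. a key-signing key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words and fold in the carry.
    (Algorithm 1, RSA/MD5, uses a different rule and is not handled here.)"""
    acc = 0
    for i in range(0, len(rdata), 2):
        acc += (rdata[i] << 8) + (rdata[i + 1] if i + 1 < len(rdata) else 0)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS RDATA for a DNSKEY: digest = H(owner name in wire form || DNSKEY RDATA).
    Digest type 1 is SHA-1, type 2 is SHA-256 (RFC 4509)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_presentation(owner, ds):
    """The record as the parent publishes it, e.g. 'example.se. IN DS 2063 8 2 ABCD...'."""
    return f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def verify_chain_link(owner, child_rdata, parent_ds):
    """What a validating resolver does at each delegation: the child's DNSKEY must hash to a
    DS record that the parent zone publishes (and has signed with its own keys)."""
    computed = ds_from_dnskey(owner, child_rdata, parent_ds["digest_type"])
    return all(computed[k] == parent_ds[k]
               for k in ("key_tag", "algorithm", "digest_type", "digest"))


def demo():
    # Constructed key material: the 'public key' bytes are a placeholder, not a real RSA key.
    ksk = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))        # algorithm 8 = RSA/SHA-256
    ds = ds_from_dnskey("example.se.", ksk)
    tampered = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 5]))   # one bit of the key changed
    return {"ds": ds_presentation("example.se.", ds),
            "genuine_ok": verify_chain_link("example.se.", ksk, ds),
            "tampered_ok": verify_chain_link("example.se.", tampered, ds)}


if __name__ == "__main__":
    print(demo())
```

                 Publishing the DS is the registry's part of the job; what the resolver does with it (check
                 the DS against the child's DNSKEY, then check the RRSIGs made with that key) needs the
                 public-key signature verification that this example leaves to a full validator.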
                 Among the domains we studied in 2009, slightly less than three percent were signed with
                 DNSSEC. Municipalities, county councils and government authorities led the way in this
                 As a comparison, slightly less than 2,000 domains in the entire .SE domain have currently
                 introduced DNSSEC. This figure continues to rise, but not at the rate we consider desirable.
                 Globally, 12 top-level domains have been signed, and specific plans exist to sign the root.
                 The schedule indicates that this will be accomplished in mid-2010.
                 Further information about DNSSEC can be found in Appendix 3.
      7.7.5      OPENDNSSEC
                 After .SE noted that the lack of high-quality, accessible tools in the market for signing zone
                 files with DNSSEC was a barrier for many parties who wished to begin implementing
                 DNSSEC, a development project was launched in conjunction with some of the foremost
                 developers in the area. The result was OpenDNSSEC, a turnkey program for implementing
                 and operating DNSSEC. OpenDNSSEC signs the zone data immediately before it is
                 published on an authoritative name server: it takes an unsigned zone file, generates and
                 rolls the keys, adds the signatures and the other DNSSEC records (DNSKEY, RRSIG,
                 NSEC/NSEC3) and passes the signed zone on to the authoritative name servers. For further
                 information on OpenDNSSEC, see Appendix 3.

      8          Important parameters for e-mail
      8.1        Support for transport security (TLS)
                 To ensure the secure exchange of information between e-mail servers, transport security
                 should be added to the communication. Of the organizations investigated in 2009, slightly
                 less than half, or 45 percent, had support for TLS/SSL (STARTTLS) on their e-mail servers.
                 This means that many organizations are still not taking satisfactory action to protect their
                 e-mail traffic from being read by external parties, although the situation has improved. In
                 practice, all mail server software now features built-in support for this purpose.
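                 The test behind this figure, as an added example that is not the report's own tool: a server
                 "supports TLS" when its EHLO reply advertises the STARTTLS extension. The two EHLO replies
                 are constructed here (mx.example.se is an invented host); check_mx() performs the live
                 version with the standard library's smtplib and is not run offline.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from any of the surveyed servers).
EHLO_WITH_STARTTLS = (b"250-mx.example.se Hello client.example.net\r\n"
                      b"250-SIZE 52428800\r\n"
                      b"250-STARTTLS\r\n"
                      b"250-8BITMIME\r\n"
                      b"250 HELP\r\n")
EHLO_WITHOUT_STARTTLS = (b"250-mx.example.se Hello client.example.net\r\n"
                         b"250-SIZE 52428800\r\n"
                         b"250 8BITMIME\r\n")


def parse_ehlo_extensions(reply):
    """Parse an EHLO reply (RFC 5321): '250-keyword' lines continue, '250 keyword' ends it.
    Returns {KEYWORD: parameters}, or None if the server rejected EHLO."""
    lines = reply.decode("ascii", "replace").splitlines()
    if not lines or not lines[0].startswith("250"):
        return None
    extensions = {}
    for line in lines[1:]:  # line 0 is the server's greeting, not an extension
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            break
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params
        if line[3] == " ":
            break
    return extensions


def supports_starttls(reply):
    """The criterion behind graph 11: the server advertises STARTTLS in its EHLO reply."""
    extensions = parse_ehlo_extensions(reply)
    return extensions is not None and "STARTTLS" in extensions


def check_mx(host, port=25, timeout=10):
    """Live check (not run offline): EHLO, look for STARTTLS, upgrade, report the TLS version.
    With a default context smtplib verifies the certificate against `host`; a failure is
    reported rather than hidden, since a bad certificate is itself a finding."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250 or not smtp.has_extn("starttls"):
            return {"starttls": False}
        try:
            smtp.starttls(context=ssl.create_default_context())
        except ssl.SSLError as exc:
            return {"starttls": True, "tls_ok": False, "error": str(exc)}
        smtp.ehlo()  # RFC 3207: the session restarts after STARTTLS, so EHLO again
        return {"starttls": True, "tls_ok": True, "tls_version": smtp.sock.version()}


if __name__ == "__main__":
    print("with:", supports_starttls(EHLO_WITH_STARTTLS))
    print("without:", supports_starttls(EHLO_WITHOUT_STARTTLS))
```

                 Note that an advertised STARTTLS only shows the receiving side is able to encrypt; whether
                 the sending side insists on it, and what it does when the offer is missing, is not visible from
                 the outside.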

                 Graph 11: E-mail servers with support for TLS (percent of organizations in each category)

                     All                               45
                     Media                             67
                     Banks and insurance companies     (value not legible in the source)
                     OMX30                             59
                     State-owned companies             (value not legible in the source)
                     Municipalities                    45
                     Government authorities            40
                     Universities and colleges         39
                     County councils                   38
                     ISP                               33

                 The graph below indicates the trend for the past three years. The percentage of e-mail
                 servers with support for TLS was higher in 2009 than in 2007, although it dipped in 2008.

                 Graph 12: E-mail servers with support for TLS, 2007-2009 (percent)

                     Year    Yes    No
                     2007    40     60
                     2008    34     66
                     2009    45     55

                 WORTH KNOWING
                 Transport Layer Security (TLS) is an open standard for the secure exchange of information.
                 TLS offers confidentiality (encryption) and correctness (data integrity), and also, depending
                 on how it is used, authenticity protection (assurance of the source). The older version of the
                 method is called Secure Sockets Layer (SSL).
                 The uses of TLS/SSL include the transmission of e-mail (Simple Mail Transfer Protocol, or
                 SMTP) and the establishment of secure connections between web browsers and websites.

      8.2        Location of e-mail servers
                 In 2009, the e-mail servers of 29 percent of the organizations investigated were located
                 outside Sweden. This is a higher figure than in 2008, but lower than in 2007.
                 The following graph shows the percentage of e-mail servers located in Sweden, divided by

                 Graph 13: Percentage of organizations with e-mail servers in Sweden

                     All                               71
                     County councils                  100
                     Universities and colleges         87
                     Government authorities            76
                     ISP                               76
                     State-owned companies             70
                     Municipalities                    70
                     Banks and insurance companies     59
                     Media                             56
                     OMX30                             47

                 The main reason for locating servers outside Sweden probably remains the same, that is to
                 say that organizations engage third-party suppliers to handle the filtering of viruses and
                 spam. For the OMX30 category, the reason may also be that the companies are
                 multinational, with centralized IT operations located in countries other than Sweden.
                 When the e-mail servers of such organizations as government authorities and municipalities
                 are located outside Sweden, a consequence is that the e-mail communication of these public
                 administrations passes through a foreign country on its way to the recipient.

                 Graph 14: Percentage of organizations with e-mail servers located in Sweden, 2007-2009

                     Year    In Sweden    Abroad
                     2007        55         45
                     2008        77         23
                     2009        71         29

                 The graph shows that the percentage of e-mail servers located outside Sweden has increased
                 since 2008. The most common locations outside Sweden are primarily EU countries,
                 although some servers are located in the US and Canada.
                 In summary, we can state that it remains common for organizations to send their e-mail
                 outside Sweden for “washing.”
                 At the same time, we know that it continues to be the case that very few of the
                 organizations investigated use encryption for transport security of their e-mail. Only 45
                 percent of the domains investigated accept transport security using encryption for incoming
                 e-mail, although we are unable to say whether they use this function for outgoing e-mail
                 (section 8.1).
                 One of the goals of this part of the study was to show that there could be consequences for
                 e-mail sent from Swedish companies and organizations when Sweden begins applying the
                 regulations formulated in the highly controversial FRA law (law on signal surveillance),
                 recently passed by the Swedish Parliament. Having e-mail servers located abroad means de
                 facto that the information will pass Sweden’s borders and then return, which will make it
                 more or less impossible to determine whether it is Swedish traffic.
                 This also means that foreign intelligence services can eavesdrop on the traffic in the
                 equivalent manner. The location of servers outside Sweden means that all information passes
                 Sweden’s borders, which entails that foreign governments and others can very easily access
                 information that can be perceived as sensitive from various perspectives. It is impossible to
                 determine the level of awareness of this problem among those responsible for the
                 organizations and, if they are aware of the problem, whether they have carried out analyses
                 of the consequences.

                 WORTH KNOWING
                 E-mail is most commonly transmitted in ordinary written text and is, accordingly, often
                 compared with postcards. A few years ago, a standard for transmitting e-mail with transport
                 security was introduced; it can most closely be compared with continuing to send postcards
                 but locking the “mail van” during transport. This means that anyone attempting to
                 read the e-mail en route between the post offices cannot see what is being sent. E-mail
                 transport security is usually known as STARTTLS. It is worth knowing that STARTTLS is
                 normally used opportunistically: the sending server only encrypts if the receiving server
                 offers it, and an attacker who can alter traffic can remove the offer, so it protects against
                 passive eavesdropping rather than against an active attacker.
                 Additional protection is required if the sender wants to send an e-mail that no one else can
                 read, not even those responsible for the e-mail system (those who “work at the post
                 office”). In that case, the entire letter is encrypted, “gluing the envelope shut and sending it
                 by registered letter,” to continue the postal analogy. The two most common methods for
                 this type of end-to-end encryption are PGP and S/MIME.

      8.3        Action against spam
                 The standard protocol for sending e-mail, SMTP, makes it possible to send messages using
                 any domain as the sender address. Several different solutions exist aimed at limiting the
                 ability of spam to reach recipients by attempting to verify that the sender of the message is
                 Sender Policy Framework – SPF
                 SPF gives the domain registrant the option of publishing rules in the DNS (a TXT record
                 beginning with v=spf1) that specify the computer addresses from which e-mail from the
                 domain is to originate. When a receiving e-mail server receives a message, it checks the
                 domain of the envelope sender (MAIL FROM), not the From: header the user sees, against
                 the SPF information in the DNS according to the rules there. If the message comes from a
                 sending server that is not published in the rules, the receiving server interprets this as an
                 indication that something is
                 Based on this information, the receiving server can determine the fate of the message, for
                 example refuse to accept it or sort it as spam. The SPF standard itself does not define what
                 happens to messages that fail SPF validation; the qualifier on the record's all term (-all,
                 ~all) only states how strongly the domain asserts its policy.

                 Graph 15: Use of SPF (percent of organizations in each category)

                     All                               26
                     County councils                   52
                     Banks and insurance companies     38
                     Universities and colleges         33
                     OMX30                             31
                     Government authorities            26
                     State-owned companies             26
                     Municipalities                    25
                     ISP                               20
                     Media                             13

                 A total of 26 percent of the organizations investigated use SPF. County councils top the list
                 at over 50 percent.
                 In the currently applicable measurement, we only consider whether or not the domain has
                 an SPF item published. We do not assess the content, except to verify that it is an SPF item.
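                 Both the measurement ("does the domain publish an SPF record?") and the receiving server's
                 evaluation described above, as an added example that is not the report's own code. The TXT
                 data is an invented in-memory table standing in for DNS look-ups, and the evaluator
                 implements only the ip4, ip6, include and all mechanisms of RFC 4408; a, mx, exists, ptr,
                 redirect= and macros are left out, so it is a reduced check_host(), not a full one.

```python
import ipaddress

# Constructed TXT data standing in for live DNS look-ups; every record here is invented.
TXT_RECORDS = {
    "example.se": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "nospf.example.se": ["google-site-verification=not-an-spf-record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, txt=TXT_RECORDS):
    """The study's criterion: a TXT record whose version tag is 'v=spf1'. RFC 4408 requires
    exactly one such record; zero or several means there is no usable policy."""
    found = [t for t in txt.get(domain, []) if t.lower().split(" ", 1)[0] == "v=spf1"]
    return found[0] if len(found) == 1 else None


def check_host(ip, domain, txt=TXT_RECORDS, depth=0):
    """Reduced RFC 4408 check_host(): ip4, ip6, include and all, evaluated left to right;
    the first matching mechanism decides."""
    if depth > 10:
        return "permerror"  # RFC limit on DNS-querying terms; also stops include loops
    record = spf_record(domain, txt)
    if record is None:
        return "none"
    address = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if address.version == network.version and address in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches only if the included policy says pass; its fail does not propagate
            if check_host(ip, argument, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not implemented in this example
    return "neutral"  # record ran out without an 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, check_host(ip, "example.se"))
```

                 The example.se policy ends in -all, so a message from an unlisted address fails; the
                 included provider's policy ends in ~all, which is a softfail for its own domain but, as the
                 comment notes, never turns into a fail for the domain that includes it.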
                 Domain Keys Identified Mail - DKIM
                 Domain Keys Identified Mail (DKIM) is a standard that protects selected parts of an e-mail
                 header and the content of an e-mail message from being modified by a third party. The
                 sending system computes a hash (a control total) of these parts and signs it with a
                 private key. The corresponding public key, which is needed to verify the signature, is
                 published by the sender in its DNS under the name <selector>._domainkey.<domain>.
                 The DKIM signature is sent with the message as part of the e-mail header (DKIM-Signature).
                 The receiving software recomputes the hash of the message received and validates it
                 against the signature and the public DKIM key. As a result, any changes can be detected.
                 Author Domain Signing Practices (ADSP) is used to detect unauthorized removal of the
                 signature. Using ADSP, the sender can inform the recipient whether or not the domain in
                 question signs all its messages. This information is also distributed via the sender's DNS.
                 ADSP has been a proposed standard since August 2009. Its function is documented in
                 RFC 5617. In brief, the RFC defines a type of record that can announce whether a domain
                 signs its outgoing e-mail and how other servers can access and interpret this information.

                 By searching for the public DKIM keys, it is possible to find out which domains sign their
                 e-mail using DKIM. However, the method used to find these domains cannot distinguish
                 between domains that use DKIM and those that use its predecessor, DomainKeys. The main
                 reason is that DKIM and DomainKeys publish their keys in the same place and in a similar
                 format.
                 Because of the way the DKIM standard is designed (the key is found under a selector name
                 that only the sender knows), it is not possible to determine exactly whether or not a domain
                 uses DKIM. Using the measurement method we used in the study, it is still possible to
                 obtain an answer that is close to the true status. In 2007, the DKIM standard was relatively
                 new. At that time, we could not see any use of it worth noting.
                 In the 2008 study, we found only two domains with DKIM activated, and in principle, the
                 result for 2009 is equally poor.
                 It is also possible to combine the SPF and DKIM technologies if desired. However, in this
                 year’s study, we chose not to look into how many organizations chose to do this.
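                 The receiver-side half of DKIM that needs no key, as an added example that is neither the
                 report's code nor a DKIM library: canonicalize the body as the signature's c= tag says and
                 compare its hash with the bh= tag, which catches body tampering before any RSA work is
                 done. It also shows why the study could not tell DKIM keys from DomainKeys keys. The
                 message is constructed with an empty body so that bh= is the SHA-256 of nothing; the b=
                 value is a placeholder, and verifying it needs the key at sel2009._domainkey.example.se
                 (an invented selector and domain) and an RSA implementation such as dkimpy.

```python
import base64
import hashlib
import re

# Constructed message with an empty body, so bh= is the SHA-256 of the empty string.
MESSAGE = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.se; s=sel2009;\r\n"
           b"\th=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
           b"\tb=AAAA\r\n"
           b"From: <info@example.se>\r\n"
           b"To: <someone@example.net>\r\n"
           b"Subject: test\r\n"
           b"\r\n")


def relaxed_body(body):
    """RFC 6376 3.4.4: collapse runs of WSP to one space, strip trailing WSP on each line,
    drop empty lines at the end, end with CRLF (an empty body canonicalizes to nothing)."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ")
             for line in body.replace(b"\r\n", b"\n").split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def simple_body(body):
    """RFC 6376 3.4.3: only remove empty lines at the end; an empty body becomes a single CRLF."""
    return body.replace(b"\r\n", b"\n").rstrip(b"\n").replace(b"\n", b"\r\n") + b"\r\n"


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lower-case name, unfold, collapse WSP, strip, no WSP around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def body_hash(body, canon="relaxed", algorithm="sha256", length=None):
    """bh= value: base64 of the hash over the canonical body (first `length` bytes if l= is set)."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    if length is not None:
        canonical = canonical[:length]
    return base64.b64encode(hashlib.new(algorithm, canonical).digest()).decode()


def parse_tags(value):
    """tag=value list; whitespace inside values (including folding) is not significant."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def verify_body_hash(raw):
    """Check bh= against the actual body: True/False, or None if there is no usable signature."""
    head, _, body = raw.partition(b"\r\n\r\n")
    match = re.search(rb"^DKIM-Signature:(.*?)(?=\r\n[^ \t]|\Z)", head, re.I | re.M | re.S)
    if not match:
        return None
    tags = parse_tags(match.group(1).decode("ascii", "replace"))
    if tags.get("v") != "1" or "bh" not in tags:
        return None
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"  # 'c=relaxed' alone: simple body
    algorithm = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_canon, algorithm, length) == tags["bh"]


def key_record_kind(txt):
    """Why the study could not separate DKIM from DomainKeys: both publish 'k=rsa; p=<key>'
    under <selector>._domainkey.<domain>, and the v=DKIM1 tag that would settle it is optional."""
    tags = parse_tags(txt)
    if "p" not in tags:
        return None
    return "dkim" if tags.get("v") == "DKIM1" else "dkim-or-domainkeys"


if __name__ == "__main__":
    print(verify_body_hash(MESSAGE), verify_body_hash(MESSAGE + b"tampered"))
```

                 An l= tag deserves attention in practice: it lets a signature remain valid when content
                 is appended after the first l bytes of the body, which is exactly what a verifier that stops
                 at bh= would miss if it ignored the tag.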

                 WORTH KNOWING
                 Sender Policy Framework (SPF) is a method for preventing e-mail messages from being sent
                 with a false domain name in the sender address, that is to say with the sender using an
                 address other than his or her own as the sender address. Read more about SPF on the SPF
                 project's website.
                 Another method for preventing this phenomenon is Domain Keys Identified Mail (DKIM).
                 DKIM is based on cryptography; the sender's post office signs (“stamps”) all outgoing post.
                 Recipients can, in turn, verify this stamp.
                 DKIM is a relatively new standard.
                 The purpose of DKIM is to counteract phishing, which is a type of spam with a false sender
                 used to trick Internet users into providing sensitive information.

      9          Key parameters for web servers
                 Information and services provided via web interfaces have become increasingly common,
                 and many organizations are entirely dependent on having functional web services that are
                 accessible to their customers or to citizens in the community. Actions can be taken to
                 ensure redundancy for web services. It can be a good idea to consider these if critical
                 functions are provided online.

      9.1        Connection of web servers
                 If all of an organization's name servers are connected to a single service provider, it makes
                 no difference whether the web servers are also located with this provider: if the name
                 servers' provider experiences availability problems, the domain cannot be resolved and the
                 web servers are unreachable regardless of where they are. If the name servers are located
                 with two different service providers, the organization could also consider locating the web
                 servers with a third service provider to ensure the greatest possible

      9.2        Software for web servers
                 This year, as in past years, we looked at which software for web servers was used in the
                 organizations investigated. The clearly dominant software remained Microsoft Internet
                 Information Server (Microsoft IIS) and Apache. Other software had more or less disappeared
                 from the scene. The fluctuations between 2008 and 2009 are difficult to explain in any
                 simple manner without carrying out a deeper investigation of the material. Currently, we
                 see this as less interesting. What could be interesting to note is that the dominance of
                 Microsoft software among the organizations investigated has no equivalent either in the .se
                 zone as a whole (section 10) or internationally.

                 Graph 16: Software used for web servers (percent)

                     Year    Microsoft IIS    Apache    Lotus Domino    Other
                     2007         59            29           4           8
                     2008         37            21           2          40
                     2009         58            32           3           7

      9.3        Support for transport security
                 Using certificates and the accompanying encryption keys, a web browser can establish
                 secure, encrypted communication with the web server.
                 For a user who wants to contact a Swedish government authority or a bank, for example, it
                 is important to know that the server being contacted is the correct server, and that the user
                 has not for some reason connected to the wrong service or server due to an incorrect
                 configuration or intentional fraud.
                 One of the methods used for this purpose is Transport Layer Security (TLS). TLS/SSL
                 gives users the opportunity to check that a connection has been made with the correct server
                 or service. (See section 8.1 above, Worth Knowing, for a description of TLS/SSL.)
                 The web browser checks that the host name entered in the address bar matches a name in
                 the server's certificate (its subject name or one of its alternative names) and that the
                 certificate chains to a trusted issuer. If the names do not match, the user receives a warning
                 that something may be wrong, as shown in the example below.

                 In the 2007 study, only 25 percent of the web servers investigated had support for TLS/SSL,
                 while the corresponding figure for 2008 was 75 percent. The studies cannot be compared
                 from year to year, because we changed the method used to contact the web servers. In 2009,
                 we only tested what response we received to an HTTP and an HTTPS GET for the domain
                 names in the test group with “www.” prepended.
                 A total of 663 domains were included in the study material for 2009. Of these, 165 web
                 servers (25 percent) answered over HTTPS and presented a certificate. Of these
                 25 percent, 78 percent had certificates issued by an issuer (Certification Authority) that
                 could be seen as recognized and generally accepted. Our definition of “approved” was
                 inclusion in the list of root certificates installed in the Mozilla Firefox web browser. Most of
                 the certificates were issued by Verisign, Thawte, Equifax and Comodo.

                 Certificates presented over TLS, by issuer: recognized CA 78 %, unrecognized CA 22 %.

                 A consequence of using certificates that are either issued by the registrant itself (self-signed)
                 or by a CA not deemed recognized or generally accepted is that visitors to these websites
                 have no way to verify that they have reached the correct website: the connection is still
                 encrypted, but it could equally well be encrypted to an impostor, and users who are trained
                 to click past the warning lose the protection entirely.
                 It is also insufficient to have a certificate issued for the web server. The certificate must also
                 fulfill certain fundamental requirements that should be met by this type of security
                 mechanism. For example, the certificate must be within its validity period, it must be signed
                 with a secure algorithm, its keys must be sufficiently long, and so on.
                 Of the websites investigated, we can state that more than 20 have certificates that are
                 invalid because they have not been renewed during the validity period. One of these
                 certificates expired five years ago, in July 2004, but is still used because it de facto returns
                 responses via HTTPS.
                 The measurement of web servers was carried out on several occasions. During the
                 measurement period in autumn 2009, it was interesting to see how a Swedish government
                 authority’s certificate passed its final validity period without any action being taken by the
                 A very small number of web servers used what are known as EV certificates (extended
                 validation), which are a type of certificate that convey increased visual support in web
                 browsers to show that the certificate is approved and that the issuer has been reviewed more
                 carefully than an ordinary server certificate.
                 A surprisingly high number of web servers use certificates whose signatures are based on
                 MD5 as the hash algorithm. Researchers have carried out successful collision attacks on this
                 algorithm: by obtaining a legitimately signed certificate and constructing a second,
                 colliding certificate with the same MD5 hash, they produced a false CA certificate that can
                 be used to issue certificates for arbitrary websites. The consequence is that a web browser
                 cannot detect the falsification, but instead accepts these false certificates and displays a
                 locked padlock indicating a secure connection, without warnings.

                 WORTH KNOWING
                 MD5 is a hash function that takes a bit string of arbitrary length and creates a “fingerprint”
                 with a defined length. An important characteristic of a hash function is that a minor change
                 in the bit string creates a completely different result. The hash value (result) should not
                 reveal anything about the content of the bit string. In other words, the hash function should
                 be a one-way function which is easy to calculate one way but difficult, if not impossible, to
                 calculate the other way. A collision occurs when two different bit strings result in the same
                 hash value. A digital signature is comprised of a hash value which, in RSA, is encrypted
                 with a private key. The signature is validated by comparing the hash value that is
                 recalculated with the hash value that is decrypted with the public key. Thus, if a collision
                 can be generated, it is possible to falsify a signature. Weaknesses in MD5 have been
                 recognized since the end of the 1990s. The attacks that have been carried out leave no doubt
                 that MD5 must be replaced.
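                 As an added illustration (not from the report) of the last point in the box and of the
                 collision attacks described above, the signature scheme the box describes in Python: the
                 digest is deliberately truncated to 16 bits so that a collision, and with it a second message
                 that the same signature validates, can be produced in a fraction of a second. The RSA
                 parameters, messages and the name weak_digest are constructed toy values.

```python
import hashlib

# Toy RSA parameters (constructed for this example): two Mersenne primes stand in
# for properly generated primes. Far too small for real use.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# MD5 is 128 bits; the digest is truncated to 16 bits here only so that a
# collision can be found almost instantly. The structure of the signature
# scheme (hash, then RSA with the private key) is exactly as in the box above.
DIGEST_BITS = 16


def weak_digest(data: bytes) -> int:
    """Fixed-length fingerprint of an arbitrary-length bit string (toy: truncated MD5)."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - DIGEST_BITS)


def sign(data: bytes) -> int:
    """Textbook RSA signature: the digest is 'encrypted' with the private key."""
    return pow(weak_digest(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Recompute the digest and compare it with the digest recovered with the public key."""
    return pow(signature, E, N) == weak_digest(data)


def avalanche_bits(a: bytes, b: bytes) -> int:
    """How many of the 128 MD5 output bits differ between two inputs (full MD5, not truncated)."""
    x = int.from_bytes(hashlib.md5(a).digest(), "big")
    y = int.from_bytes(hashlib.md5(b).digest(), "big")
    return bin(x ^ y).count("1")


def colliding_message(original: bytes, template: bytes) -> bytes:
    """Return a variant of `template` whose weak digest equals that of `original`.

    With a 16-bit digest a linear search over a counter succeeds after roughly
    65,000 tries; with a sound 128-bit hash the same search would need about
    2**128 tries, which is why the strength of the hash carries the whole scheme.
    """
    goal = weak_digest(original)
    counter = 0
    while True:
        candidate = template + b" #" + str(counter).encode()
        if weak_digest(candidate) == goal:
            return candidate
        counter += 1


if __name__ == "__main__":
    # Constructed messages: what the signer meant to sign, and a different statement.
    signed = b"subject: www.example.se"
    other = colliding_message(signed, b"subject: www.other.example")
    sig = sign(signed)
    print("one changed byte flips", avalanche_bits(b"abc", b"abd"), "of 128 MD5 bits")
    print("same digest for different inputs:", weak_digest(signed) == weak_digest(other))
    print("signature for the first message validates the second:", verify(other, sig))
```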

                 About 40 domains use what are known as wildcard certificates, or certificates that are
                 unrelated to the domain name. A wildcard SSL certificate activates SSL encryption on
                 several subdomains using a single certificate, provided that the domains are controlled by a
                 single organization and have a single main domain. Sharing certificates among domains is
                 far from risk-free, in part because:
                     • If security at one server or subdomain has been compromised, there is a risk that all
                         subdomains have also been compromised.
                     • If wildcard certificates must be replaced, all subdomains will also require new
                 The best solution to the problem is simply to use a unique certificate for each server instead
                 of using wildcard certificates.
                 Five of the certificates reviewed were usable for CA (Certification Authority) purposes,
                 meaning that it was possible to create new certificates from them.
                 A number of certificates were configured with relatively short RSA keys, 512 bits, while the
                 most common key lengths are currently 1,024 and 2,048 bits, respectively.
                 It surprised us that the handling of certificates in the test groups’ web environment was of
                 such poor quality in all respects as shown in the study. This type of encryption use has
                 existed for some time and is apparently common. Among the organizations included in the
                 study, we had expected better results, primarily in terms of the use of valid, current
                 certificates issued by credible issuers. In this part of the study, we want to state that
                 substandard use of web certificates undermines the credibility of this type of security
                 Anything that results in a user having to click on icons that in practice mean “Yes, I know
                 that this doesn’t add up, but let me proceed anyway”, including self-signed certificates or
                 certificates that are no longer valid, which combined comprise between 25 and 33 percent
                 of all certificates, contributes to the establishment of a poor security culture among Internet
                 users. This counteracts the fundamental concept behind server certificates – namely users’
                 ability to know with complete certainty that they are connected to the correct server.

                 All organizations that, on their websites, request some form of information from users, such
                 as a login, personal information, user information, payment information, credit card
                 numbers, telephone numbers, etc. should use TLS/SSL with certificates issued by generally
                 accepted certificate issuers, which are installed in the most common web browsers. These
                 organizations must have an individual with internal responsibility for such tasks as
                 monitoring when certificates expire and must be renewed. In addition, they can consider:
                 -      Using the longest RSA keys possible.
                 -      Using EV certificates where possible.
                 -     Avoiding the use of wildcard certificates for web services, especially for subcontracted
                     operation of web hotels or cloud services, where organizations do not control their own
                     key material and certificates.
                 -      Using hardware support to save private keys for sensitive web servers.
                 At, those who use certificates
                 to protect web services can check whether a website has adequate security in terms of SSL.

      10         Comparison with the .se zone as a whole
                 In the 2009 study, we examined a cross-section of randomly selected domains from the .se
                 zone to check whether our test group was better or worse than the .se zone as a whole. In the
                 graphs below, “All” represents the current test group, while “Entire .se zone” represents the
                 random selection of 10,000 domains from a version of the zone file dated October 1, 2009.
                 Above all, we examined the breakdown of errors and warnings, and how the test group –
                 which included several critical functions and organizations – compared with the .se zone as
                 a whole.

                 Graph 17: Number of errors and warnings (percent of domains with 0, 1, 2, or 3 or more)

                                          0 errors/warnings     1      2     3 or more
                 Errors
                   All                           77             7      9         7
                   Entire .se zone               65             7     12        16
                 Warnings
                   All                           52            15      8        25
                   Entire .se zone               56             5      8        31

                 Apparently, no major differences exist, although the number of errors appears to be lower in
                 our test group than in the .se zone as a whole.
                 The major differences first become apparent when we examine the other specific areas we
                 have reviewed more closely, apart from the parameters we associate with DNS quality in
                 accordance with the definition in section 5. In the test group, the number of organizations
                 using SPF is higher, as is the number of organizations using recursive name servers, the
                 number using DNSSEC and the number protecting their e-mail with TLS. The conclusions
                 that can be drawn from these results are not immediately apparent. Additional, more
                 specific studies are required.
                 However, we can note, for example, that the number of organizations using IPv6 is much
                 higher in the test group than in the .se zone as a whole. A probable partial explanation is
                 that seen in Graph 8: universities and colleges have made more progress than other
                 organizations in the implementation of IPv6. Another part of the explanation could be that

                 municipalities and government authorities have framework agreements with suppliers that
                 are based on specifications of requirements that include the use of IPv6.

                 Graph 18: Use of IPv6, recursive name servers, use of DNSSEC and TLS e-mail (percent,
                 scale 0 to 100), Health status 2009 test group versus the entire .se zone

                 The same explanation probably applies for the major difference between which software is
                 used for web servers; in the test group, Microsoft IIS dominates, while the trend in the .se
                 zone as a whole resembles that seen in the rest of the world in that Apache is the dominant
                 software. Systems that feature public procurement and framework agreements contribute to
                 a homogenization of the IT environments of public administrations which may not always
                 be optimal.

                 Graph 19: Software for web servers (percent)

                                          Microsoft IIS    Apache    Lotus Domino    Other
                   All                          58            32           3           7
                   Entire .se zone              28            67           5 (remaining share)

      11         Advice and recommendations
                 After carrying out a new round of tests with relatively similar results to those carried out in
                 2008, we continue to see the same considerable need for much greater coordination of
                 different stakeholders for improved security on the Swedish part of the Internet. In
                 particular, we see opportunities for extensive efficiency gains and cost savings.
                 Primarily, we believe that organizations in public administration should be able to agree on
                 recommendations and a plan of action for the following activities:

                 •   Critical resources in Sweden should have name servers that are connected to several
                     service providers simultaneously, for example with the use of Anycast technology. At a
                     central level, someone must establish a definition of critical resources.

                 •   Consider the possibility of setting up shared secondary DNS operations for critical
                     services, for example through the Swedish Internet nodes where these could be
                     connected as an extra measure to create redundancy. Such a function could be regulated
                     through an agreement.

                 •   Establish a shared function for virus “decontamination” and spam removal located in
                     Sweden. This would be more efficient and would probably result in resource savings. It
                     would also mean that government authority information would not leave the country.

                 •   Issue guidelines on what is acceptable in terms of managing spam and virus
                     decontamination in public administrations. It should be unacceptable for Swedish
                     government authorities and municipalities to send their e-mail abroad, at least not
                     without the establishment of relevant, uniform requirements for transport security and

                 •   Issue recommendations stating that e-mail servers for critical operations at Swedish
                     government authorities and utilities should be physically located in Sweden to protect
                     the traceability of information sent between government authorities and to protect
                     against the consequences of what is known as the FRA law.

                 •   Establish requirements for public administrations regarding the use of both e-mail and
                     web servers with TLS for source and transport security.

                 •   Make all services available with IPv6 and establish long-term plans for a systematic
                     transition to IPv6 in the entire public administration.

                 •   Protect web servers with certificates issued by generally accepted certificate issuers and
                     maintain control of their validity.
                 For public administrations, it should be possible to address several of these activities in the
                 framework of the e-delegation’s task. In addition to the above activities, further actions
                 should be taken, including at the service provider level, to strengthen Internet
                 infrastructure. Primarily, these actions are the responsibility of the Swedish Post and
                 Telecom Agency, as the supervising authority, and relate to setting requirements for the
                 service providers.

                 Appendix 1 – Industry standard for high-quality
                 DNS service
                 For the more technically skilled reader, we have provided in this appendix a more detailed
                 description of the industry standard for high-quality DNS service in terms of
                 recommendations. You can easily test your domain yourself on .SE’s website.

                 .SE has further developed the DNSCheck tool so that it is now also possible to carry out
                 what are known as undelegated domain tests. An undelegated domain test is a test carried
                 out on a domain that can be (but does not have to be) entirely published in DNS. This
                 function is highly useful, for example if a domain registrant plans to move a domain from
                 one name server operator to another. For example, let us say that the domain is
                 to be moved from the name server “” to the name server “”. In this case, an
                 undelegated domain test can be carried out on the domain ( using the name
                 server to which the domain will be moved ( BEFORE the move itself is
                 implemented. When the test shows a green light, it is probably certain that the domain’s
                 new home at least knows that it should respond to queries regarding the domain. However,
                 errors in the zone information may still exist and may not be detected by this test.
                 This function is available in both Swedish and English at:
                 1. AT LEAST TWO NAME SERVERS
                 Recommendation: DNS data for a zone should be located on at least two separate name
                 servers. For reasons of availability, these name servers should be logically and physically
                 distinct so that they are located in different service-provider networks in different
                 autonomous systems (AS).
                 Explanation: At least two functioning name servers should exist for each underlying
                 domain. They should be listed as NS entries for the domain in question. They should be
                 physically separate and located in different network segments to obtain optimum
                 functionality. This will ensure that the domains continue to function even if one of the
                 name servers stops functioning.
                 Consequence: When the sole server or sole service provider experiences a disruption, the
                 DNS service will be rendered unreachable for the domain on that server or in the service
                 provider’s network. Accordingly, the services from the domain will not be reachable, even if
                 they are located with entities other than the organization’s own name server operator.

                 Recommendation: All of the NS entries listed in the overlying zone (.se or equivalent) to
                 point out (delegate) a certain domain should also simultaneously exist in the underlying
                 Explanation: NS entries are used in the overlying zone to transfer responsibility for
                 (delegate) a certain domain to other servers. According to the DNS documentation, this list
                 of computers should also be found in the zone file that “receives” the responsibility and that
                 contains other data about the zone. The lists must be kept synchronized so that all NS
                 entries included in the parent zone are also found in the child zone. The list in the parent zone

                 is not automatically updated; it is only updated after a “manual” report is submitted to the
                 responsible registration unit. If changes are required that entail a change to the overlying
                 zone, the administrative contact for the underlying zone shall immediately inform the
                 registration unit.
                 Consequence: If the parent zone contains information about the child zone that de facto
                 does not exist in the child zone, this means that anyone submitting queries about the
                 domain will not receive a response, resulting in an impact on availability.
                 3. AUTHORITY
                 Recommendation: All name servers listed with NS entries in a delegated zone shall
                 assume authoritative responsibility for the domain.
                 Explanation: When checking the subdomain servers, it should be possible to obtain
                 consistent and repeatable authoritative responses for SOA and NS entries for the subdomain.
                 This applies to all servers listed in the underlying zone’s DNS for the domain in question.
                 Consequence: The DNS usually functions even if this error exists. However, an error
                 existing in a zone indicates weaknesses in the procedures of the party responsible for the
                 content of the domain’s DNS.
                 Recommendation: All name servers listed with NS entries in the delegated zone shall
                 respond with the same serial number in the SOA entry for the domain.
                 Explanation: The serial number in the SOA entry is a type of version number for the zone,
                 and if the servers have the same serial numbers for their zones, this indicates that they are
                 synchronized. This is controlled by sending SOA-entry queries to each server and
                 comparing the serial numbers of the responses. SOA stands for Start of Authority.
                 Consequence: If the name servers are not synchronized and do not have the same version of
                 the zone file, the entity submitting a query about a domain risks not receiving a response.
                 Availability is affected.
                 5. CONTACT ADDRESS
                 Recommendation: The zone contact address in the SOA entry must be reachable.
                 Explanation: The SOA entry for a domain includes, along with other sub-entries, an e-mail
                 address that is to serve as a contact point if the administrator of the domain in question
                 needs to be reached. In simple checks, e-mail servers for the e-mail address shall not provide
                 obvious error messages (for example “user unknown”). In more detailed checks, it should be
                 possible to send test messages to the address and receive responses to these within three
                 Consequence: The reason for having a current e-mail address for contacts is that it must be
                 possible to quickly call attention to problems relating to the reachability of a domain. If
                 such an address does not exist, it will become more difficult to solve problems arising in the
                 DNS due to an individual domain.
                 6. REACHABILITY
                 Recommendation: All NS entries in the underlying zone must be reachable for DNS
                 traffic from the Internet.
                 Explanation: The NS entries for a domain comprise the list of the computers that function
                 as name servers for the domain. All listed servers must be reachable via the Internet at all of
                 the addresses listed in the corresponding address entries in the DNS for the computers in
                 Consequence: If a name server is not reachable despite its name being included in the list
                 of name servers that respond to queries about a domain, this means that entities submitting
                 queries will not receive responses. Availability will be affected.
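                 As an added example (not the report's or DNSCheck's own code), the checks behind
                 recommendations 1, 2, 3, 4 and 6 above applied to constructed answers from a zone's name
                 servers. A real checker would first obtain these answers by sending SOA and NS queries to
                 every server listed in the parent zone; that network step is left out. The host names,
                 serial numbers and AS numbers are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class NsAnswer:
    """What one name server listed for a zone answered when queried (constructed data)."""
    reachable: bool                          # answered DNS traffic from the Internet (rec. 6)
    authoritative: bool = False              # AA flag set on its SOA/NS answers (rec. 3)
    soa_serial: Optional[int] = None         # serial from its SOA record (rec. 4)
    ns_names: FrozenSet[str] = frozenset()   # NS set the server publishes for the zone (rec. 2)
    asn: Optional[int] = None                # autonomous system of the server's address (rec. 1)


def check_delegation(parent_ns: Set[str], answers: Dict[str, NsAnswer]) -> List[str]:
    """Return the recommendation number and a short reason for every check that fails."""
    errors: List[str] = []
    listed = {name: answers[name] for name in sorted(parent_ns) if name in answers}

    # Rec. 1: at least two name servers, in different autonomous systems.
    if len(parent_ns) < 2:
        errors.append("1: fewer than two NS entries in the parent zone")
    asns = {a.asn for a in listed.values() if a.asn is not None}
    if len(parent_ns) >= 2 and len(asns) < 2:
        errors.append("1: all listed name servers sit in the same autonomous system")

    # Rec. 6: every listed server must answer; checks 2-4 apply only to those that do.
    reachable = {name: a for name, a in listed.items() if a.reachable}
    for name in sorted(parent_ns):
        if name not in reachable:
            errors.append(f"6: {name} is listed in the parent zone but does not respond")

    for name, a in reachable.items():
        # Rec. 2: the parent's NS list must also be present in the child zone.
        missing = sorted(parent_ns - a.ns_names)
        if missing:
            errors.append(f"2: {name} does not publish parent NS entries {missing}")
        # Rec. 3: answers for the zone must be authoritative.
        if not a.authoritative:
            errors.append(f"3: {name} does not answer authoritatively for the zone")

    # Rec. 4: all authoritative servers must serve the same version of the zone.
    serials = {a.soa_serial for a in reachable.values()
               if a.authoritative and a.soa_serial is not None}
    if len(serials) > 1:
        errors.append(f"4: SOA serial numbers differ across servers: {sorted(serials)}")
    return errors


# Constructed sample: a delegation that follows the recommendations
# (AS numbers from the documentation range, not real providers) ...
GOOD_PARENT_NS = {"ns1.example.se", "ns2.example.se"}
GOOD_ANSWERS = {
    "ns1.example.se": NsAnswer(True, True, 2009100101, frozenset(GOOD_PARENT_NS), asn=64496),
    "ns2.example.se": NsAnswer(True, True, 2009100101, frozenset(GOOD_PARENT_NS), asn=64497),
}

# ... and one with a stale secondary, a missing NS entry in the child zone and an
# unreachable server, all placed in a single provider's network.
BAD_PARENT_NS = {"ns1.example.se", "ns2.example.se", "ns3.example.se"}
BAD_ANSWERS = {
    "ns1.example.se": NsAnswer(True, True, 2009100101, frozenset(BAD_PARENT_NS), asn=64496),
    "ns2.example.se": NsAnswer(True, True, 2009093001,
                               frozenset({"ns1.example.se", "ns2.example.se"}), asn=64496),
    "ns3.example.se": NsAnswer(False, asn=64496),
}

if __name__ == "__main__":
    print("good delegation:", check_delegation(GOOD_PARENT_NS, GOOD_ANSWERS))
    for problem in check_delegation(BAD_PARENT_NS, BAD_ANSWERS):
        print("bad delegation:", problem)
```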

                 Appendix 2 – Open recursive name servers
                 The fundamental problem is not actually open recursive name servers, but the fact that
                 service providers do not filter traffic by sender addresses. If they did, then open recursive
                 resolvers might not be considered a problem. Since such filtering is relatively difficult and
                 costly to implement, we need to attempt to limit the damage caused by DDOS attacks in
                 the meantime until the service providers have managed to solve the fundamental problem.
                 We consider closing a recursive resolver to be a worthwhile and simple task for many
                 organizations, since it will help ease problems arising from DDOS attacks.
                 Pointers for further information
                 The following links provide high-quality, informative material about DDOS and open
                 recursive name servers.
                 Secure Domain Name System (DNS) Deployment Guide

                 DNS Amplification attacks
                 An excellent description of how these attacks occur and what they entail.

                 Official advice from the US CERT
                 The Continuing Denial of Service Threat Posed by DNS Recursion

                 ISC BIND. Here you can find source codes and binaries for BIND and links to highly
                 interesting and useful information.

                 BIND 9 Administrator Reference Manual.
                Includes examples of configuration, practical tips and detailed descriptions of BIND

                 Appendix 3 – More information about DNSSEC
                 In recent years, all the new threats against DNSs have led to DNSSEC becoming
                 increasingly relevant to organizations. The most important known threats to a DNS include
                 cache poisoning and pharming. Pharming means that someone directs the actual content of
                 a DNS to incorrect servers. In practical terms, this means that an Internet address, such as
                 that of a bank, can be redirected to a completely different server, but for the visitor, the
                 address field continues to appear to be the correct server.
                 Cache poisoning means that a situation is created – either by launching an attack or
                 unintentionally – that provides a name server with DNS data that does not come from an
                 authoritative source. One of the most recent examples of this in 2008 was the much-
                 discussed Kaminsky bug.
                 There is no doubt that DNSs need to become more secure. DNSSEC is a long-term solution
                 that protects against several types of manipulation of DNS queries and responses
                 transmitted between different servers in the domain name system.
                 With .se, Sweden was the first country in the world to commence the functioning
                 implementation of DNSSEC. .SE’s DNSSEC services and products are presented under the
                 logo below.

                 For further information on .SE’s DNSSEC service, see
                 At the following website, .SE provides additional information on DNS vulnerabilities:
                 The website’s functions include allowing users to check whether the resolver they are using
                 is vulnerable to the Kaminsky bug and whether DNSSEC is used for a domain.
                 Here are some pointers to further information:

                 Information on DNSSEC and the advances in both its use and the tool.

                 A practical guide on how to implement DNSSEC.

                 News from the DNSSEC Deployment Initiative is distributed regularly at:
                 Development project – OpenDNSSEC
                 DNS is relatively complex, as are electronic signatures. Naturally, the combination of these
                 in DNSSEC is also complex. The purpose of OpenDNSSEC is to manage these difficulties
                 and relieve system operators of responsibility for them once the operators have set up the

                 By participating in the development of a turnkey system for signing zone files with
                 DNSSEC, .SE hopes to facilitate the spread of DNSSEC.

                 OpenDNSSEC is being developed in the framework of a collaboration among .SE, Nominet,
                 NLNet Labs, SIDN, SURFnet, Kirei and John Dickinson. Further information is available
                 at The software, which is openly available, can also be downloaded
                 from and tested at
