DNSSEC adoption increasing, but still extremely low

Despite a recent upswing in the adoption of DNSSEC, the actual number of "zones" that have been signed for the protocol is still low, making most organizations vulnerable, according to a new survey.

DNSSEC, a set of security extensions that authenticate DNS data to defend against attacks such as cache poisoning, uses cryptographic digital signatures so that the answers a resolver receives can be verified as genuine, ensuring that the server to which a user believes they are connecting is the correct one rather than an impostor.

A sixth annual DNS survey from network infrastructure and control solutions provider Infoblox, conducted by The Measurement Factory, found that DNSSEC adoption increased by 340 percent this year. However, just 0.02 percent of zones are currently signed for the standard.

“Adoption is increasing, but it is still pretty paltry,” Cricket Liu, vice president of architecture at Infoblox, told SCMagazineUS.com on Monday. “I'd hoped the needle would have shifted more substantially because the .org zone was signed.”

What makes DNSSEC adoption particularly cumbersome is that for end-users and website owners to benefit, every link in the DNS chain must participate: the root, the top-level domains (such as .com and .org) and the second-level domains (such as google.com), as well as the internet service providers that run the DNS servers users query. Each zone must be signed with a public and private "key pair" so that its data can be authenticated.

DNSSEC was enabled at the root zone this summer.

The .org top-level domain (TLD) began supporting DNSSEC in June, Liu said. In addition, the .net TLD is expected to soon follow, while the .com and .edu TLDs are expected to be signed by early next year.

In the Infoblox survey, almost a quarter of the zones that have currently been DNSSEC-signed failed validation because their signatures had expired, Liu said.

“So that means even our very small percentage adoption rate is overcounting it because about a quarter aren't in production because they don't validate correctly,” he said.

As a result, the large majority of organizations with a web presence are vulnerable to cache poisoning attacks, by which a cybercriminal directs users to the website of their choosing without the user even realizing it. There, users can, for instance, be stripped of banking credentials or be forced to download malware.
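The expired-signature finding above is worth checking for in one's own zones, since a validating resolver treats an expired RRSIG exactly like a forged one and the zone disappears for everyone who validates. The following is an added example, not code from the article or from Infoblox: it parses RRSIG records in zone-file presentation format, applies the validity-window rule (a signature is usable only when inception <= now <= expiration), and flags signatures that are expired, not yet valid, or about to expire. The zone names, key tag, timestamps and signature strings are constructed sample data; only the time window is checked, not the signature bytes.

```python
"""Audit DNSSEC RRSIG validity windows from zone-file text.

Added example (not from the article or from Infoblox). It reports which
signatures a validating resolver would reject as expired or not yet valid,
and which are close enough to expiry to need re-signing now.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records: names, key tag and signature strings are made up.
SAMPLE_RRSIGS = """\
example.org. 3600 IN RRSIG A 8 2 3600 20101215000000 20101115000000 12345 example.org. c2lnbmF0dXJlMQ==
example.org. 3600 IN RRSIG SOA 8 2 3600 20101105000000 20101006000000 12345 example.org. c2lnbmF0dXJlMg==
www.example.org. 3600 IN RRSIG A 8 3 3600 20101125000000 20101105000000 12345 example.org. c2lnbmF0dXJlMw==
mail.example.org. 3600 IN RRSIG MX 8 3 3600 20110101000000 20101201000000 12345 example.org. c2lnbmF0dXJlNA==
"""

# Fixed "current time" for the sample run (constructed, matches the sample data).
REFERENCE_TIME = datetime(2010, 11, 20, tzinfo=timezone.utc)


def parse_timestamp(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG presentation-format line into its named fields."""
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": fields[0],
        "type_covered": fields[4],
        "algorithm": int(fields[5]),
        "labels": int(fields[6]),
        "original_ttl": int(fields[7]),
        "expiration": parse_timestamp(fields[8]),
        "inception": parse_timestamp(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
        "signature": "".join(fields[12:]),  # base64 may be split across fields
    }


def classify(sig, now, warn_within=timedelta(days=7)):
    """Apply the RFC 4035 section 5.3.1 time check: the signature is usable
    only when inception <= now <= expiration. Anything else fails validation."""
    if now < sig["inception"]:
        return "not_yet_valid"
    if now > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn_within:
        return "expiring_soon"
    return "valid"


def audit(zone_text, now, warn_within=timedelta(days=7)):
    """Return one (owner, type_covered, status, days_left) tuple per RRSIG."""
    report = []
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and zone-file comments
        sig = parse_rrsig(line)
        status = classify(sig, now, warn_within)
        days_left = (sig["expiration"] - now).total_seconds() / 86400
        report.append((sig["owner"], sig["type_covered"], status, round(days_left, 1)))
    return report


def failing_fraction(report):
    """Share of signatures a validating resolver would reject at 'now'."""
    bad = sum(1 for _, _, status, _ in report if status in ("expired", "not_yet_valid"))
    return bad / len(report) if report else 0.0


if __name__ == "__main__":
    rows = audit(SAMPLE_RRSIGS, REFERENCE_TIME)
    for row in rows:
        print("%-20s %-4s %-14s %6.1f days" % row)
    print("failing validation: %.0f%%" % (100 * failing_fraction(rows)))
```

Run against a real zone by feeding it the output of a zone transfer or a `dig ... RRSIG` query saved to a file, with `now` set to the current UTC time; anything reported as expiring_soon is the signal to re-sign before the zone goes dark for validating resolvers.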

While thought of as a new standard to some, DNSSEC has been around since the mid-1990s. In its latest form, it is several years old.

“The standard has really been nailed down – there are several implementations of it,” Liu said. “If you want to deploy a signed zone, you have several choices in tools.”

However, in some cases, the tools are relatively difficult to use, he said. In addition, there is an education gap – many of those responsible for managing zones do not understand DNSSEC. And the economic climate is another factor that is likely holding back adoption. Because of the downsizing that has occurred at many organizations, IT security professionals have fewer resources to throw at DNSSEC.

But with the TLDs all expected to be signed by early next year, 2011 will be a “make or break” year for DNSSEC, Liu said.

“If we don't see substantial adoption at the end of 2011, it is hard to see DNSSEC being successful in the long term without regulation [requiring it],” he said.
