DNSSEC adoption increasing, but still extremely low

Despite a recent upswing in the adoption of DNSSEC, the actual number of "zones" that have been signed for the protocol is still low, making most organizations vulnerable, according to a new survey.

DNSSEC, a set of security extensions that provide authentication of DNS data to defend against attacks such as cache poisoning, uses cryptographic digital signatures to ensure that the server a user believes they are connecting to is the correct one.

A sixth annual DNS survey from network infrastructure and control solutions provider Infoblox, conducted by The Measurement Factory, found that DNSSEC adoption increased by 340 percent this year. However, just 0.02 percent of zones currently are signed for the standard.

“Adoption is increasing, but it is still pretty paltry,” Cricket Liu, vice president of architecture at Infoblox, told SCMagazineUS.com on Monday. “I'd hoped the needle would have shifted more substantially because the .org zone was signed.”

What makes DNSSEC adoption particularly cumbersome is that for end-users and website owners to benefit, all members of the DNS chain must participate. These are the root, the top-level domains (such as .com and .org), and second-level domains (such as google.com), as well as internet service providers, which maintain DNS servers. Each zone must be authenticated and signed through the creation of a public and private “key pair.”

DNSSEC was enabled at the root zone this summer.

The .org top-level domain (TLD) began supporting DNSSEC in June, Liu said. In addition, the .net TLD is expected to soon follow, while the .com and .edu TLDs are expected to be signed by early next year.

In the Infoblox survey, almost a quarter of the zones that have currently been DNSSEC-signed failed validation because their signatures had expired, Liu said.

“So that means even our very small percentage adoption rate is overcounting it because about a quarter aren't in production because they don't validate correctly,” he said.
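One of the failure modes Liu describes is signatures that have expired. The following Python check, added here as an illustration and not taken from the article or from Infoblox, parses RRSIG records in the presentation format printed by `dig +dnssec` (the sample records are constructed) and flags signatures that are expired, not yet valid, or within a week of expiry.

```python
"""Flag expired or soon-to-expire DNSSEC signatures in RRSIG records.
Hypothetical monitoring check (not from the article or Infoblox); input is
RRSIG records in zone-file presentation format, as printed by `dig +dnssec`.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample for example.org: one current RRSIG, one expired.
SAMPLE_RRSIGS = """\
example.org. 3600 IN RRSIG A 8 2 3600 20101201000000 20101101000000 12345 example.org. AbCd==
example.org. 3600 IN RRSIG NS 8 2 3600 20100901000000 20100801000000 12345 example.org. EfGh==
"""

def parse_ts(ts):
    # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return (owner, type covered, inception, expiration) for one RRSIG line."""
    f = line.split()
    # Fields: owner ttl class RRSIG type-covered alg labels orig-ttl
    #         expiration inception key-tag signer signature...
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return f[0], f[4], parse_ts(f[9]), parse_ts(f[8])

def check_signatures(text, now, warn_days=7):
    """Classify each RRSIG as 'ok', 'expiring', 'expired' or 'not-yet-valid'
    using the RFC 4035 validity rule: inception <= now <= expiration."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, covered, inception, expiration = parse_rrsig(line)
        if now < inception:
            status = "not-yet-valid"
        elif now > expiration:
            status = "expired"
        elif expiration - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((owner, covered, status))
    return results

if __name__ == "__main__":
    now = datetime(2010, 11, 15, tzinfo=timezone.utc)  # fixed clock, reproducible run
    for owner, covered, status in check_signatures(SAMPLE_RRSIGS, now):
        print(owner, covered, status)
```

Run against a live zone by piping the RRSIG lines of `dig +dnssec` output into `check_signatures` with the real current time; a zone whose signatures come back "expired" will fail validation exactly as the survey describes.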

As a result, the large majority of organizations with a web presence are vulnerable to cache poisoning attacks, by which a cybercriminal directs users to the website of their choosing without the user even realizing it. There, users can, for instance, be stripped of banking credentials or be forced to download malware.

While some think of it as a new standard, DNSSEC has been around since the mid-1990s. In its latest form, it is several years old.

“The standard has really been nailed down – there are several implementations of it,” Liu said. “If you want to deploy a signed zone, you have several choices in tools.”

However, in some cases, the tools are relatively difficult to use, he said. In addition, there is an education gap – many of those responsible for managing zones do not understand DNSSEC. And the economic climate is another factor that is likely holding back adoption. Because of the downsizing that has occurred at many organizations, IT security professionals have fewer resources to throw at DNSSEC.

But with the TLDs all expected to be signed by early next year, 2011 will be a “make or break” year for DNSSEC, Liu said.

“If we don't see substantial adoption at the end of 2011, it is hard to see DNSSEC being successful in the long term without regulation [requiring it],” he said.
