Security Strategy, Plan, Budget

DNSSEC adoption increasing, but still extremely low

Despite a recent upswing in the adoption of DNSSEC, the actual number of "zones" that have been signed for the protocol is still low, making most organizations vulnerable, according to a new survey.

DNSSEC, a set of security extensions that provide authentication of DNS data to defend against attacks such as cache poisoning, uses digital, cryptographic signatures to ensure that the server to which a user believes they are connecting is the correct one.

A sixth-annual DNS survey from network infrastructure and control solutions provider Infoblox, conducted by The Measurement Factory, found that DNSSEC adoption increased by 340 percent this year. However, just .02 percent of zones currently are signed for the standard.

“Adoption is increasing, but it is still pretty paltry,” Cricket Liu, vice president of architecture at Infoblox, told on Monday. “I'd hoped the needle would have shifted more substantially because the .org zone was signed.”

What makes DNSSEC adoption particularly cumbersome is that for end-users and website owners to benefit, all members of the DNS chain must participate. These are the root, the top-level domains (such as .com and .org), and second-level domains (such as, as well as internet service providers, which maintain DNS servers. Each zone must be authenticated and signed through the creation of a public and private “key pair.”

DNSSEC was enabled at the root zone this summer.

The .org top-level domain (TLD) began supporting DNSSEC in June, Liu said. In addition, the .net TLD is expected to soon follow, while the .com and .edu TLDs are expected to be signed by early next year.

In the Infoblox survey, almost a quarter of the zones that have currently been DNSSEC-signed failed validation because their signatures had expired, Liu said.

“So that means even our very small percentage adoption rate is overcounting it because about a quarter aren't in production because they don't validate correctly,” he said.

As a result, the large majority of organizations with a web presence are vulnerable to cache poisoning attacks, by which a cybercriminal directs users to the website of their choosing without the user even realizing it. There, users can, for instance, be stripped of banking credentials or be forced to download malware.

While thought of as a new standard to some, DNSSEC has been around since the mid-1990s. In its latest form, it is several years old.

“The standard has really been nailed down – there are several implementations of it,” Liu said. “If you want to deploy a signed zone, you have several choices in tools.”

However, in some cases, the tools are relatively difficult to use, he said. In addition, there is an education gap – many of those responsible for managing zones do not understand DNSSEC. And the economic climate is another factor that is likely holding back adoption. Because of the downsizing that has occurred at many organizations, IT security professionals have fewer resources to throw at DNSSEC.

But with the TLDs all expected to be signed by early next year, 2011 will be a “make or break” year for DNSSEC, Liu said.

“If we don't see substantial adoption at the end of 2011, it is hard to see DNSSEC being successful in the long term without regulation [requiring it],” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.