U.S. Government misses DNSSEC deadline
by Steve Ragan - Jan 25 2010, 09:00
Network World recently published a report based on research from DNS vendor Secure64, which said that 80 percent of the federal domains (.gov) were lacking when it came to implementing DNSSEC (DNS Security Extensions).
The lack of DNSSEC on .gov domains is interesting because the Office of Management and Budget (OMB) issued a mandate requiring every federal agency to implement it before the end of 2009. The OMB issued this mandate because of Dan Kaminsky’s discovery of cache poisoning flaws in DNS. Kaminsky is noted for pointing out that DNSSEC was the only long-term fix for the flaws he discovered.
Secure64 looked at 360 federal domains and discovered that only twenty percent showed signs of digital signatures on their domains, the hallmark of an implemented DNSSEC deployment.
“Eighty percent don't have any signatures up there. One can speculate about why that is. They may be working on it but haven't pushed the signatures into production yet. All you can tell from the outside looking in is that there's no evidence of progress on the DNSSEC mandate,” Mark Beckett, vice president of marketing for Secure64, told Carolyn Duffy Marsan in an exclusive interview for Network World.
DNSSEC will prevent DNS attacks that make it trivial for a domain to be spoofed, and while there is a mandate for .gov domains to use it, other top-level domains such as .com and .net are being switched over as well.
According to VeriSign, the process for switching to DNSSEC on the .com and .net domains is moving along nicely. There have been some problems, they said, but the problems so far were to be expected.
In 2009, VeriSign announced that they would start with a smaller-scale DNSSEC implementation and progressively increase it in size until it was complete, adding that they anticipated completing the DNSSEC implementation on .net and .com by the first quarter of 2011.
“Successfully implementing DNSSEC will involve the entire Internet ecosystem, from registrars and ISPs to browser vendors. Because the reliable operation of .com and .net is crucial around the world, we must take a cautious and orderly approach to this roll-out. VeriSign is committed to helping registrars and ISPs make the implementation decisions that are right for them,” said Ken Silva, CTO of VeriSign at the time.
The Network World story is here.
