Skip Links

5 years after major DNS flaw is discovered, few US companies have deployed long-term fix

DNSSEC adoption stalls outside of federal government

By , Network World
January 29, 2013 06:35 AM ET

Page 2 of 3

"There are lots of products and services available that make DNSSEC deployment easy. I don't think that's the barrier," Beckett says. "Companies only have so much money to work on security initiatives. This is not the top one that people are focused on."

Universities, which are often at the cutting edge of network technology, are similarly slow at deploying DNSSEC. Of 346 university domains monitored by NIST, only 17 have fully deployed DNSSEC. Leaders include Bucknell University, University of California Berkeley and Indiana University. Laggards include Harvard University, Yale University and Princeton University.

The only sector in the United States that is deploying DNSSEC is the federal government, which is required by law to do so. Federal agencies were under a mandate from the Office of Management and Budget to have supported DNSSEC by Dec. 31, 2009.

Recent surveys show the majority of U.S. federal agencies have met that mandate:

  • Secure64 found that 65% of the 359 agencies it tested were signing their domains and that 80% of these organizations had fully deployed DNSSEC standards.
  • Similarly, NIST found that 76% of the 1,396 U.S. government domains tested had operational DNSSEC, and another 5% were in progress of deploying this standard.

"We've helped government agencies deploy DNSSEC in a matter of weeks, once the decision of vendor is made," Beckett says. "I'm hopeful that at least within the banking sector some of the major banks will cross this threshold in 2013 and will have deployed DNSSEC by January 2014."

Comcast says it has experienced few technical problems with its DNSSEC deployment, which covers all of its residential customers.

"Within our online forums and other public places and in the DNSSEC community, we've received very positive reviews of our DNSSEC service and the lack of issues associated with it," Griffiths says. "It's been well received within the DNSSEC community and our customer base."

However, Griffiths notes that while Comcast's residential customers are protected by DNSSEC, few of its small or midsize business customers are asking for the add-on security measure.

"We're certainly investigating products and services to support that," Griffiths says. "We want to roll out something that ... adds automation to help them roll this out themselves, so they are getting the benefit of using our DNS cache resolvers but are signing their own domains."

Griffiths says he sees momentum for DNSSEC among top-level domains; for example, Canada in January began signing its .ca top-level domain. But he expects it to take several years before DNSSEC is widely deployed by U.S. corporations.

"I absolutely expect banks, other companies and ISPs to take advantage of it," Griffiths says. "It takes time and planning, and I would expect it to roll out slowly. ... We've proven that DNSSEC can be rolled out at scale, and we hope people will follow our lead."

[ MORE: 6 signs that the U.S. is overtaking the world at IPv6 ]

One barrier to DNSSEC deployment is that it is extremely difficult for content delivery networks (CDNs) to sign data dynamically as is required by the standard. That's why popular CDNs such as Akamai and Limelight haven't fully deployed DNSSEC yet.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News