5 years after major DNS flaw is discovered, few US companies have deployed long-term fix

DNSSEC adoption stalls outside of federal government

By , Network World
January 29, 2013 06:35 AM ET

Page 3 of 3

Consider the case of Akamai, which carries between 15% and 30% of all Web traffic and supports 20 top global e-commerce sites, 30 top media companies and 8 of the top 10 U.S. banks. Akamai offers DNSSEC support on its Enhanced DNS Service, but it has been working for several years to figure out how to support the emerging security standard on its core content delivery service.

"For our DNS mapping service, we have end users coming from all over the world to 150,000 servers. That's a pretty sizeable and interesting DNS file," explains Andy Ellis, chief security officer of Akamai. "The way that DNSSEC was written was that DNS was a static file. Most organizations have a small zone file that doesn't change more than once a month. ... The DNS file that we use has roughly 3.2 billion [resource records] to give out and sign, and we change them every 20 seconds. ... For us, we're getting into really gross numbers, and we're working on ways to improve that."

Ellis concedes that "DNSSEC is important to do" but says that few of Akamai's corporate clients are asking for it or are interested in verifying their DNS traffic at this point in time. "What we see catching a lot more steam is the migration to [Secure Sockets Layer], which is still not perfect but it is a significant step in improving security," Ellis says.

The only segment of Akamai customers asking for DNSSEC is federal agencies, Ellis says.

"The e-commerce sites don't care much because they have a huge [worry] about denial-of-service attacks," Ellis says. "Financial services firms are very concerned about failure. They are very concerned about a bad client deployment of DNSSEC that would cause them to go dark. So they are putting in enhanced validation with SSL."

Ellis says U.S. companies responded to the disclosure of the Kaminsky flaw by patching their DNS software with easy workarounds rather than taking the time to deploy DNSSEC, which is a more complete but also a more complex solution.

"I don't think the Kaminsky flaw is that big of an issue right now," Ellis says. "DNSSEC doesn't solve the problems that are very real to [U.S. companies] ... like rolling denial of service attacks and phishing-based fraud. That's where we see a lot more of their time and energy being spent."
