Half of federal Web sites fail DNS security test

Most agencies more than a year behind in meeting DNSSEC mandate

Half of U.S. government Web sites are vulnerable to commonplace DNS attacks because they haven't deployed a new authentication mechanism that was mandated in 2008, a new study shows.

The Office of Management and Budget (OMB) issued a mandate requiring federal agencies to deploy an extra layer of security — called DNS Security Extensions or DNSSEC — on their .gov Web sites by Dec. 31, 2009.

However, an independent study conducted this month shows that 51% of agencies are out of compliance with the requirement to deploy DNSSEC, which is also necessary for high marks in agency report cards under the Federal Information Security Management Act or FISMA.


DNSSEC is an Internet standard that prevents hackers from hijacking Web traffic and redirecting it to bogus sites. It allows Web sites to verify their domain names and corresponding IP addresses using digital signatures and public key encryption.

In order to be effective, DNSSEC must be deployed across the entire Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .gov, .com and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

DNSSEC was enabled in the root zone last July. More than a dozen top-level domains - including .org for non-profits, .edu for universities and .net for networking companies - support the standard.

Related Events: DNS gains added measure of security starting today 

Secure64 Software Corp., a DNS vendor, tested 360 federal agencies for evidence of digital signatures on their .gov domains. The company ran the same test a year ago and found that only 20% of federal Web sites were in compliance with the DNSSEC mandate.

"We checked which ones of those Web sites were signed, which is the first step to deploying DNSSEC," says Mark Beckett, vice president of marketing and product management for Secure64. "Last year, that number was 20%. This year, that number is 49%."

2010 DNSSEC Survey 

Secure64's findings show progress on the DNSSEC front, with the number of federal agencies digitally signing their domains having more than doubled. "But if you think the government should be fully deployed by now, it's a disappointing number," Beckett added.

Secure64 examined only .gov domains, eliminating federal Web sites that end in .mil, .com or .org from its research because the OMB mandate only applies to .gov Web sites.

"The sample size is large enough that these numbers are very believable and conceivable with what we see out in the market," Beckett says.

Leaders in DNSSEC deployment include the State Department, which is 100% compliant, and the Department of Labor, which is 90% compliant, according to the Secure64 survey.

Among the agencies that appear to be lagging in DNSSEC deployment include the Treasury Department, which is signing only one of its dozen subdomains.

Beckett says agencies are even further behind in establishing a chain of trust with their parent domains, which is the second step in DNSSEC deployment after signing a DNS zone.

"Of the folks with signed domains...only about 20% have established a chain of trust with their parent," Beckett says. "The fact that more than half of the agencies have not yet signed and an even larger percentage haven't established their chain of trust tells you the difficulty for anybody - including federal agencies - in deploying this. It's evidence of the complexity of doing this."

Secure64 sells automated systems for DNSSEC deployment; a typical customer spends less than $100,000 on their systems.

Other vendors sell DNSSEC services built into broader product suites, such as IP address management offerings from Infoblox and BlueCat Networks or load balancing systems from F5.

DNSSEC will continue to be in the news this year because VeriSign has committed to supporting the security technology in the .com domain in March. The Internet's largest domain, .com has more than 90 million registered domain names, according to the latest VeriSign Domain Name Industry Brief.

Background on VeriSign's DNSSEC plans

"I think the .com signing is a really important event," Beckett says. "I think it's going to create a much bigger market for products and services that make DNSSEC easier. You can see from our statistics that deploying DNSSEC hasn't been the easiest thing. I think you'll see more and more companies like ours that offer products and services that take the pain out of DNSSEC."

The types of DNS attacks that DNSSEC would eliminate are widespread. More than half of IT decision makers report being victims of DNS-based attacks during the last two years, according to a July 2010 survey by Forrester Research. Among the most common forms of DNS attacks are man-in-the-middle attacks and DNS cache poisoning - both of which could be eliminated by DNSSEC.

The U.S. government isn't the only sector dragging its feet on DNSSEC deployment. Only 11% of the nearly 300 IT decision makers surveyed by Forrester Research had adopted DNSSEC, and these IT decision makers represented financial services firms, ISPs, content providers, e-commerce sites and public-sector organizations.

"DNSSEC is not widely known or deployed, but the majority of those who know DNSSEC plan to adopt," the Forrester Research survey said.

Copyright © 2011 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022