
80% of government Web sites miss DNS security deadline

Opinions differ as to whether Dec. 31, 2009, deadline was realistic

By , Network World
January 21, 2010 05:00 AM ET

Page 2 of 3

OMB's DNSSEC mandate applies to executive branch departments and agencies that run .gov Web sites. (The Defense Department's .mil Web sites are exempt.) OMB required that the .gov top-level domain be cryptographically signed by Jan. 31, 2009; that milestone was reached a month late, in February 2009.

Individual agencies were required to support DNSSEC in all of their .gov subdomains by Dec. 31, 2009. Agencies that appear to have met this deadline include the Commerce and Interior Departments, while the Treasury Department and the Department of Homeland Security have not.

Once it is fully deployed, DNSSEC will have a broad impact on the U.S. public, because it lets a resolver verify that the DNS answer for a federal Web site is the one the agency published and not a forged record that redirects visitors elsewhere. For example, citizens who file their taxes online want to be sure that the address they type into their browsers takes them to a Web site operated by the Internal Revenue Service and not to a scam artist trying to steal their Social Security numbers. (DNSSEC authenticates the DNS data only; it does not vouch for the Web site's content, and it offers no protection against a look-alike domain that a user types by mistake.)

DNSSEC is hierarchical: each zone's signing keys are vouched for by the zone above it, so the chain of signatures must hold at every step in matching a domain name with the corresponding IP address. For a user to receive an authenticated response for a government Web site such as the IRS's, DNSSEC needs to be deployed on the Internet's root servers, on the .gov domain servers and on the subdomain servers operated by the IRS, and the user's resolver must actually validate that chain.

"If everything was DNSSEC enabled, it would make it extremely difficult to forge a DNS response," says Ken Silva, CTO of VeriSign, which is deploying DNSSEC on the Internet's root servers as well as the .com and .net domains. "Having said that, it truly needs to be DNSSEC from end-to-end in order to have an impact."

Hoffman points out that there is marginal value for agencies to deploy DNSSEC until the DNS root is signed, which will happen this summer.

"It's a shame more agencies aren't ready for DNSSEC," Hoffman says. "After the root is signed, those agencies that are ready will be coming up to speed much more quickly than those that are not."

Despite the promise of DNSSEC to improve the trustworthiness of the government's online services, many agencies haven't devoted money or personnel to the DNSSEC mandate, experts say.

Other agencies have run into technical glitches as they've deployed DNSSEC.

"When we go to deploy DNSSEC, sometimes there are networking issues where some part of the network might be getting in the way of the digital signatures or sometimes there are firewall issues," Beckett says, adding that these are normal debugging issues rather than major technical hurdles to DNSSEC deployment.

VeriSign says it has run into some difficulties deploying DNSSEC across the root, .com and .net servers, but nothing worse than it expected.

"We've found some technical roadblocks around network equipment including firewalls and load balancers," Silva says. "We've had some versions of those devices act funny with a packet if it's larger than it was normally expecting to be. … That's why it's so important to test your own systems and make sure that DNSSEC is not going to cause any problems."
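As an added illustration (not part of the Network World article, and not VeriSign's or any agency's code), the following Python script shows what the oversized packets Beckett and Silva describe are about: a DNSSEC-aware query advertises a large EDNS0 buffer and sets the DO bit, and a signed DNSKEY answer for a constructed zone, example.gov, comes back well over the 512-byte ceiling of classic UDP DNS. Every name, key and signature byte in it is made up, and the script performs no real cryptography; it only builds and parses the wire format.

```python
"""Added example, not from the article: why DNSSEC answers upset DNS middleboxes.
Signed replies carry DNSKEY/RRSIG records that push a UDP answer past the 512-byte
classic limit (RFC 1035), so resolvers must advertise a larger buffer and the DO bit
via EDNS0 (RFC 6891); a firewall still enforcing 512 bytes or dropping fragments
silently kills them.  Key and signature bytes here are dummies, not real crypto."""
import struct

CLASSIC_UDP_LIMIT = 512                 # RFC 1035 UDP payload ceiling without EDNS0
TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 41, 46, 48
FLAG_TC, FLAG_AD = 0x0200, 0x0020       # header bits: truncated, authenticated data
EDNS_DO = 0x00008000                    # DO bit inside the OPT RR's TTL field

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, dnssec_ok=True, udp_payload=4096):
    """Query with RD set; with dnssec_ok, an OPT RR advertises udp_payload and DO."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:   # OPT: root name, TYPE 41, CLASS = payload size, TTL = flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, EDNS_DO, 0)
    return msg

def build_response(query, name, qtype, answers, udp_payload=4096):
    """Constructed authoritative-style reply; answers is a list of (type, ttl, rdata)."""
    txid = struct.unpack("!H", query[:2])[0]
    msg = struct.pack("!HHHHHH", txid, 0x8180 | FLAG_AD, 1, len(answers), 0, 1)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, ttl, rdata in answers:   # 0xC00C: compression pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, EDNS_DO, 0)
    return msg

def parse_name(msg, off):
    """Decode a possibly compressed name; return (text, offset just past the name)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:            # compression pointer: follow it, remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (off if end is None else end)

def parse_response(msg):
    """Pull out what a stub checks before any signature verification even starts."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                         # skip QTYPE and QCLASS
    records = []
    for _ in range(an + ns + ar):
        _, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    opt = next((r for r in records if r[0] == TYPE_OPT), None)
    return {"size": len(msg), "truncated": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD),
            "types": [r[0] for r in records if r[0] != TYPE_OPT],
            "edns_payload": opt[1] if opt else None,   # OPT CLASS = advertised buffer
            "edns_do": bool(opt and opt[2] & EDNS_DO)}

def path_verdict(info, path_limit=CLASSIC_UDP_LIMIT):
    """Would this answer survive a path that only passes path_limit bytes of UDP DNS?"""
    if info["size"] <= path_limit:
        return True, "fits in %d bytes" % path_limit
    if info["edns_payload"] is None:
        return False, "oversized with no EDNS0: server must set TC so the client retries over TCP"
    return False, ("%d-byte answer exceeds %d: a middlebox enforcing the classic limit or "
                   "dropping fragments kills it; permit EDNS0 sizes and TCP/53" % (info["size"], path_limit))

def dnskey_rdata(flags, modulus):
    """DNSKEY rdata: flags, protocol 3, algorithm 8 (RSA/SHA-256), RSA key per RFC 3110."""
    return struct.pack("!HBB", flags, 3, 8) + b"\x03\x01\x00\x01" + modulus

def rrsig_rdata(covered, signer, signature):
    """RRSIG rdata (RFC 4034 s.3.1); timestamps and key tag are placeholder values."""
    return (struct.pack("!HBBIIIH", covered, 8, 2, 3600, 0x4C5D3C00, 0x4C37E180, 12345)
            + encode_name(signer) + signature)

def demo(zone="example.gov."):
    """Constructed sample: DNSKEY RRset (2048-bit KSK + 1024-bit ZSK) signed by the KSK."""
    query = build_query(zone, TYPE_DNSKEY)
    answers = [(TYPE_DNSKEY, 3600, dnskey_rdata(257, b"\xaa" * 256)),   # KSK (SEP bit)
               (TYPE_DNSKEY, 3600, dnskey_rdata(256, b"\xbb" * 128)),   # ZSK
               (TYPE_RRSIG, 3600, rrsig_rdata(TYPE_DNSKEY, zone, b"\xcc" * 256))]
    info = parse_response(build_response(query, zone, TYPE_DNSKEY, answers))
    return info, path_verdict(info)

if __name__ == "__main__":
    print(demo())
```

The constructed DNSKEY answer comes to 763 bytes, a realistic size for a zone with a 2048-bit key-signing key, and the verdict is that a device still enforcing the pre-EDNS0 limit will drop it. Against a live zone the same check is `dig +dnssec +bufsize=4096 DNSKEY <zone>`; if that times out but `dig +tcp` succeeds, a firewall or load balancer in the path is the culprit, and the fix is to allow EDNS0-sized UDP payloads (including fragments) and TCP on port 53 rather than to back away from signing.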
