Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

DNSSEC Finally Arrives for .Com TLDs

A major milestone for DNSSEC has been reached today, as this morning DNSSEC was officially signed for the .Com TLD. Following several other Top Level Domains already supporting DNSSEC, the added level of security can now be enabled for the more than 90 million .Com names which have been registered according to VeriSign, the operator of .com.

A major milestone for DNSSEC has been reached today, as this morning DNSSEC was officially signed for the .Com TLD. Following several other Top Level Domains already supporting DNSSEC, the added level of security can now be enabled for the more than 90 million .Com names which have been registered according to VeriSign, the operator of .com.

DNSSEC for .ComDNSSEC is designed to protect the Domain Name System from authentication exploits, primarily cache poisoning which can allow internet requests to be intercepted, allowing an attacker to access a website, e-mail, or other services, and redirect or spy on the users without their knowledge.

DNSSEC applies digital signatures to DNS data to authenticate the data’s origin and verify its integrity as it moves throughout the Internet. The security extensions are designed to protect the DNS from attacks intended to redirect queries to malicious sites by corrupting DNS data stored on recursive servers. The successful implementation of DNSSEC will greatly reduce a hacker’s ability to manipulate DNS data. The resulting digital signatures on that DNS data are validated through a “chain of trust.”

“The importance of DNSSEC in solving issues of trust on the Internet has reached a tipping point with the signing of .com — one of the most significant milestones in the history of DNSSEC to date. However, there is still more work to be done and the effective deployment of DNSSEC requires collaboration from all parties in the Internet ecosystem,” said Gartner Research Director Lawrence Orans.

The technology community seems to still have many questions about DNSSEC, and lack understanding of even the basics of it. According to a very recent study of internal and external IT personnel in charge of Internet security at large organizations, half of the respondents either hadn’t heard of DNSSEC or expressed limited familiarity with it. The survey alsorevealed that those who do understand the technology believe key obstacles including lack of training/implementation services, slow ISP resolver rollout and limited client-aware applications will lead to a two to five year adoption period.

The study which surveyed a targeted group of 100 corporate IT security experts, was conducted by IID (Internet Identity), a provider of technology and services that help organizations secure their Internet presence, in coordination with the Online Trust Alliance.

Some of the findings of the IID survey include:

1) 50 percent of respondents have never heard of DNSSEC or don’t understand it clearly.

2) Of those who are familiar with DNSSEC, a vast majority correctly identified the key benefits for the technology. When asked, “What is the purpose of DNSSEC,” the number one answer was to, “Prevent cache-poisoning attacks at recursive nameservers (e.g. your ISP).”

Advertisement. Scroll to continue reading.

3) Of those surveyed, only one percent acknowledged their organization has experienced losses to date due to cache poisoning attacks.

4) The majority of respondents believe it will take two to five years for DNSSEC to become widely adopted in their industry, and all believe that adoption is inevitable.

5) Only five percent of those polled said their organization has already implemented DNSSEC for their domains, while an additional 16 percent plan to implement it.

6) According to those surveyed, the two biggest overall obstacles to DNSSEC adoption today are Internet Service Provider deployment of DNSSEC resolvers and DNSSEC- aware client applications like browsers and email.

7) When asked about the biggest roadblock to individual DNSSEC adoption, the number one answer was, “Not enough vendors offering services to implement it.”

8) That said, many respondents plan to implement it themselves. In response to “Who would you choose to provide a DNSSEC PUBLISHING (authoritative records and keymanagement)” and “Who would you expect to be able to provide a DNSSEC resolving (running recursive nameservers my employees use) implementation for your organization?,” a preponderance of respondents answered, “My own internal IT staff.”

“While the security community and Federal Government have recognized value of DNSSEC, in order to realize the true benefit, the ecosystem including browser vendors, registrars and the business community must work together to secure the DNS before a major exploit occurs,” said Craig Spiezle, Executive Director and President, Online Trust Alliance.

“This survey provides key insight into the market’s knowledge (or lack thereof) regarding DNSSEC, and what the future may hold with the security standard,” said IID President and CTO Rod Rasmussen. “Perhaps unsurprisingly, about half of all respondents do not have a clear understanding of the technology or its benefits, indicating the industry still has its work cut out. However, those who have familiarity with DNSSEC seem to understand its key benefits and current challenges, which is promising for eventual adoption.”

Related Reading: Deploying DNSSEC – Four Ways to Prepare Your Enterprise for DNSSEC

Related Reading: Five Strategies for Flawless DNSSEC Key Management and Rollover

Related Reading: The Missing Ingredients for DNSSEC Success

Related Reading: Do Recent BGP Anomalies Shed a Light on What’s to Come?

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...