Security Experts:

DNSSEC Finally Arrives for .Com TLDs

A major milestone for DNSSEC has been reached today, as this morning DNSSEC was officially signed for the .Com TLD. Following several other Top Level Domains already supporting DNSSEC, the added level of security can now be enabled for the more than 90 million .Com names which have been registered according to VeriSign, the operator of .com.

DNSSEC for .ComDNSSEC is designed to protect the Domain Name System from authentication exploits, primarily cache poisoning which can allow internet requests to be intercepted, allowing an attacker to access a website, e-mail, or other services, and redirect or spy on the users without their knowledge.

DNSSEC applies digital signatures to DNS data to authenticate the data's origin and verify its integrity as it moves throughout the Internet. The security extensions are designed to protect the DNS from attacks intended to redirect queries to malicious sites by corrupting DNS data stored on recursive servers. The successful implementation of DNSSEC will greatly reduce a hacker's ability to manipulate DNS data. The resulting digital signatures on that DNS data are validated through a "chain of trust."

"The importance of DNSSEC in solving issues of trust on the Internet has reached a tipping point with the signing of .com -- one of the most significant milestones in the history of DNSSEC to date. However, there is still more work to be done and the effective deployment of DNSSEC requires collaboration from all parties in the Internet ecosystem," said Gartner Research Director Lawrence Orans.

The technology community seems to still have many questions about DNSSEC, and lack understanding of even the basics of it. According to a very recent study of internal and external IT personnel in charge of Internet security at large organizations, half of the respondents either hadn’t heard of DNSSEC or expressed limited familiarity with it. The survey alsorevealed that those who do understand the technology believe key obstacles including lack of training/implementation services, slow ISP resolver rollout and limited client-aware applications will lead to a two to five year adoption period.

The study which surveyed a targeted group of 100 corporate IT security experts, was conducted by IID (Internet Identity), a provider of technology and services that help organizations secure their Internet presence, in coordination with the Online Trust Alliance.

Some of the findings of the IID survey include:

1) 50 percent of respondents have never heard of DNSSEC or don’t understand it clearly.

2) Of those who are familiar with DNSSEC, a vast majority correctly identified the key benefits for the technology. When asked, “What is the purpose of DNSSEC,” the number one answer was to, “Prevent cache-poisoning attacks at recursive nameservers (e.g. your ISP).”

3) Of those surveyed, only one percent acknowledged their organization has experienced losses to date due to cache poisoning attacks.

4) The majority of respondents believe it will take two to five years for DNSSEC to become widely adopted in their industry, and all believe that adoption is inevitable.

5) Only five percent of those polled said their organization has already implemented DNSSEC for their domains, while an additional 16 percent plan to implement it.

6) According to those surveyed, the two biggest overall obstacles to DNSSEC adoption today are Internet Service Provider deployment of DNSSEC resolvers and DNSSEC- aware client applications like browsers and email.

7) When asked about the biggest roadblock to individual DNSSEC adoption, the number one answer was, “Not enough vendors offering services to implement it.”

8) That said, many respondents plan to implement it themselves. In response to “Who would you choose to provide a DNSSEC PUBLISHING (authoritative records and keymanagement)” and “Who would you expect to be able to provide a DNSSEC resolving (running recursive nameservers my employees use) implementation for your organization?,” a preponderance of respondents answered, “My own internal IT staff.”

“While the security community and Federal Government have recognized value of DNSSEC, in order to realize the true benefit, the ecosystem including browser vendors, registrars and the business community must work together to secure the DNS before a major exploit occurs,” said Craig Spiezle, Executive Director and President, Online Trust Alliance.

“This survey provides key insight into the market’s knowledge (or lack thereof) regarding DNSSEC, and what the future may hold with the security standard,” said IID President and CTO Rod Rasmussen. “Perhaps unsurprisingly, about half of all respondents do not have a clear understanding of the technology or its benefits, indicating the industry still has its work cut out. However, those who have familiarity with DNSSEC seem to understand its key benefits and current challenges, which is promising for eventual adoption.”

Related Reading: Deploying DNSSEC - Four Ways to Prepare Your Enterprise for DNSSEC

Related Reading: Five Strategies for Flawless DNSSEC Key Management and Rollover

Related Reading: The Missing Ingredients for DNSSEC Success

Related Reading: Do Recent BGP Anomalies Shed a Light on What's to Come?

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.