DNSSEC spreads slowly through government domains
Connecting state and local government leaders
Nine months after the OMB deadline for digitally signing Domain Name System records, only a few have successfully implemented the security protocols, according to a new study.
Nine months after the deadline for federal agencies to implement DNS Security Extensions in their Internet domains, a little more than one-third have successfully deployed the security protocols, according to a new study.
The study, conducted for the Internet security company Internet Identity, found that 38 percent of the federal domains tested had been digitally signed using the DNSSEC by mid-September. But 2 percent were incorrectly configured so that signatures could not be validated.
(Read the study here.)
The news was not entirely bad, said Rod Rasmussen, president and CTO of Internet Identity.
“It’s not as bad as I feared, but it’s not as good as I had hoped for,” he said.
Related coverage:
DNSSEC poised to transform Internet
Need to deploy DNSSEC? NIST publishes its how-to
The adoption of DNSSEC, which helps to prevent malicious exploits of the Internet’s Domain Name System, has been increasing in recent months, at the top of the DNS hierarchy and also in the lower-level domains. But “DNSSEC is not easy,” Rasmussen said, and administrators still are absorbing the lessons that are being learned.
The Domain Name System maps Internet domain names to IP addresses and underlies nearly all Internet activities. DNSSEC enables the use of digital signatures that can be used to authenticate DNS data that is returned to query responses. This will help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to commit fraud and identity theft and to distribute malware.
To be fully effective, DNSSEC must be deployed throughout the Internet’s domains. The Internet’s 13 root zone DNS servers have been digitally signed since May. On July 15 the signed root zone was made available and a trust anchor was published with cryptographic keys that will allow users to verify the authenticity of DNS address requests. The publication of the trust anchor for the Internet root makes it possible to begin linking together the “islands of trust” that have been created by the deployment of DNSSEC in isolated domains.
One of those domains is the .gov Top Level Domain. The Office of Management and Budget in 2008 declared that DNSSEC would be deployed to .gov by January 2009 and mandated agencies to deploy it within their subdomains by December 2009.
The largest Top Level Domain to deploy DNSSEC to date has been .org, which contains about 8 million domain names. The .info TLD, which contains more than 6.5 million registered domains, was digitally signed earlier this month. The Internet’s largest domain, .com, with around 80 million registered domain names, is expected to be signed next year.
Determining the exact number of .gov domain names being used by the federal government is not simple, as there is no authoritative public source. Internet Identity was able to identify 2,941 .gov domains in use, the majority of which, 57 percent, are run by state and local governments. Only 1,185, or 40 percent, are owned by federal agencies. But there could be as many as 2,000 other .gov domains now registered, Rasmussen said. If the ratio of federal owners remained constant, that could mean another 800 or so federal domains.
Tests of the 1,185 federal .gov domains identified by Internet Identity found that 421, or 36 percent, could successfully authenticated using DNSSEC. Another 20 domains had been signed but could not be authenticated, which means those domains would be cut off from end users relying on DNSSEC.
The federal government maintains a list of 868 federal .gov domains along with their DNSSEC status. Of that list, a total of 315, or 36 percent, are signed, the same percentage as that in the Internet Identity study.
The difficulty in deploying DNSSEC is that it can be management intensive because of the need not only to sign the DNS records but also to manage the cryptographic keys used to sign and authenticate. Algorithms can be used to help automate the signing process and management, but not all algorithms work well in every environment. These challenges are compounded by the fact that DNS has required very little attention from administrators for most of the life of the Internet and most enterprises have little expertise in managing it.
Commercial tools are being offered to automate deployment, but the technology is far from mature and many lessons still are being learned about their strengths and weaknesses and problems that remain to be worked out.
“As people get more confident with it and more tools come out, we can expect to see the rate accelerate,” Rasmussen said. But the lessons being learned still need to be incorporated into tools so that administrators do not have to go to online discussion groups looking for answers to problems. “That does not scale.”