Dot-com domains still lack DNSSEC security
- 14 April, 2011 09:13
It's been over two weeks since DNS Security Extensions (DNSSEC) signing was switched on for the .com zone. This is a milestone in a process that will one day let DNS resolvers verify that the answers they receive are genuine, so that surfers can be confident they've reached the site they asked for and have not been quietly diverted by an attacker who tampered with the lookup.
In those two weeks, network engineers everywhere have presumably been working like crazy to sign their domain names...right? After all, it's not as if DNSSEC has come out of nowhere. It has been under discussion since the last century, and VeriSign said early in 2009 that it would sign .com by 2011.
Care to guess how many of the .com domains within the Top 100 most popular Website list, as mentioned in a BBC News article last year, are currently making use of DNSSEC for their .com domains?
None.
Actually, that's not quite true. The Mozilla.com domain doesn't use DNSSEC but Mozilla.org does, and that's what most of us visit. So, well done Mozilla! And boo shucks to virtually every other online business at the moment. (And an additional shout-out for network infrastructure company Infoblox, which alerted me to the fact that DNSSEC take-up hasn't exactly been a gold rush, pointing out they were among the first 200 .coms to make the move.)
How about the top 10 U.S. banks, including Bank of America, JP Morgan Chase, Citigroup and Wachovia? After all, online banking is where DNSSEC is really needed.
Not one is yet secured with DNSSEC, as far as I can tell.
You can test DNSSEC usage for yourself using the DNSSEC Validator extension for Mozilla Firefox. (Search the add-ons gallery to find it.) It displays a key icon alongside the Website address whenever you visit a domain that has been signed with DNSSEC. Ideally the key should be green, meaning the signatures were checked and passed, but it'll probably be orange, because very few of the DNS resolvers run by ISPs validate DNSSEC yet, and so they cannot conclusively prove the site is genuine.
Alternatively, you can visit VeriSign Labs' DNSSEC debugger and search for the domain. Or, if you're using Linux or a Mac, open a terminal window and use the dig +dnssec command followed by the domain; to check google.com, for example, you'd type dig +dnssec google.com. Look for an RRSIG line in the answer section of the results. If it's there, the zone is signed. If it isn't, either DNSSEC hasn't been added to that domain or the resolver you asked dropped the signatures on the way back, so to settle the question, send the same query directly to one of the domain's own authoritative nameservers, or ask for the domain's DS record, which is the entry in .com that vouches for the zone's keys. (Windows users can download the dig tool to use at the command line.)
Beware that the public DNS services offered by Google and OpenDNS both appear, at the present time, to strip the DNSSEC records out of their answers, which isn't entirely helpful if DNSSEC is to become mainstream. That is a resolver-side limitation, though: it says nothing about whether the zone itself is signed, which is why the DS lookup is the more reliable test.
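The reasoning above (RRSIG present or absent, resolver validating or merely passing signatures through, and the DS record in .com as the tie-breaker) can be written down as a small decision procedure. The script below is an added example, not code from the original article or from any of the tools it mentions; it uses only the Python standard library and works on the constructed dig transcripts embedded in it (the zone names signed.example and unsigned.example and all record data are made up for illustration), rather than on live DNS. In practice you would feed it the real output of `dig +dnssec NAME` and `dig DS NAME`.

```python
"""Interpret `dig +dnssec NAME` and `dig DS NAME` output: is the zone signed,
does .com carry a DS for it, and did the resolver validate, pass through, or
strip the signatures?  Added example; stdlib only; runs on constructed
transcripts (not captured from any real domain)."""
import re


def _section(text, name):
    """Record lines of one dig section, e.g. _section(out, "ANSWER")."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            inside = (line == ";; %s SECTION:" % name)
            continue
        if inside and (not line.strip() or line.startswith(";;")):
            inside = False          # blank line or next ';;' header ends the section
        elif inside:
            out.append(line)
    return out


def _rrtype(line):
    """dig prints 'owner TTL class TYPE rdata...' separated by whitespace."""
    fields = line.split()
    return fields[3] if len(fields) > 3 else ""


def classify_dnssec_status(dig_a, dig_ds):
    """dig_a: output of `dig +dnssec NAME`; dig_ds: output of `dig DS NAME`."""
    m = re.search(r"^;; flags: ([a-z ]*);", dig_a, re.M)
    flags = set(m.group(1).split()) if m else set()
    # A resolver only echoes EDNS with the DO bit if it understands DNSSEC.
    do_bit = re.search(r"^; EDNS: .*flags:[^;]*\bdo\b", dig_a, re.M) is not None
    has_rrsig = any(_rrtype(l) == "RRSIG" for l in _section(dig_a, "ANSWER"))
    # The DS lives in the parent (.com) and is returned even by resolvers that
    # know nothing about DNSSEC, so it is the most reliable sign of a signed zone.
    has_ds = any(_rrtype(l) == "DS" for l in _section(dig_ds, "ANSWER"))

    if has_ds:
        if has_rrsig and "ad" in flags:
            return "validated"              # signed, chained, and the resolver checked it (green key)
        if has_rrsig:
            return "signed-not-validated"   # resolver passes signatures but does not check them (orange key)
        if do_bit:
            return "stripped-or-broken"     # .com vouches for the zone, yet no RRSIG came back
        return "resolver-no-dnssec"         # resolver never negotiated DO: ask an authoritative server
    if has_rrsig:
        return "signed-no-ds"               # zone signs itself but .com has no DS for it yet
    return "unsigned"


# Constructed transcripts in BIND 9.7 dig format; record data is invented.
SIGNED_VALIDATED = """; <<>> DiG 9.7.3 <<>> +dnssec signed.example
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;signed.example.\t\tIN\tA

;; ANSWER SECTION:
signed.example.\t300\tIN\tA\t192.0.2.10
signed.example.\t300\tIN\tRRSIG\tA 8 2 300 20110501000000 20110401000000 12345 signed.example. c29tZS1zaWduYXR1cmU=

;; Query time: 12 msec
"""

SIGNED_STRIPPED = """; <<>> DiG 9.7.3 <<>> +dnssec signed.example
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
signed.example.\t300\tIN\tA\t192.0.2.10

;; Query time: 9 msec
"""

UNSIGNED = SIGNED_STRIPPED.replace("signed.example", "unsigned.example")

DS_PRESENT = """; <<>> DiG 9.7.3 <<>> DS signed.example
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
signed.example.\t86400\tIN\tDS\t12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

DS_ABSENT = """; <<>> DiG 9.7.3 <<>> DS unsigned.example
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.\t3600\tIN\tSOA\tns.example. hostmaster.example. 2011041400 7200 3600 1209600 3600
"""

if __name__ == "__main__":
    print("signed, validating resolver:", classify_dnssec_status(SIGNED_VALIDATED, DS_PRESENT))
    print("signed, stripping resolver: ", classify_dnssec_status(SIGNED_STRIPPED, DS_PRESENT))
    print("unsigned zone:              ", classify_dnssec_status(UNSIGNED, DS_ABSENT))
```

The "ad" (authenticated data) header flag is what distinguishes a resolver that actually validated the chain from one that merely forwarded the RRSIGs, and it is what a validating browser extension keys its green icon on; a resolver that never echoes EDNS with "do" can't be trusted to report either way, so the script tells you to go to an authoritative server rather than guessing.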
Admittedly, adding DNSSEC to some domains is not trivial. Consider Google, which uses astonishingly sophisticated DNS load-balancing to ensure everybody worldwide always gets a speedy response; keeping every record in such a large, constantly changing zone correctly signed adds real operational complexity. However, as mentioned, DNSSEC isn't a bolt from the blue. There has been time to put a plan in place.
In a statement, Google told me that they "think that DNSSEC is important," and that they're actively looking into it, but declined to give details of when, how, or even if it will happen.
Ultimately, upgrading to DNSSEC is a series of chicken-and-egg situations. Nobody in the chain, from end user to ISP to Website operator, is compelled to make any changes right now.
For example, I run a handful of Websites but the hosting service I use doesn't yet offer DNSSEC, so I can't upgrade even if I wanted to. The hosting service probably won't offer DNSSEC until people like me start demanding it.
Even once it's available, I'll have to think hard about implementing DNSSEC because it'll add a small but significant cost to running a Website, not to mention complexity. However, the cost could be folded into domain registration fees, removing this cost for all but the bottom-dollar registrars.
Upgrading my domains to DNSSEC at the moment is an academic exercise, because very few DNS resolvers offered by ISPs around the world support DNSSEC. In other words, I can make the switch but it would make no difference to visitors. So, why should I?
It's hard to figure out who can break this status quo. It almost certainly won't be a grassroots effort; end users might question why they need DNSSEC. Doesn't HTTPS already do that job? (Answer: only partly. A TLS certificate proves you've connected to the server named in the address bar, but it does nothing to protect the DNS lookup that took you there, covers nothing that isn't HTTPS, and the certificate authority system it relies on has lately shown cracks of its own.)
Ultimately, it's down to the big tech companies to show the way forward, and to make a fuss about doing so, so that the rest of us follow suit. Because of that, the coming year will show whether DNSSEC is anything more than a clever idea.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Are You Ready for the Net’s Biggest Security Upgrade? - PCWorld Business Center
- Domain Name System Security Extensions - Wikipedia, the free encyclopedia
- VeriSign: We will support DNS security in 2011
- BBC News - The top 100 sites on the internet
- DNSSEC Analyzer - mozilla.org
- Network Automation - DNS/DHCP/IPAM & NCCM - Infoblox.com
- DNSSEC Validátor
- DNSSEC Analyzer
- dig, a DNS query tool for Windows and replacement for nslookup
- Google Public DNS
- OpenDNS : Internet Navigation And Security
- handful of Websites
- HTTPS Is Under Attack Again - PCWorld Business Center