Agencies way behind in using DNSSEC to secure .gov domains
- By William Jackson
- Mar 16, 2012
More than two years after the deadline for deploying the DNS Security Extensions in .gov domains, fewer than 60 percent of agencies have digitally signed their records in the Domain Name System, according to a study by Secure64 Software Corp.
The company queried websites for 359 agencies and found that 205 of them, about 57 percent, had implemented the signatures.
“That’s evidence that they are trying to deploy DNSSEC,” said Mark Beckett, marketing vice president for the security company.
The figure was up from about 50 percent in a study of the same sites a year ago, but it still falls short. “I would have hoped for a bigger leap,” Beckett said.
Of those agencies that have digitally signed their records, the vast majority have established the chains of trust that enable the signatures to be validated so that visitors can be assured that they are visiting a legitimate site and that their traffic has not been hijacked.
Beckett said it is primarily smaller agencies that are not yet using DNSSEC, and that the delay could be caused by a combination of lack of awareness and lack of resources.
The Domain Name System, which maps Internet domain names such as gcn.com to numerical IP addresses, underlies nearly all Internet activities. DNSSEC uses digital signatures to authenticate DNS data that is returned in response to queries. This will help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to misdirect traffic to malicious sites for fraud and the distribution of malware.
A growing number of the Internet’s Top Level Domains are deploying DNSSEC, but to be fully effective DNSSEC must be deployed throughout the Internet’s domains and subdomains so that the digital signatures can be validated as trustworthy.
Interest in deploying the security protocols was sparked in 2008 with the discovery of a vulnerability that would enable easy exploitation of weaknesses in the Domain Name System. The .gov top-level domain was signed in early 2009, and DNSSEC was fully deployed by operators of the Internet’s authoritative root zone in July 2010, providing a trust anchor that now can tie together “islands of trust” that have been created by the deployment of DNSSEC in isolated domains.
Under a 2008 mandate from the Office of Management and Budget, agencies were supposed to deploy DNSSEC within their domains by the end of 2009, but that deadline has long passed without having been met by many agencies.
The exact percentage of signed .gov domains is difficult to determine because there is no authoritative number for domains. There could be as many as 5,000 domains within .gov, about 1,900 of them federal. The rest could be owned by state or local governments. A list of executive branch sites posted on Data.gov lists 1,736 sites.
Lee Ellis, the .gov program manager for the General Services Administration, last year called the estimated 50 percent figure for signed domains unacceptable.
Of the 205 signed domains discovered by Secure64, 161 have established the chain of trust to the parent domain, so that their signatures can be verified as valid by another server, Beckett said. Most of those are operating properly. Only three sites were found to return errors in validating their signatures. That number, though small, is significant, Beckett said.
“If you deploy it, you’d better deploy it right,” he said. Service providers such as Comcast have begun enabling DNSSEC validation on their networks. When the signature of a digitally signed site cannot be validated, the network can drop that request without a connection. “Your domain is offline for all intents and purposes” on that network, Beckett added.
There are a number of other hurdles to full deployment of DNSSEC, which requires not only digitally signing records so that they can be validated but also managing the cryptographic signing keys that must be periodically changed to remain secure. Remaining challenges include:
- A lack of adequate vendor support, although this is changing as vendors move into the marketplace with tools and services to automate and simplify signing and key management.
- Technical problems because products from different vendors are not always interoperable.
- Infrastructure upgrades that are needed to support signing in some environments.
- Funding and resources, along with personnel and training issues.
- Contractual barriers with vendors that can delay needed upgrades.
- Getting the word out to all agencies of the need to deploy DNSSEC.