Agencies way behind in using DNSSEC to secure .gov domains

More than two years after the deadline for deploying the DNS Security Extensions in .gov domains, fewer than 60 percent of agencies have digitally signed their records in the Domain Name System, according to a study by Secure64 Software Corp.

The company queried websites for 359 agencies and found that 205 of them, about 57 percent, had implemented the signatures.

“That’s evidence that they are trying to deploy DNSSEC,” said Mark Beckett, marketing vice president for the security company.

The figure was up from about 50 percent in a study of the same sites a year ago, but it still falls short. “I would have hoped for a bigger leap,” Beckett said.

Of those agencies that have digitally signed their records, the vast majority have established the chains of trust that enable the signatures to be validated so that visitors can be assured that they are visiting a legitimate site and that their traffic has not been hijacked.

Beckett said it is primarily smaller agencies that are not yet using DNSSEC, and that the delay could be caused by a combination of lack of awareness and lack of resources.

The Domain Name System, which maps Internet domain names such as gcn.com to numerical IP addresses, underlies nearly all Internet activities. DNSSEC uses digital signatures to authenticate the DNS data returned in query responses. This helps to combat attacks such as pharming, cache poisoning, and DNS redirection, which are used to misdirect traffic to malicious sites for fraud and the distribution of malware.

A growing number of the Internet’s Top Level Domains are deploying DNSSEC, but to be fully effective DNSSEC must be deployed throughout the Internet’s domains and subdomains so that the digital signatures can be validated as trustworthy.

Interest in deploying the security protocols was sparked in 2008 with the discovery of a vulnerability that would enable easy exploitation of weaknesses in the Domain Name System. The .gov top-level domain was signed in early 2009, and DNSSEC was fully deployed by operators of the Internet’s authoritative root zone in July 2010, providing a trust anchor that now can tie together “islands of trust” that have been created by the deployment of DNSSEC in isolated domains.

Under a 2008 mandate from the Office of Management and Budget, agencies were supposed to deploy DNSSEC within their domains by the end of 2009, but that deadline has long passed without having been met by many agencies.

The exact percentage of signed .gov domains is difficult to determine because there is no authoritative count of domains. There could be as many as 5,000 domains within .gov, about 1,900 of them federal. The rest could be owned by state or local governments. A list of executive branch sites posted on Data.gov lists 1,736 sites.

Lee Ellis, the .gov program manager for the General Services Administration, last year called the estimated 50 percent figure for signed domains unacceptable.

Of the 205 signed domains discovered by Secure64, 161 have established the chain of trust to the parent domain, so that their signatures can be verified as valid by another server, Beckett said. Most of those are operating properly. Only three sites were found to return errors in validating their signatures. That number, though small, is significant, Beckett said.

“If you deploy it, you’d better deploy it right,” he said. Service providers such as Comcast have begun enabling DNSSEC validation on their networks. When the signature of a digitally signed site cannot be validated, the network can drop that request without a connection. “Your domain is offline for all intents and purposes” on that network, Beckett added.
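The "chain of trust" mentioned above is concrete: the parent zone publishes a DS record that carries a hash of the child's key-signing DNSKEY, and a validating resolver accepts the child's keys only if one of them hashes to a published DS. The following is an added illustration, not code from the article or from Secure64, of the RFC 4034 key-tag and DS-digest computations and of the three outcomes a validator reaches for a delegation: "secure" (DS matches a DNSKEY), "insecure" (no DS at all, an island of trust the parent does not vouch for), and "bogus" (a DS exists but nothing matches, which is the case that makes a validating network such as Comcast's drop the answer). The zone name and key bytes are constructed for the example; no real signing or RRSIG verification is performed.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = key-signing key (SEP bit set), 256 = zone-signing key
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes  # raw public key as it appears in the RDATA

    def rdata(self) -> bytes:
        """Wire-format RDATA: Flags | Protocol | Algorithm | Public Key (RFC 4034 s2.1)."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels with length bytes, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (ones-complement-style fold of the RDATA)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 s5.1.4."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(canonical_name(owner) + key.rdata())
    return DS(key_tag(key), key.algorithm, digest_type, h.digest())


def delegation_status(child: str, child_keys: Iterable[DNSKEY], parent_ds: Iterable[DS]) -> str:
    """Outcome a validating resolver reaches for the child zone's key set."""
    parent_ds = list(parent_ds)
    if not parent_ds:
        return "insecure"  # parent does not vouch for the child: an island of trust
    for ds in parent_ds:
        for key in child_keys:
            if ds.algorithm != key.algorithm or ds.key_tag != key_tag(key):
                continue
            if ds.digest_type in DIGEST_ALGS and make_ds(child, key, ds.digest_type).digest == ds.digest:
                return "secure"
    return "bogus"  # DS published, but no key matches it: validation fails


def resolver_response(status: str, answer: bytes) -> Tuple[str, Optional[bytes]]:
    """A validating resolver withholds bogus data rather than handing it to the client."""
    if status == "bogus":
        return ("SERVFAIL", None)  # the domain is effectively offline for this resolver's users
    return ("NOERROR", answer)


# Constructed sample: a KSK for a hypothetical zone; the key bytes are not a real RSA key.
SAMPLE_ZONE = "example.gov"
SAMPLE_KSK = DNSKEY(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(1, 33)))
SAMPLE_DS = make_ds(SAMPLE_ZONE, SAMPLE_KSK)  # what the parent (.gov) would publish


if __name__ == "__main__":
    tampered = DNSKEY(257, 3, 8, SAMPLE_KSK.public_key[:-1] + b"\xff")
    for keys, ds in ((SAMPLE_KSK,), (SAMPLE_DS,)), ((tampered,), (SAMPLE_DS,)), ((SAMPLE_KSK,), ()):
        status = delegation_status(SAMPLE_ZONE, keys, ds)
        print(status, resolver_response(status, b"192.0.2.1"))
```

Changing a single byte of the key flips the outcome from "secure" to "bogus", which is why the article's three misconfigured sites matter: a zone whose DS no longer matches its live DNSKEY (for example after a key change that was not propagated to the parent) is treated as hostile by every validating resolver, not merely as unsigned.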

There are a number of other hurdles to full deployment of DNSSEC, which requires not only digitally signing records so that they can be validated but also managing the cryptographic signing keys that must be periodically changed to remain secure. Remaining challenges include:

  • A lack of adequate vendor support, although this is changing as vendors move into the marketplace with tools and services to automate and simplify signing and key management.
  • Technical problems because products from different vendors are not always interoperable.
  • Infrastructure upgrades that are needed to support signing in some environments.
  • Funding and resources, along with personnel and training issues.
  • Contractual barriers with vendors that can delay needed upgrades.
  • Getting the word out to all agencies of the need to deploy DNSSEC.



Reader Comments

Mon, Mar 19, 2012

What happens when the attacker uses an anonymizer and then steals millions of dollars because people failed to follow security guidelines? I guess the consumer doesn't matter and the lack of IT security is OK.

Mon, Mar 19, 2012 A .GOV Domain Mgr

Per http://usgv6-deploymon.antd.nist.gov/snap-all.html, the .GOV (Executive Branch) being at 59 percent (1595 domains tested as of March 11, 2012) isn't bad, considering industry (1068 .COM, .ORG & .NET domains tested) is at ONE percent (1%) and university (346 .EDU domains tested). The Government relies on the expertise of our industry partners, but what does it say to Government when industry (including most banks) hasn't deployed DNSSEC?
