Wednesday, September 22, 2010

Majority of U.S. Federal Domain Names Still Fail to Meet Federal Internet Security Mandate for DNSSEC Adoption

.gov domains not using DNSSEC according to first independent study into the deployment of Domain Name Security Extensions across all .gov domains by IID

TACOMA, Wash.--(BUSINESS WIRE)--IID (Internet Identity), a provider of technology and services that help organizations secure Internet presence, today announced it has identified major online security holes for U.S. government organizations in its “Q3 State of DNS Report”. According to the report, a majority of Federal agency-run .gov domains are not signing their DNS (Domain Name System) with DNSSEC (Domain Name Security Extensions) despite a December 2009 Federal deadline for adoption. DNSSEC is designed to ensure DNS entries are not poisoned in transit, so users are not taken to an unintended Internet destination.

The report was the first independent study into the deployment of DNSSEC across a majority of .gov domains including Federal, state, local, Native American and others. .gov domains are not published publicly, but IID was able to track down a majority of them for this study. IID analyzed the DNS of more than 2,900 .gov domains and found:
  • 421 Federal .gov domains are fully authenticated with DNSSEC out of 1,185 (36 percent)
  • Two percent of Federal .gov domains signed with DNSSEC are incorrectly configured and fail completely when DNSSEC checks are done at some DNS resolvers
  • Another two percent of Federal .gov domains have basic DNS misconfigurations that keep them from operating properly at all 
  • Two states, Idaho and Vermont, have successfully authenticated many of their domains with DNSSEC – a good sign for non-Federal adoption

“This should be a wakeup call that DNSSEC, likely for a multitude of reasons, is still not being implemented across a wide spectrum of .gov domains despite a mandate to do so,” said IID president and CTO Rod Rasmussen. “Furthermore and even more worrisome, there is a small percentage of .gov domains that are adopting but not properly utilizing DNSSEC, leaving organizations with a false sense of security and likely problems for their users.”

A January 2010 report prepared by the Center for Strategic and International Studies (CSIS) titled, "In the Crossfire – Critical Infrastructure in the Age of Cyber-War," found 57 percent of 600 IT and security professionals polled had experienced DNS poisoning attacks – which DNSSEC is supposed to stop. According to the IT and security professionals questioned, the cost of downtime incurred from a network infrastructure attack like DNS poisoning on their organizations was more than six million dollars a day.

“DNS is still the wild west of Internet infrastructure and it remains relatively wide open for cyber criminals today,” said Online Trust Alliance (OTA) Founder and President Craig Spiezle. “It is essential for organizations to not only adopt DNSSEC, but also utilize various other solutions which help ensure online trust.”

More findings from the IID report including how improperly implementing DNSSEC has actually hamstrung some domains can be found at

Rod Rasmussen will discuss the findings of this report while at the OTA Online Trust & Cybersecurity Forum in Washington, D.C. this Friday, September 24.

About IID

IID (Internet Identity) has been providing technology and services that secure the Internet presence for an organization and its extended enterprise since the company was founded in 1996. It recently started delivering the industry’s first and only solution for detecting, diagnosing and mitigating domain name system (DNS) security and configuration issues for an organization and its extended enterprise. IID also provides anti-phishing, malware and brand security solutions for many of today’s leading financial service firms, e-commerce, social networking and ISP companies, and more. The company is working hard to deliver solutions that help keep the Internet safe and trusted for businesses. IID is headquartered in Tacoma, Washington. More information can be found at

Source: Business Wire, Majority of U.S. Federal Domain Names Still Fail to Meet Federal Internet Security Mandate for DNSSEC Adoption, Retrieved on September 22, 2010 from


Friday, September 17, 2010

Microsoft Points to IE 9 Security Measures

Internet Explorer 9, released on Wednesday in beta form, doesn't talk to strangers.

At least that's the thinking when it comes to the security parameters in the new browser. Users will get more of a warning than in the past when they download unknown files with IE 9, for instance.

"Our features are kind of like 'stranger danger' against malware and other threats," said Dean Hachamovitch, Microsoft's corporate vice president of Internet Explorer. "Internet Explorer 9 is the only browser that uses download reputation to help users make safety decisions."

For the new browser, Microsoft is tapping filtering technology that has already repelled at least 1.3 billion malicious downloads. The key feature to look for in the IE 9 beta is the download manager, which integrates Microsoft's SmartScreen Filter.

The IE 9 beta introduces the "SmartScreen download reputation" feature, which uses site reputation data to "remove unnecessary warnings for well-known files, and show more severe warnings when the download has a higher risk of being malicious," according to Microsoft's announcement.

Brian Hall, general manager of Windows Live and Internet Explorer, said that IE 8 was the most secure browser ever built. He added that IE 9 simply takes that capability forward with its "database" of trusted and nontrusted Web sites.

"With IE 9, we make it plain what's dangerous and what's not but we understand that our security is never done," Hall said. "We'll have to continue to invest heavily in the ability to create a safe enterprise and customer experience."

Chenxi Wang, principal analyst of security and risk management at Forrester Research, predicted before the IE 9 launch event that "some sort of malware detection and Web site reputation capability built right into the browser" would be seen in the IE 9 beta. However, she'd like to see implementation of other browser security measures. For instance, support could be added for Domain Name System Security Extensions (DNSSEC) to help verify Web sites.

"I'd like to see some kind of visual cue to users whether the Web site they are going to is a DNSSEC-validated domain name," she said.

Trust is an issue with so-called "drive-by installs," where malware can be spread by getting the user to visit a malicious Web page. Users can also be led to click on a malicious link if it's sent by a trusted source.

Will the release of IE 9 bring fewer security bulletins to Windows users? The answer is "No," according to Rob Juncker, vice president of technology at Shavlik Technologies, a company that makes security software.

"Are we saying that we won't see a security bulletin that resembles something along the lines of 'vulnerability in Internet Explorer 9.0 could allow remote code execution?' Absolutely not," Juncker said. He did credit Microsoft somewhat, adding that Microsoft seems to "have realized how to guard the wall better than they have in the past."

Source:, Microsoft Points to IE 9 Security Measures, Jabulani Leffall, Retrieved on 09/16/2010 from


Tuesday, September 7, 2010

EURid: .eu DNSSEC chain of trust complete

Brussels, 6 September 2010 - EURid, the registry for the .eu top-level domain, is pleased to announce that .eu has a complete 'chain of trust' for Domain Name System Security Extensions (DNSSEC), an Internet security standard, with the addition of .eu DNSSEC key material to the Internet's root zone.