DNSSEC NEWSFLASH

Wednesday, September 22, 2010

Majority of U.S. Federal Domain Names Still Fail to Meet Federal Internet Security Mandate for DNSSEC Adoption

.gov domains not using DNSSEC according to first independent study into the deployment of Domain Name Security Extensions across all .gov domains by IID

 
TACOMA, Wash.--(BUSINESS WIRE)--IID (Internet Identity), a provider of technology and services that help organizations secure Internet presence, today announced it has identified major online security holes for U.S. government organizations in its “Q3 State of DNS Report”. According to the report, a majority of Federal agency run .gov domains are not signing their DNS (Domain Name System) with DNSSEC (Domain Name Security Extensions) despite a December 2009 Federal deadline for adoption. DNSSEC is designed to ensure DNS entries are not poisoned in transit, so users are not taken to an unintended Internet destination.

The report was the first independent study into the deployment of DNSSEC across a majority of .gov domains including Federal, state, local, Native American and others. .gov domains are not published publicly, but IID was able to track down a majority of them for this study. IID analyzed the DNS of more than 2,900 .gov domains and found:
  • 421 Federal .gov domains are fully authenticated with DNSSEC out of 1,185 (36 percent)
  • Two percent of Federal .gov domains signed with DNSSEC are incorrectly configured and fail completely when DNSSEC checks are done at some DNS resolvers
  • Another two percent of Federal .gov domains have basic DNS misconfigurations that keep them from operating properly at all 
  • Two states, Idaho and Vermont, have successfully authenticated many of their domains with DNSSEC – a good sign for non-Federal adoption

“This should be a wakeup call that DNSSEC, likely for a multitude of reasons, is still not being implemented across a wide spectrum of .gov domains despite a mandate to do so,” said IID president and CTO Rod Rasmussen. “Furthermore and even more worrisome, there is a small percentage of .gov domains that are adopting but not properly utilizing DNSSEC, leaving organizations with a false sense of security and likely problems for their users.”

A January 2010 report prepared by the Center for Strategic and International Studies (CSIS) titled, "In the Crossfire – Critical Infrastructure in the Age of Cyber-War," found 57 percent of 600 IT and security professionals polled had experienced DNS poisoning attacks – which DNSSEC is supposed to stop. According to the IT and security professionals questioned, the cost of downtime incurred from a network infrastructure attack like DNS poisoning on their organizations was more than six million dollars a day.

“DNS is still the wild west of Internet infrastructure and it remains relatively wide open for cyber criminals today,” said Online Trust Alliance (OTA) Founder and President Craig Spiezle. “It is essential for organizations to not only adopt DNSSEC, but also utilize various other solutions which help ensure online trust.”

More findings from the IID report including how improperly implementing DNSSEC has actually hamstrung some domains can be found at www.internetidentity.com/resources/trend-reports. Rod Rasmussen will discuss the findings of this report while at the OTA Online Trust & Cybersecurity Forum in Washington, D.C. this Friday, September 24.

About IID

IID (Internet Identity) has been providing technology and services that secure the Internet presence for an organization and its extended enterprise since the company was founded in 1996. It recently started delivering the industry’s first and only solution for detecting, diagnosing and mitigating domain name system (DNS) security and configuration issues for an organization and its extended enterprise. IID also provides anti-phishing, malware and brand security solutions for many of today’s leading financial service firms, e-commerce, social networking and ISP companies, and more. The company is working hard to deliver solutions that help keep the Internet safe and trusted for businesses. IID is headquartered in Tacoma, Washington. More information can be found at www.internetidentity.com.

Source: Business Wire, Majority of U.S. Federal Domain Names Still Fail to Meet Federal Internet Security Mandate for DNSSEC Adoption, Retrieved on September 22, 2010 from businesswire.com/news/home/20100922006548/en
