Key security experts unfamiliar with DNSSEC

Half of IT personnel in charge of Internet security at the world’s largest organizations either haven’t heard of DNSSEC or have limited familiarity with it, according to IID.

Those who do understand the technology believe key obstacles including lack of training/implementation services, slow ISP resolver rollout and limited client-aware applications will lead to a two to five year adoption period.

DNSSEC is an emerging Internet security standard. It is designed to protect Internet users from getting misdirected to unintended Internet destinations by ensuring domain name system (DNS) entries remain unchanged in transit. The Internet’s root servers at the top of the DNS hierarchy added DNSSEC support last July.

More than 25 top-level domains—including .gov, .org, .edu and .net—have enabled DNSSEC since then. On March 31, DNSSEC will be enabled on the .com top-level domain, which has more than 80 million registered names according to VeriSign, the operator of .com.

Some of the findings of the IID survey include:

1. 50 percent of respondents have never heard of DNSSEC or don’t understand it clearly.

2. Of those who are familiar with DNSSEC, a vast majority correctly identified the key benefits for the technology. When asked, “What is the purpose of DNSSEC,” the number one answer was to, “Prevent cache-poisoning attacks at recursive nameservers (e.g. your ISP).”

3. Of those surveyed, only one percent acknowledged their organization has experienced losses to date due to cache poisoning attacks.

4. The majority of respondents believe it will take two to five years for DNSSEC to become widely adopted in their industry, and all believe that adoption is inevitable.

5. Only five percent of those polled said their organization has already implemented DNSSEC for their domains, while an additional 16 percent plan to implement it.

6. According to those surveyed, the two biggest overall obstacles to DNSSEC adoption today are Internet Service Provider deployment of DNSSEC resolvers and DNSSEC-aware client applications like browsers and email.

7. When asked about the biggest roadblock to individual DNSSEC adoption, the number one answer was, “Not enough vendors offering services to implement it.”

8. That said, many respondents plan to implement it themselves. In response to “Who would you choose to provide a DNSSEC PUBLISHING (authoritative records and key management)” and “Who would you expect to be able to provide a DNSSEC resolving (running recursive nameservers my employees use) implementation for your organization?,” a preponderance of respondents answered, “My own internal IT staff.”

“This survey provides key insight into the market’s knowledge (or lack thereof) regarding DNSSEC, and what the future may hold with the security standard,” said IID President and CTO Rod Rasmussen. “Perhaps unsurprisingly, about half of all respondents do not have a clear understanding of the technology or its benefits, indicating the industry still has its work cut out. However, those who have familiarity with DNSSEC seem to understand its key benefits and current challenges, which is promising for eventual adoption.”

“While the security community and Federal Government have recognized value of DNSSEC, in order to realize the true benefit, the ecosystem including browser vendors, registrars and the business community must work together to secure the DNS before a major exploit occurs,” said Craig Spiezle, Executive Director and President, Online Trust Alliance. “We are encouraged by the adoption of leading government sites and look forward to working with industry leaders including IID to develop tools, resources and prescriptive advice to accelerate adoption with leading banking and ecommerce sites.”