The U.S. Federal Government has taken a lead on DNSSEC implementation by signing the .gov domain this past winter (.GOV DNSSEC Information) and by requiring Federal Agencies under .gov to implement DNS Security Extensions (DNSSEC) for external (public) sites by 5pm Eastern time December 31, 2009 (see OMB Memorandum from the White House).
That is 100 days out from today.
A quick review of SecSpider shows 40-odd DNS zones under .gov are in production, including several state and city zones not covered by the mandate such as Idaho, Vermont, Boston and Chicago.
But missing from the list are Homeland Security (DHS.gov), US-CERT (the United States Computer Emergency Readiness Team), and Whitehouse.gov. (Note to these agencies: Please call me - we do DNSSEC and have deployed in many US Government sites in 3 to 5 days.)
Manual deployment and operation of DNSSEC, including training, documentation, implementing procedures for key rollover, and testing, can be done in under 2 months by trained and dedicated personnel. However, most implementations take 3-6 months or more. It is difficult to find DNSSEC-knowledgeable people who can be fully dedicated to implementation and who can stay on to handle the many ongoing operational requirements.
Messing up DNSSEC can make a site disappear from the Internet. That's a lot to risk if your site is critical to a department's or agency's mission. Automation solves these issues.
Let's hope there is a great leap in adoption over the next quarter so the US Government can meet its own adoption requirements in 2009.