If you fear the United States is lagging in Internet security, don't read this post.
Carolyn Duffy Marsan of Network World has an article, "Top U.S. domain name registrars lag on DNS security," highlighting how U.S. DNS registrars, including Network Solutions and Go Daddy, are taking a wait-and-see attitude regarding adoption of DNS security extensions (DNSSEC):
The leading domain name registrars in the United States appear to be dragging their feet on the deployment of DNS Security Extensions, an emerging standard that prevents an insidious type of hacking attack where network traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing.
DNSSEC prevents cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. Cache poisoning attacks are possible because of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
In order for Web site operators and end users to benefit from DNSSEC, the standard must be supported at every level of the DNS hierarchy.
At the top of this hierarchy, the DNS root servers will support DNSSEC on July 1.
Next are the registries that operate the back-end servers for the various top-level domains. The registries have announced rolling deadlines for their DNSSEC deployments: .org and .edu in June; .net in December; and .com by March 2011.
However, none of the top 10 domain name registrars in the United States has committed to a deadline for deploying DNSSEC.
It will be difficult for small businesses, including a lot of small e-commerce companies, to adopt DNSSEC if their registrar has not adopted it.
One would think they would be motivated to provide this service as it could be a revenue enhancement and a competitive advantage for them - sign up for a web site and have it authenticated. It would be great for their customers.
Afilias, a top-level domain operator (.org, .info, .mobi, etc.) and registry, provides a "1 click DNSSEC service". Comcast and others are moving ahead with DNSSEC services. So there are alternatives.
But the key to rapid and widespread deployment at low cost is for registries to offer this service. Industry must take the lead and not have this forced by regulation.
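To make the "every level of the hierarchy" point concrete, the following Python example (added here, not taken from the article or this post) walks the DS-to-DNSKEY links from the root down to a name and reports where the chain stops. The zone names, the placeholder key bytes and the helper names are assumptions; only the delegation links are checked, not RRSIG signatures.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags | protocol (always 3) | algorithm | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) per RFC 4034 section 5.1.4 / RFC 4509."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def chain_status(qname, zones):
    """Walk root -> qname. The root key is the configured trust anchor.
    Only the DS -> DNSKEY links are checked; RRSIG verification is omitted."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    path = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    for parent, child in zip(path, path[1:]):
        ds_set = zones[parent]["ds"].get(child, [])
        if not ds_set:
            return ("insecure", child)  # parent publishes no DS: treated as unsigned
        if not any(ds_digest(child, k) in ds_set for k in zones[child]["dnskey"]):
            return ("bogus", child)     # DS exists but matches no DNSKEY: SERVFAIL
    return ("secure", None)

def build_demo(registrar_submits_ds):
    """Constructed zones. Key bytes are placeholders, not real public keys."""
    names = [".", "org.", "example.org."]
    keys = {n: dnskey_rdata(257, 8, hashlib.sha256(n.encode()).digest()) for n in names}
    zones = {n: {"dnskey": [keys[n]], "ds": {}} for n in names}
    zones["."]["ds"]["org."] = [ds_digest("org.", keys["org."])]
    if registrar_submits_ds:  # registrar relays the customer's DS to the .org registry
        zones["org."]["ds"]["example.org."] = [ds_digest("example.org.", keys["example.org."])]
    return zones

if __name__ == "__main__":
    print(chain_status("example.org.", build_demo(True)))   # registrar supports DNSSEC
    print(chain_status("example.org.", build_demo(False)))  # zone signed, DS never published
```

The second case is the one this post is concerned with: the site operator has signed the zone, but because no DS record reached the registry, validating resolvers handle the domain as if it were unsigned.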
Scan your networks now, make sure your DNS servers are responding well, and make sure they do NOT answer to anyone in the world,
it is an important part of security and most admins forget it...
http://sites.google.com/site/dnslocator/
Posted by: CISO | 03/30/2010 at 02:59 PM