Tools, services emerge for enterprise DNSSEC adoption

Robert Westervelt, News Director

Tools, services and other resources are available for enterprise DNSSEC adoption, but for now experts agree that it could take years before support of the technology is more widespread.


Domain Name System Security Extensions (DNSSEC) contains protocols that add an encryption layer to DNS, and security experts have praised the specifications as a way to boost security by eliminating forged DNS data used in cache poisoning and man-in-the-middle attacks. Top-level domains, including .org, .net and .gov, have been signed to support the specifications. VeriSign signed the .com top-level domain in April.

Comcast Corp. announced this week that it was one of the first ISPs in North America to fully run the DNSSEC protocol as part of its services. PayPal is one of the first enterprises to secure its domains with DNSSEC, but it’s unlikely many other enterprises will jump at the chance of becoming early adopters, said Lawrence Orans, research director at Stamford, Conn.-based Gartner Inc. Gartner has predicted that by 2014 no more than 30% of DNS lookups will be verified by DNSSEC. The risk of attack has to be high enough before adoption gains momentum, he said. 

“Network managers aren’t feeling enough pain, and as a result they aren’t moving to DNSSEC,” Orans said. “We’re just not seeing a lot of interest from enterprises.”

Nonetheless, vendors are stepping up with technology to support the transition to DNSSEC. Thales Information Systems Security, which sells hardware security modules (HSMs), has already supported DNSSEC for early adopters using OpenDNSSEC open source software. This week, the company announced a partnership with Infoblox, adding support and automated features to simplify the deployment process. ISPs, hosting providers and domain registrars are currently the target level of adopters for DNSSEC, said Richard Moulds, vice president of product management and strategy at Thales.
 

“Anyone deploying DNSSEC has to make a decision on what level of assurance they want,” Moulds said. “The highest links in the chain always use an HSM. Unlike database encryption, which is a personal decision about risk management, when we’re talking about DNS, every organization is playing a role in that chain of trust and that’s why your obligation is to follow the best practices.”

A company enabling DNSSEC has a choice between a software or a hardware approach to key management, or it can turn over most of the management capabilities to a DNS service provider or domain registrar. Thales hopes its customers, mainly financial firms, will take the leap into DNSSEC using the hardware-based approach.

