Pei Ling Hoo - Fotolia

Get started Bring yourself up to speed with our introductory content.

Is a DNSSEC implementation an enterprise necessity?

While there are numerous security benefits to a DNSSEC implementation, there are drawbacks as well. Expert Kevin Beaver explains.

There has been some controversy around the DNSSEC protocol's ability to protect against online threats. What are...

the pros and cons of DNSSEC implementations? Are there any other protocols or DNS security options that should be used instead?

With all the recent high-profile security vulnerabilities and related breaches, vendors, researchers and government agencies are quick to rush forward with solutions.

Domain Name System Security Extensions (DNSSEC), which was first proposed in 1997, didn't become popular until the DNS cache poisoning bug was uncovered by security researcher Dan Kaminsky nearly a decade ago. Like PKI, single sign-on and many other broad-reaching security controls, DNSSEC has struggled to get off the ground.

It's easy to understand the value of DNSSEC implementation: It helps ensure you're communicating with the network hosts you assume you're communicating with. However, its downsides have been made clear as well: complexities and costs. In fact, many people in IT are not even familiar with it -- nor do they know whether or not they need it.

As more time passes, I believe we will certainly see and hear more about DNSSEC implementations -- at least at the highest levels of the domain name system. As for it being a must-have enterprise security control today? I'm not convinced, but everyone has their own unique environment and assessment/tolerance of security risks.

The way I see it, the real security problems in most organizations don't even require going down the path of implementing technologies and controls such as DNSSEC. Instead, the solutions to most security problems are right before your eyes. It's the low-hanging fruit -- such as weak passwords, unpatched systems and human gullibility -- that are continually ignored by the smallest of startups to the largest of enterprises and their business associates.

Ask the Expert:
Have a question about network security? Send it via email today. (All questions are anonymous.)

Next Steps

Learn how to get started with a DNSSEC implementation

This was last published in September 2015

Dig Deeper on IPv6 security and network protocols security