There has been some controversy around the DNSSEC protocol's ability to protect against online threats. What are the pros and cons of DNSSEC implementations? Are there any other protocols or DNS security options that should be used instead?
With all the recent high-profile security vulnerabilities and related breaches, vendors, researchers and government agencies are quick to rush forward with solutions.
Domain Name System Security Extensions (DNSSEC), which was first proposed in 1997, didn't become popular until the DNS cache poisoning bug was uncovered by security researcher Dan Kaminsky nearly a decade ago. Like PKI, single sign-on and many other broad-reaching security controls, DNSSEC has struggled to get off the ground.
It's easy to understand the value of DNSSEC implementation: It helps ensure you're communicating with the network hosts you assume you're communicating with. However, its downsides have been made clear as well: complexities and costs. In fact, many people in IT are not even familiar with it -- nor do they know whether or not they need it.
As more time passes, I believe we will certainly see and hear more about DNSSEC implementations -- at least at the highest levels of the domain name system. As for it being a must-have enterprise security control today? I'm not convinced, but everyone has their own unique environment and assessment/tolerance of security risks.
The way I see it, the real security problems in most organizations don't even require going down the path of implementing technologies and controls such as DNSSEC. Instead, the solutions to most security problems are right before your eyes. It's the low-hanging fruit -- such as weak passwords, unpatched systems and human gullibility -- that is continually ignored by everyone from the smallest of startups to the largest of enterprises and their business associates.