Tools, services and other resources are available for enterprise DNSSEC adoption, but for now experts agree that it could take years before support of the technology is more widespread.
Network managers aren’t feeling enough pain, and as a result they aren’t moving to DNSSEC.
Lawrence Orans, research director at Gartner Inc.
Domain Name System Security Extensions (DNSSEC) contains protocols that add an encryption layer to DNS, and security experts have praised the specifications as a way to boost security by eliminating forged DNS data used in cache poisoning and man-in-the-middle attacks. Top-level domains, including .org, .net and .gov, have been signed to support the specifications. VeriSign signed the .com top-level domain in April.
Comcast Corp. announced this week that it was one of the first ISPs in North America to fully run the DNSSEC protocol as part of its services. PayPal is one of the first enterprises to secure its domains with DNSSEC, but it’s unlikely many other enterprises will jump at the chance of becoming early adopters, said Lawrence Orans, research director at Stamford, Conn.-based Gartner Inc. Gartner has predicted that by 2014 no more than 30% of DNS lookups will be verified by DNSSEC. The risk of attack has to be high enough before adoption gains momentum, he said.
“Network managers aren’t feeling enough pain, and as a result they aren’t moving to DNSSEC,” Orans said. “We’re just not seeing a lot of interest from enterprises.”
Nonetheless, vendors are stepping up with technology to support the transition to DNSSEC. Thales Information Systems Security, which sells hardware security modules (HSMs), has already supported DNSSEC for early adopters using the OpenDNSSEC open source software. This week, the company announced a partnership with Infoblox, adding support and automated features to simplify the deployment process. ISPs, hosting providers and domain registrars are currently the main target adopters for DNSSEC, said Richard Moulds, vice president of product management and strategy at Thales.
“Anyone deploying DNSSEC has to make a decision on what level of assurance they want,” Moulds said. “The highest links in the chain always use an HSM. Unlike database encryption, which is a personal decision about risk management, when we’re talking about DNS, every organization is playing a role in that chain of trust and that’s why your obligation is to follow the best practices.”
A company enabling DNSSEC has a choice between a software or a hardware approach to key management, or it can turn over most of the management capabilities to a DNS service provider or domain registrar. Thales hopes its customers, mainly financial firms, will take the leap into DNSSEC using the hardware-based approach.
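The "chain of trust" Moulds describes, and the forged-data protection mentioned earlier, can be shown with a small model. The program below is an added example written for this article; it is not code from Thales, Infoblox, OpenDNSSEC or any DNS vendor. It uses Go's standard library only and deliberately simplifies real DNSSEC: there is no wire format, no TTL, no RRSIG validity window and no NSEC denial of existence. What it keeps is the essential structure: each zone has a signing key (its DNSKEY), the parent publishes a SHA-256 digest of the child's key (the DS record), every delegation and every record set carries a signature, and a validating resolver walks from a single trust anchor (the root key) down to the answer. Note that DNSSEC signs DNS data rather than encrypting it; the records remain readable, and what a validator gains is proof of origin and integrity. The zone names, addresses and keys are constructed sample data, and the private keys live in process memory, which is the "software approach" the article contrasts with keeping them in an HSM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified resource record set: all records sharing one owner
// name and type. TTL, class and DNS wire format are left out of this model.
type RRset struct {
	Name  string
	Type  string
	Rdata []string
}

// Canonical returns the bytes that get signed: lower-cased owner name, type,
// and RDATA in sorted order, so that record order on the wire cannot change
// the signature (the same idea as the canonical form in RFC 4034).
func (r RRset) Canonical() []byte {
	rdata := append([]string(nil), r.Rdata...)
	sort.Strings(rdata)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(rdata, "|"))
}

// Zone holds one Ed25519 key pair standing in for the zone's DNSKEY record
// (Ed25519 is DNSSEC algorithm 15, RFC 8080). The private key is kept in
// process memory here; the HSM approach in the article keeps it in hardware.
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func mustZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv}
}

// DS is the delegation-signer digest a parent publishes for this zone:
// SHA-256 over owner name and public key, like DS digest type 2.
func (z *Zone) DS() string {
	h := sha256.Sum256(append([]byte(strings.ToLower(z.Name)), z.pub...))
	return hex.EncodeToString(h[:])
}

// Sign produces the RRSIG equivalent for an RRset in this zone.
func (z *Zone) Sign(rr RRset) []byte { return ed25519.Sign(z.priv, rr.Canonical()) }

// Link is one delegation step: the child zone's key and the DS RRset that the
// parent signed to vouch for that key.
type Link struct {
	Child *Zone
	DS    RRset
	DSSig []byte
}

// Validate walks from the trust anchor (root public key) down each delegation
// and finally checks the leaf RRset. A forged record, a substituted key or a
// missing parent signature all fail, so a validating resolver rejects the
// poisoned answer instead of caching it.
func Validate(anchor ed25519.PublicKey, chain []Link, leaf RRset, leafSig []byte) error {
	key := anchor
	for _, l := range chain {
		if !ed25519.Verify(key, l.DS.Canonical(), l.DSSig) {
			return fmt.Errorf("DS for %s: parent signature does not verify", l.Child.Name)
		}
		if len(l.DS.Rdata) != 1 || l.DS.Rdata[0] != l.Child.DS() {
			return fmt.Errorf("DNSKEY for %s does not match parent's DS", l.Child.Name)
		}
		key = l.Child.pub // this key is now trusted for the next step
	}
	if !ed25519.Verify(key, leaf.Canonical(), leafSig) {
		return errors.New("leaf RRset: signature does not verify (forged or altered data)")
	}
	return nil
}

// BuildChain creates a constructed root -> com. -> example.com. chain, signs
// each delegation, and signs one A RRset in example.com. (sample data only).
func BuildChain() (ed25519.PublicKey, []Link, RRset, []byte) {
	root, com, leafZone := mustZone("."), mustZone("com."), mustZone("example.com.")
	comDS := RRset{Name: "com.", Type: "DS", Rdata: []string{com.DS()}}
	leafDS := RRset{Name: "example.com.", Type: "DS", Rdata: []string{leafZone.DS()}}
	chain := []Link{
		{Child: com, DS: comDS, DSSig: root.Sign(comDS)},
		{Child: leafZone, DS: leafDS, DSSig: com.Sign(leafDS)},
	}
	a := RRset{Name: "www.example.com.", Type: "A", Rdata: []string{"192.0.2.10", "192.0.2.11"}}
	return root.pub, chain, a, leafZone.Sign(a)
}

func main() {
	anchor, chain, a, sig := BuildChain()
	fmt.Println("genuine answer:", Validate(anchor, chain, a, sig)) // <nil>
	forged := a
	forged.Rdata = []string{"198.51.100.66"} // a poisoned answer with the original signature
	fmt.Println("poisoned answer:", Validate(anchor, chain, forged, sig))
}
```

The point of the walk in Validate is that trust never has to be configured per domain: a resolver holds one anchor, and every key below it is accepted only because a key already trusted signed the DS that names it. That is also why the article's sources insist that keys high in the chain deserve the strongest protection, since a parent key that is compromised lets every delegation beneath it be re-vouched.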