Half of federal Web sites fail DNS security test

Network World

"We checked which ones of those Web sites were signed, which is the first step to deploying DNSSEC," says Mark Beckett, vice president of marketing and product management for Secure64. "Last year, that number was 20%. This year, that number is 49%."

2010 DNSSEC Survey 

Secure64's findings show progress on the DNSSEC front, with the number of federal agencies digitally signing their domains having more than doubled. "But if you think the government should be fully deployed by now, it's a disappointing number," Beckett added.

Secure64 examined only .gov domains, eliminating federal Web sites that end in .mil, .com or .org from its research because the OMB mandate only applies to .gov Web sites.

"The sample size is large enough that these numbers are very believable and conceivable with what we see out in the market," Beckett says.

Leaders in DNSSEC deployment include the State Department, which is 100% compliant, and the Department of Labor, which is 90% compliant, according to the Secure64 survey.

Agencies that appear to be lagging in DNSSEC deployment include the Treasury Department, which is signing only one of its dozen subdomains.

Beckett says agencies are even further behind in establishing a chain of trust with their parent domains, which is the second step in DNSSEC deployment after signing a DNS zone.

"Of the folks with signed domains...only about 20% have established a chain of trust with their parent," Beckett says. "The fact that more than half of the agencies have not yet signed and an even larger percentage haven't established their chain of trust tells you the difficulty for anybody - including federal agencies - in deploying this. It's evidence of the complexity of doing this."
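
The two steps Beckett describes, signing a zone and then establishing a chain of trust with the parent, can be told apart from DNS data alone. The Python below is an added example, not code from Secure64 or Network World: it classifies a zone from its DNSKEY records and the DS records its parent publishes, treating the presence of a DNSKEY as "signed" (an assumption about how such a survey would count) and not validating RRSIG signatures. The zone names, key bytes and helper names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def deployment_state(owner, dnskeys, parent_ds):
    """Classify a zone from its DNSKEY RDATA blobs and the parent's DS tuples.
    A zone with keys but no matching DS (none, or a stale one) has no chain of trust."""
    # parent_ds items: (key_tag, algorithm, digest_type, digest)
    if not dnskeys:
        return "unsigned"
    for tag, alg, digest_type, digest in parent_ds:
        for rdata in dnskeys:
            if (digest_type == 2 and key_tag(rdata) == tag and rdata[3] == alg
                    and ds_digest(owner, rdata) == digest):
                return "chain of trust"
    return "signed, no chain of trust"

def sample_survey():
    """Classify four constructed zones; names and key bytes are made up."""
    ksk = dnskey_rdata(257, 3, 13, bytes(range(64)))  # constructed, not a real key
    good = (key_tag(ksk), 13, 2, ds_digest("chained.agency.example", ksk))
    stale = (key_tag(ksk), 13, 2, bytes(32))  # digest that matches no served key
    zones = {
        "plain.agency.example": ([], []),
        "island.agency.example": ([ksk], []),
        "stale.agency.example": ([ksk], [stale]),
        "chained.agency.example": ([ksk], [good]),
    }
    return {z: deployment_state(z, keys, ds) for z, (keys, ds) in zones.items()}

if __name__ == "__main__":
    for zone, state in sample_survey().items():
        print(f"{zone:28} {state}")
```

A zone whose parent still publishes a DS for a retired key falls in the same bucket as one with no DS at all, since neither lets a validating resolver follow the chain from the parent.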

Secure64 sells automated systems for DNSSEC deployment; a typical customer spends around $100,000 on their systems.

Other vendors sell DNSSEC services built into broader product suites, such as IP address management offerings from Infoblox and BlueCat Networks or load balancing systems from F5.

DNSSEC will continue to be in the news this year because VeriSign has committed to supporting the security technology in the .com domain in March. The Internet's largest domain, .com has more than 90 million registered domain names, according to the latest VeriSign Domain Name Industry Brief.


Originally published on Network World.