Dot-com domains still lack DNSSEC security

The new security extensions for DNS were enabled on the .com domain, but none of the 100 most popular sites has upgraded

By Keir Thomas, PC World |  Security, DNSSEC

It's been over two weeks since the DNS Security Extensions (DNSSEC) system was turned on for .com domain names. This is an end stage for a process that will one day let surfers be 100% confident they're accessing the site they think they are, and have not been diverted by hackers.

In those two weeks, various network engineers have probably been working like crazy to add the necessary DNSSEC extensions to their domain names...right? After all, it's not as if DNSSEC has come out of nowhere. It's been in discussion since the last century, with VeriSign indicating early in 2009 that it would switch .com by 2011.

Care to guess how many of the .com domains within the Top 100 most popular Website list, as mentioned in a BBC News article last year, are currently making use of DNSSEC for their .com domains?

None.

Actually, that's not quite true. The Mozilla.com domain doesn't use DNSSEC but Mozilla.org does, and that's what most of us visit. So, well done Mozilla! And boo shucks to virtually every other online business at the moment. (And an additional shout-out for network infrastructure company Infoblox, which alerted me to the fact that DNSSEC take-up hasn't exactly been a gold rush, pointing out they were among the first 200 .coms to make the move.)

How about the top 10 U.S. banks, including Bank of America, JP Morgan Chase, Citigroup, Wachovia? After all, it's with online banking that DNSSEC is really needed.

Not one is yet secured with DNSSEC, as far as I can tell.

You can test DNSSEC usage for yourself using the DNSSEC Validator extension in Mozilla Firefox. (Search the add-ons gallery to find it.) This will display a key symbol alongside the Website address, should you access any domain that's been signed via DNSSEC. Ideally the padlock should be green but it'll probably be orange because very few DNS resolvers used by ISPs are themselves upgraded to DNSSEC, and therefore can't yet conclusively prove sites are genuine.


Originally published on PC World |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

SecurityWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question