Dot-com domains still lack DNSSEC security

The new security extensions for DNS were enabled on the .com domain, but none of the 100 most popular sites has upgraded

By Keir Thomas, PC World |  Security, DNSSEC

Alternatively, you can visit VeriSign Labs' DNSSEC debugger and search for the domain. Or, if you're using Linux or a Mac, open a terminal window and run the dig +dnssec command followed by the domain name, then look for an RRSIG line in the results. If it's not there, DNSSEC hasn't been added to that domain. (Windows users can download the dig tool to use at the command line.)

Beware that the public DNS services offered by Google and OpenDNS both appear to strip out the DNSSEC components of DNS records at the present time, which isn't entirely helpful if DNSSEC is to become mainstream.
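The dig check described above, together with the resolver caveat, as an added example that is not part of the original article: a small POSIX shell script that reads dig +dnssec output and reports whether RRSIG records came back, and separately whether the resolver set the "ad" (authenticated data) flag. The two dig outputs embedded in it are constructed samples in dig's format, so the script runs offline; check_domain, which calls the real dig, assumes dig is on PATH and is not run by default.

```shell
# Added example (not from the article): decide from dig +dnssec output
# whether a zone is signed, i.e. whether RRSIG records came back.
# The sample outputs below are constructed to mimic dig's answer format.

# Read dig output on stdin. Print "signed" and return 0 if any non-comment
# line is an RRSIG record; otherwise print "unsigned" and return 1.
dnssec_verdict() {
    if grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo signed
        return 0
    fi
    echo unsigned
    return 1
}

# Read dig output on stdin. Return 0 if the header's flags line carries "ad"
# (authenticated data), meaning the resolver itself validated the answer.
# A resolver that strips DNSSEC data, as the article says some public ones
# do, returns neither RRSIGs nor the ad flag, so a negative verdict from it
# says nothing about the zone.
ad_flag_set() {
    grep -Eq '^;; flags:.*[[:space:]]ad[;[:space:]]'
}

# Live check (assumes dig on PATH and network access; not run here).
# Optional second argument: a resolver to ask, e.g. the zone's own
# authoritative server, which is the surest way to see its RRSIGs.
check_domain() {
    if [ -n "$2" ]; then
        dig +dnssec "$1" A "@$2" | dnssec_verdict
    else
        dig +dnssec "$1" A | dnssec_verdict
    fi
}

# Constructed sample: what dig +dnssec shows for a signed zone via a
# validating resolver (RRSIG present, ad flag set). Not real data.
SIGNED_SAMPLE='; <<>> DiG 9.18.0 <<>> +dnssec example.com A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.            3600    IN      A       192.0.2.10
example.com.            3600    IN      RRSIG   A 13 2 3600 20240201000000 20240101000000 4242 example.com. AAAAconstructedSignatureAAAA=='

# Constructed sample: an unsigned zone, or a resolver that dropped the
# DNSSEC records. No RRSIG line, no ad flag.
UNSIGNED_SAMPLE='; <<>> DiG 9.18.0 <<>> +dnssec example.net A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4343
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.            3600    IN      A       192.0.2.20'

# Demo on the constructed samples; works offline. The unsigned case
# returns a non-zero status by design, hence the "|| :".
printf '%s\n' "$SIGNED_SAMPLE"   | dnssec_verdict
printf '%s\n' "$UNSIGNED_SAMPLE" | dnssec_verdict || :
```

To check a real domain, run check_domain with the domain name, optionally adding one of its authoritative name servers as the second argument so the answer cannot have been stripped by an intermediate resolver; the ad flag only appears when the resolver you asked validates DNSSEC itself, which is why RRSIG presence and the ad flag are reported separately.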

Admittedly, adding DNSSEC to some domains is not trivial. Consider Google, for example, which uses astonishingly sophisticated load-balancing to ensure everybody worldwide can always get a speedy response. However, as mentioned, DNSSEC isn't a bolt out of the blue. There's been time to put a plan in place.

In a statement, Google told me that they "think that DNSSEC is important," and that they're actively looking into it, but declined to give details of when, how, or even if it will happen.

Ultimately, upgrading to DNSSEC is a series of chicken-and-egg situations. Nobody in the chain, from end-user to Website operators, is compelled to make any changes right now.

For example, I run a handful of Websites but the hosting service I use doesn't yet offer DNSSEC, so I can't upgrade even if I wanted to. The hosting service probably won't offer DNSSEC until people like me start demanding it.

Even once it's available, I'll have to think hard about implementing DNSSEC because it'll add a small but significant cost to running a Website, not to mention complexity. However, the cost could be folded into domain registration fees, removing this cost for all but the bottom-dollar registrars.

Upgrading my domains to DNSSEC at the moment is an academic exercise, because very few DNS resolvers offered by ISPs around the world support DNSSEC. In other words, I can make the switch but it would make no difference to visitors. So, why should I?

It's hard to figure out who can break this status quo. It almost certainly won't be a grassroots effort; end users might question why they need DNSSEC. Doesn't HTTPS already do that job? (Answer: Yes, but the system is falling apart at the seams.)

Originally published on PC World.