DNSSEC works best when it is fully deployed across the Internet: from the root zone at the top of the DNS hierarchy, to individual top-level domains such as .com and .net, down to individual domain names. Until that happens, Web sites remain vulnerable to Kaminsky-style attacks.
Also needed for DNSSEC adoption are ISP and enterprise networks that can resolve DNSSEC queries as well as browsers and other Web applications that inform users when validation fails.
Much of the DNS infrastructure is now ready to support DNSSEC queries, but ISPs and enterprises have been slow to adopt it.
The Internet's root zone was signed in mid-2010, which was the first step towards end-to-end DNSSEC deployment. Several key domains - including .gov, .org, .edu and .net - began cryptographically signing domains in 2010.
Most significantly for U.S. businesses, Verisign began signing .com in March of 2011. The .com domain is the most popular domain on the Internet, representing about 45% of the Internet's 220 million registered domain names.
But only a few e-commerce companies have upgraded their Web sites to support this security standard. One DNSSEC pioneer is PayPal, which announced in December that it is signing all of its domains.
Verisign estimates that there are only 5,500 signed .com names and 2,000 signed .net names out of a total pool of 112 million registered .com and .net names. That means only .006% of all .com and .net names have adopted DNSSEC as of January 2012.
Another key component for widespread DNSSEC deployment is adoption by domain name registrars. For example, GoDaddy said last March that it could support DNSSEC for the 51 million domain names that it manages.
"As of January 1, 2012, there were 41 ICANN-accredited registrars that had enabled DNSSEC for at least one of the .com or .net domains they are responsible for," Larson said, adding that Verisign offers free signing services to its registrars to encourage them to adopt DNSSEC.
All of this means that the necessary Internet infrastructure pieces are in place for most U.S. companies to adopt DNSSEC -- but they haven't deployed it yet.