"Very few people are in a position where they have a domain that they want to sign and can't," Larson admitted.
Larson added that U.S. businesses are also slow to adopt DNSSEC on their recursive DNS servers, which process DNS lookups for their employees.
"ISPs and enterprises are not validating DNSSEC queries," Larson said. "There's a lack of awareness that we are seeing among ISPs and enterprises that run their own DNS recursive servers...People don't perceive a pressing need."
Comcast Leads DNSSEC Charge
One company that's bucking the trend is Comcast, which said last week that it is providing DNSSEC resolution services to all of its 20 million residential customers in the United States.
"For a year or two, we've been hearing that it's a chicken-and-egg problem with DNSSEC deployment," says Jason Livingood, vice president of Internet Systems with Comcast. "There wasn't an incentive for companies to sign their domain names without eyeball networks having resolvers. We are offering a certain amount of scale in terms of breaking that chicken-and-egg problem and getting some momentum in [DNSSEC]."
Comcast's announcement that it is supporting DNSSEC is "huge," Larson says. "It's very significant because it shows that the biggest ISP in the U.S. can enable DNSSEC and the world didn't end. There's a worry that DNSSEC will bury help desks in issues, but that hasn't happened."
Comcast uses DNS software from Nominum for its DNSSEC services. Comcast said it has been working on its DNSSEC deployment since 2008, when the Kaminsky vulnerability became well known.
Livingood says Comcast's DNSSEC upgrade wasn't that expensive but required engineering time for software upgrades and testing. He says Comcast deployed DNSSEC at the same time as it was upgrading its DNS infrastructure to support IPv6, the next generation of the Internet Protocol.
"We significantly upgraded the entire DNS infrastructure over the past two years -- hardware, software and network connectivity -- both to handle DNSSEC and generally speaking larger packet sizes as well as IPv6," Livingood says. "We deployed very, very carefully because we are such a large and high-volume DNS platform. Even a small increase in query response time could result in our customers feeling like the Internet was slow."