One sign that DNSSEC adoption is inevitable for ISPs and enterprises is that the emerging security standard is required for the hundreds of new top-level domains that are being considered by the Internet Corporation for Assigned Names and Numbers (ICANN).
"DNSSEC is the new minimum that's expected for domain name registrars," Larson says, adding that Verisign will start cryptographically signing the .cc and .tv domains in 2012.
ISPs and enterprises that choose not to adopt DNSSEC in 2012 will remain vulnerable to Kaminsky-style attacks, cybersecurity experts warn.
"To some extent, this has been an issue of: Why should we sign if no one can validate the signatures?" Livingood says. "Now that almost 20 million households can validate, it starts to change that calculus."