A similar survey conducted weekly by the National Institute of Standards and Technology indicates that only 10 out of more than 1,000 U.S. industry websites have fully deployed DNSSEC. DNSSEC pioneers include Comcast, Data Mountain Solutions, Infoblox, PayPal and Sprint. Another nine websites -- including those operated by Dyncorp, Simon Property Group and Juniper Networks -- demonstrated partial deployment of DNSSEC in the NIST survey.
"The tools and other functions are there to do [DNSSEC]," says Chris Griffiths, director of high-speed Internet engineering at Comcast, which deployed DNSSEC a year ago. "I know that other folks are looking at it. ... In general, people are in the planning stages and at this point they probably need to move that along."
Companies that show no signs of deploying DNSSEC read like a Who's Who of American Industry: Fifth Third Bancorp, Bank of America, Cardinal Health, Charles Schwab, Delta Air Lines, Disney, eBay, Target, WellPoint and Wells Fargo. Even high-tech leaders such as Apple, Cisco, Google, IBM and Symantec haven't deployed DNSSEC yet, the NIST survey shows.
"There are lots of products and services available that make DNSSEC deployment easy. I don't think that's the barrier," Beckett says. "Companies only have so much money to work on security initiatives. This is not the top one that people are focused on."
Universities, which are often at the cutting edge of network technology, are similarly slow at deploying DNSSEC. Of 346 university domains monitored by NIST, only 17 have fully deployed DNSSEC. Leaders include Bucknell University, University of California Berkeley and Indiana University. Laggards include Harvard University, Yale University and Princeton University.
The only sector in the United States that is deploying DNSSEC is the federal government, which is required by law to do so. Federal agencies were under a mandate from the Office of Management and Budget to have supported DNSSEC by Dec. 31, 2009.
Recent surveys show the majority of U.S. federal agencies have met that mandate: