So another milestone was reached today, the “.com” domain finally got signed with the DNS Security Extensions (DNSSEC) and can now offer secure, authenticated responses. “Whoopee!” you might be thinking, but for the people who help make the Internet work this is a big deal as it adds 100% trust to the largest Internet domain on the planet (well, 100% trust for signed .com sub-domains anyway).
Unfortunately it seems very quiet out there, with very few announcements about this. Even Twitter is not that busy with the news.
Yesterday, a survey was published that canvassed “corporate IT security experts” which resulted in some quite interesting findings, such as:
1) 50 percent of respondents have never heard of DNSSEC or don’t understand it clearly.
2) Of those who are familiar with DNSSEC, a vast majority correctly identified the key benefits for the technology. When asked, “What is the purpose of DNSSEC,” the number one answer was to, “Prevent cache-poisoning attacks at recursive nameservers (e.g. your ISP).”
3) Of those surveyed, only one percent acknowledged their organization has experienced losses to date due to cache poisoning attacks.
4) The majority of respondents believe it will take two to five years for DNSSEC to become widely adopted in their industry, and all believe that adoption is inevitable.
5) Only five percent of those polled said their organization has already implemented DNSSEC for their domains, while an additional 16 percent plan to implement it.
6) According to those surveyed, the two biggest overall obstacles to DNSSEC adoption today are Internet Service Provider deployment of DNSSEC resolvers and DNSSEC-aware client applications like browsers and email.
7) When asked about the biggest roadblock to individual DNSSEC adoption, the number one answer was, “Not enough vendors offering services to implement it.”
8) That said, many respondents plan to implement it themselves. In response to “Who would you choose to provide a DNSSEC PUBLISHING (authoritative records and key management)” and “Who would you expect to be able to provide a DNSSEC resolving (running recursive nameservers my employees use) implementation for your organization?,” a preponderance of respondents answered, “My own internal IT staff.”
This just goes to show that DNSSEC has got some way to go yet before it’ll be in widespread use. Seems like people are just shrugging their shoulders.
I think one of the problems is the sheer complexity of it – you can tell it has been invented by geeks by the numerous different parameters involved.
I don’t think people really care what hash algorithms are used, how many bits are used in the keys or what key rollover schemes are used, they just want a big fat button that says “Just do it!” 🙂
More info here: