DNSSEC still mystery to many
An Internet technology aimed at making access to websites more secure is a mystery to many corporate IT security experts.
That's what surveyors from Internet Identity (IID), of Tacoma, WA, and the Online Trust Alliance discovered when they polled security pros about domain name system security (DNSSEC), a standard designed to protect Internet users from getting misdirected to unintended Net destinations by ensuring domain names remain unchanged in transit.
Some 50 percent of security experts surveyed between January 17 and March 28 had never heard of DNSSEC or didn't understand it.
“This survey provides key insight into the market’s knowledge (or lack thereof) regarding DNSSEC, and what the future may hold with the security standard,” IID President and CTO Rod Rasmussen said in a statement.
“Perhaps unsurprisingly,” he continued, “about half of all respondents do not have a clear understanding of the technology or its benefits, indicating the industry still has its work cut out. However, those who have familiarity with DNSSEC seem to understand its key benefits and current challenges, which is promising for eventual adoption.”
For DNSSEC to work, it needs to be embraced by the online ecosystem—browser makers, registrars and the business community, maintained Online Trust Alliance Director and President Craig Spiezle.
“We are encouraged by the adoption of leading government sites and look forward to working with industry leaders including IID to develop tools, resources and prescriptive advice to accelerate adoption with leading banking and ecommerce sites,” he added.
The Internet’s root servers at the top of the DNS hierarchy added DNSSEC support last July. More than 25 top-level domains—including .gov, .org, .edu and .net—have enabled DNSSEC since then. On March 31, DNSSEC was enabled on the .com top-level domain (TLD), which has more than 80 million registered names, according to its operator, VeriSign.
Among the champions of DNSSEC is the operator of Europe's TLD, EURid. It is launching a new service in this year's third quarter that will make it easier for registrars to implement the standard. It's also conducting complementary training seminars across Europe to boost the registrars' confidence in working with the system.
That's not to say that DNSSEC doesn't have its detractors. Melih Abdulhayoglu, CEO of Comodo, which issues certificates used by web browsers to authenticate websites, argued that DNSSEC "is a '90s idea that didn't even work in the '90s and is not practical today."
Last year, Comodo submitted to the Internet Engineering Task Force a security scheme called Certification Authority Authorization (CAA), which Abdulhayoglu argues will address some of the problems DNSSEC was created to address.
"The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the certificate signing certificate(s) authorized to issue certificates for that domain," the task force explained in a document posted online March 9. "CAA resource records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate misissue."