DNSSEC Adoption is Slow for Government Agencies

Even though more than two years have passed since federal government agencies were required to support DNS Security Extensions (DNSSEC) on their web sites, only 57 percent of agencies have met these requirements. In other words, about 40 percent of federal agencies have not secured their domains to protect users from domain name hijacking and cache poisoning attacks.

As this Network World article explains, DNSSEC solves a fundamental flaw in the DNS that makes it possible for hackers to launch cache poisoning attacks, in which user connections are hijacked and traffic is redirected from a legitimate website to a spoofed one. DNSSEC prevents these cache poisoning attacks by using digital signatures and public-key cryptography, so that resolvers can verify that the records mapping a web site's domain name to its IP addresses are authentic, ensuring that visitors are viewing a legitimate site and not a fake one. DNSSEC protects users from pharming, cache poisoning, and DNS hijacking.

It’s up to individual federal Web sites to deploy DNSSEC in order to secure the government’s web traffic. Under an Office of Management and Budget mandate issued in August 2008, federal agencies were required to support DNSSEC on their websites, with a compliance deadline of December 31, 2009. But it hasn’t happened.

A study conducted on March 11 by the National Institute of Standards and Technology (NIST) estimated that 59 percent of federal agencies are running DNSSEC on their Web sites. The NIST study of 1,595 Web sites shows that of the other 41 percent of federal agencies, 7 percent appear to be in the process of deploying DNSSEC.

We conducted a similar study on March 2 that showed only 57 percent of the 359 federal government websites tested had deployed DNSSEC. Of these agencies, 78 percent have established the chains of trust necessary to validate the signatures. Although our findings indicate marginal improvement (a year ago, a study of the same 359 agencies found that a full half of federal Web sites hadn’t deployed DNSSEC), progress is slow:

DNSSEC is “not on anyone’s radar screen,” says Ray Bjorklund, Chief Knowledge Officer at Deltek, a federal IT market research firm. “I don’t know whether it’s inattention by the government, or the government generally believes that it has enough other security measures in effect that this is not going to cause a problem,” he says. “But federal CIOs need to understand that government sites can be hijacked. If agencies aren’t paying attention to this, they should.”

The Treasury Department and its subsidiaries, including the Internal Revenue Service, have made notable progress over the past year. While the Department of Homeland Security and the White House have deployed DNSSEC, the Defense Department and the CIA appear not to have adopted the security measure yet. For the most part, the majority of cabinet-level departments are cryptographically signed, but some smaller sub-agencies are not.

As this article from SecurityWatch points out, in order to be fully effective, DNSSEC needs to be deployed on all the domains and subdomains. Because the DNS root zone and the .gov domain are cryptographically signed, agencies have to deploy DNSSEC for individual federal Websites in order to provide end-to-end security for the government’s Web traffic.
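The chain of trust described above (root, then .gov, then each agency zone) is what separates "signed" from "validatable" in the figures given earlier: a zone can publish DNSKEY records and still fail to be validated if its parent never publishes a matching DS record. The following script, an added example that is not part of this post and not part of any product it mentions, models that walk offline. The zone tree, key bytes and zone names (signed.gov, island.gov, unsigned.gov, stale.gov) are all constructed for illustration; the DS digest and key tag computations follow RFC 4034 and RFC 4509, but RRSIG signature verification is deliberately out of scope.

```python
"""Toy DNSSEC chain-of-trust walker (standard library only, runs offline).

Constructed zone tree: root -> gov -> several hypothetical agency zones.
For each zone we check whether one of its DNSKEYs is linked to the parent
through a matching DS record, which is how a validating resolver extends
trust from its configured anchor down to an agency's zone. Signature
(RRSIG) checking is not modelled; only the DS linkage is.
"""
import hashlib
import struct

# ---- wire-format helpers (RFC 4034 / RFC 4509) -----------------------------

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.strip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; a DS or RRSIG names a DNSKEY by this tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_record(child: str, rdata: bytes) -> tuple:
    """The (key tag, digest) pair a parent publishes for a child's key."""
    return (key_tag(rdata), ds_digest(child, rdata))

# ---- constructed zone tree (hypothetical names, stand-in key bytes) ----------

def make_key(seed: str) -> bytes:
    """Stand-in KSK (flags 257 = SEP bit set, algorithm 8); real zones use RSA/ECDSA keys."""
    return dnskey_rdata(257, 8, hashlib.sha256(seed.encode()).digest())

ZONES = {
    ".":            {"dnskey": [make_key("root-ksk")]},
    "gov":          {"dnskey": [make_key("gov-ksk")]},
    "signed.gov":   {"dnskey": [make_key("signed-ksk")]},
    "island.gov":   {"dnskey": [make_key("island-ksk")]},     # signed, no DS at parent
    "unsigned.gov": {"dnskey": []},                            # no DNSSEC at all
    "stale.gov":    {"dnskey": [make_key("stale-new-ksk")]},  # key rolled, DS never updated
}
# DS sets each parent publishes for its children: {child: {(key_tag, digest), ...}}
ZONES["."]["ds"] = {"gov": {ds_record("gov", ZONES["gov"]["dnskey"][0])}}
ZONES["gov"]["ds"] = {
    "signed.gov": {ds_record("signed.gov", ZONES["signed.gov"]["dnskey"][0])},
    "stale.gov":  {ds_record("stale.gov", make_key("stale-old-ksk"))},
}
# A resolver is configured with the root key's DS-equivalent as its trust anchor.
TRUST_ANCHOR = ds_record(".", ZONES["."]["dnskey"][0])

def parent_of(zone: str) -> str:
    return ".".join(zone.split(".")[1:]) or "."

def classify(zone: str) -> str:
    """secure | unsigned | no-chain-of-trust | bogus, walking up to the root."""
    keys = ZONES[zone]["dnskey"]
    if not keys:
        return "unsigned"
    if zone == ".":
        return "secure" if any(ds_record(".", k) == TRUST_ANCHOR for k in keys) else "bogus"
    parent = parent_of(zone)
    parent_status = classify(parent)
    if parent_status == "bogus":
        return "bogus"
    if parent_status != "secure":
        return "no-chain-of-trust"       # a child cannot be more trusted than its parent
    published = ZONES[parent].get("ds", {}).get(zone)
    if not published:
        return "no-chain-of-trust"       # signed zone with no DS in the parent: an island
    return "secure" if any(ds_record(zone, k) in published for k in keys) else "bogus"

def report() -> dict:
    """Status of every zone in the constructed tree."""
    return {z: classify(z) for z in ZONES}

if __name__ == "__main__":
    for zone, status in report().items():
        print(f"{zone:14} {status}")
```

The "stale.gov" case is the one operators most often hit in practice: the agency rolled its key-signing key but never sent the new DS to the .gov registrar, so a validating resolver rejects the zone outright rather than treating it as unsigned. Monitoring that the DS published by the parent matches a key actually present in the zone is the check worth automating.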

DNSSEC will likely become a more prominent topic this year, as major Internet service providers have committed to adopt voluntary DNSSEC recommendations from the FCC to secure their infrastructure and protect customers. And NIST now requires that federal agencies validate DNSSEC queries in their DNS resolution servers.

DNSSEC is definitely on our radar screen, and has been for a long time. Contact us to learn more about our secure DNS product suite.