
SANS Security Trend Line

Waiting for {signed lookup of}

Back in the mid-1990s I worked at Trusted Information Systems in the commercial firewall side of the house. The government research side was doing DARPA work on "Integrated DNSSEC" - a more secure way of doing DNS lookups.

Flash forward to 2008: Dan Kaminsky exposes a fundamental flaw in the DNS protocol that enables cache poisoning, and attacks ensue. By 2010 things were looking positive for DNSSEC, the only real way to stop those attacks. The government was mandating DNSSEC use for the .gov/.mil domains, VeriSign was signing the .net and .com domains, etc.

In 2010 at Gartner, Lawrence Orans and I made a prediction: "By 2014, 30% of all DNS lookups will be signed with DNSSEC." Hmmm, with about 9 months left until 2014, where are we?

Well, Google just announced that their public DNS service fully supports DNSSEC validation, which sounds positive. But Google also quoted some of their own statistics:

Currently Google Public DNS is serving more than 130 billion DNS queries on average (peaking at 150 billion) from more than 70 million unique IP addresses each day. However, only 7% of queries from the client side are DNSSEC-enabled (about 3% requesting validation and 4% requesting DNSSEC data but no validation) and about 1% of DNS responses from the name server side are signed.

Eek - at best Lawrence and I could claim the 7% number, but the 1% signed DNS response figure is probably more realistic. A long way from 30%. But maybe Google is just a nattering nabob of negativism - let's check the weekly NIST survey:

Oops - commercial domains seem to be running about 1%. Well, at least .gov has made some progress - up to almost 80%. Now, if only the federal government would worry less about new regulations and think more about using its buying power to require its suppliers to take simple security improvement steps like moving to DNSSEC...

So, the bottom line is that the prediction is very likely going to be proven very wrong. Why? I think it is mostly the "squirrel" syndrome, as attention shifted to high profile advanced targeted attacks and way, way too much focus on the who (China!) and not the how.

Here's something to look into: how much is your organization spending on Extended Verification SSL certificates? If you went back to regular certs from the lowest cost provider, how much of the cost of moving to DNSSEC would that cover? Doing that tradeoff might show you a very low-cost way of making a meaningful increase in security.
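To see where your own resolvers stand against the Google figures quoted above, the same client-side breakdown (queries asking for DNSSEC data via the EDNS0 DO bit, split by whether the CD flag leaves validation to the resolver) can be reproduced from captured queries. This is an added example, not code from the original post or from Google; the packets it inspects are constructed inline, and the `build_query` helper and category names are my own.

```python
import struct

# Constructed example: classify DNS queries by EDNS0 DO bit (asks for DNSSEC records)
# and CD flag (client validates itself), the two categories behind Google's figures.

def _skip_name(buf, off):
    """Return the offset just past a wire-format name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_query(pkt):
    """'plain', 'validation' (DO set, CD clear) or 'data-only' (DO and CD set)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    cd = bool(flags & 0x0010)              # Checking Disabled: client validates itself
    off = 12
    for _ in range(qd):                    # question section: name + QTYPE + QCLASS
        off = _skip_name(pkt, off) + 4
    do = False
    for i in range(an + ns + ar):          # remaining RRs; OPT (type 41) carries DO
        off = _skip_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if i >= an + ns and rtype == 41:
            do = bool(ttl & 0x8000)        # DO is the top bit of the OPT "TTL" field
        off += 10 + rdlen
    if not do:
        return "plain"
    return "data-only" if cd else "validation"

def build_query(qname, do=False, cd=False):
    """Constructed A query for qname, optionally with EDNS0 DO and/or CD set."""
    flags = 0x0100 | (0x0010 if cd else 0)                     # RD, optional CD
    pkt = struct.pack("!6H", 0x1234, flags, 1, 0, 0, int(do))
    for label in qname.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode()
    pkt += b"\x00" + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    if do:   # OPT RR: root name, type 41, UDP size 4096, DO bit, empty RDATA
        pkt += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)
    return pkt

def summarize(pkts):
    """Percentage of queries per category, as in the statistics quoted above."""
    counts = {"plain": 0, "validation": 0, "data-only": 0}
    for p in pkts:
        counts[classify_query(p)] += 1
    return {k: round(100 * v / max(len(pkts), 1), 1) for k, v in counts.items()}
```

Feed `summarize` the raw UDP payloads of inbound queries from a capture on your recursive resolver to get the same three-way split Google reports.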
