How Widespread is DNSSEC?

DNSSEC promises a lot, but just how many domains are actually using it?

By Sean Michael Kerner | Posted Aug 26, 2009
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

In the summer of 2008, the Internet was rocked by the revelation that the Domain Name System (DNS), one of the core infrastructures of the Internet, was vulnerable to attack.

The ultimate solution to the DNS vulnerability is a technology that has been available since at least 2004, called DNSSEC (DNS Security Extensions).

How many domains are actually DNSSEC-secured today? That's a difficult question to answer, but one that InternetNews.com set out to discover. With tens of millions of domains potentially at risk, only a small percentage to date are actually DNSSEC-secured.

At the top level of the Internet, among what are commonly referred to as the gTLD (generic top level domains) of .com, .net and .org, only the .org gTLD has been signed for DNSSEC security.

VeriSign controls .com and .net while the Public Interest Registry (PIR) controls .org. VeriSign did not respond to InternetNews.com's query about the current status of DNSSEC deployment at press time.

On the other hand, the .org domain space was officially signed for DNSSEC in June of this year. However, having the .org gTLD is just the first step. Since June, individual domains have migrated to the platform for a beta test. While there are millions of .org domains, to date only a small number have been signed.

"PIR has signed approximately 25 .org domains with DNSSEC as part of its beta test phase," Lauren Price, senior product marketing manager at PIR told InternetNews.com. "We are manually inserting the DS records into the zone. In addition, we have the contact data for all of the domain owners in our beta test phase. PIR will work closely with each domain holder through every phase of the testing to mitigate risks and capture lessons learned."

Price added that with the phased beta period, the plan is not to sign a large number of domains. The focus is instead on having a reasonably sized set of test domains to provide a quality testing experience.

Network infrastructure vendor Afilias provides the back-end for .org and also has a number of other TLD initiatives underway for DNSSEC.

"We have a DNSSEC test bed running now for the .IN registry (India)," Howard Eland, senior director of resolution services at Afilias, told InternetNews.com. "We also provide secondary DNS for Sweden (.SE), which is a signed zone, as well as secondary DNS for ISC's DLV effort."

Eland declined to provide specific numbers for the .IN and the .SE registries, in terms of how many domains are currently secured today. DLV, the DNSSEC Look-aside Validation technology is another story.

Read the rest at InternetNews.com.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter