Any company with an online presence — that is, every organization — is vulnerable to attacks that compromise the DNS. DNS attacks can disable a website, compromise and alienate customers, and hurt the bottom line.
DNSSEC is an important defense measure to mitigate DNS vulnerabilities. Despite increasing attention from cyber-security agencies and IT security operators, enterprise adoption of DNSSEC has been historically low.
The biggest barrier to DNSSEC adoption is the amount of management effort it requires, and the consequences of human error make that management harder. Effective DNSSEC deployment involves a digital chain of trust made up of domain owners, registries, registrars, and managed DNS service providers. Each player in the chain controls components that must be coordinated for DNSSEC to properly secure the DNS over the lifecycle of a domain. For most IT organizations, this level of manual effort and attention to detail can be daunting.
DNSSEC validation requires looking up every RRSIG and DNSKEY at regular intervals to verify their status. This process is typically manual, unwieldy and ineffective. Companies have either avoided it, resisted it, or implemented it incorrectly. Independent audits confirm that DNSSEC is non-functional in many cases, even in organizations that believe it’s been implemented correctly. Whether DNSSEC is absent or incorrectly configured, the outcome is the same: A company’s web presence, brand reputation, online identity, and customers are open to DNS man-in-the-middle compromises.
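The recurring RRSIG and DNSKEY check described above can be scripted. The following is an added example, not code from the original page: it audits each RRSIG's validity window and confirms its key tag matches a published DNSKEY (key tag computed per RFC 4034 Appendix B), without verifying the signature cryptographically. The records, the `example.com` zone, and the function names `key_tag` and `audit` are constructed for illustration.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample records in zone-file presentation format (example.com is a placeholder).
SAMPLE = """\
example.com. 3600 IN DNSKEY 257 3 13 {key}
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240701000000 20240601000000 1038 example.com. c2ln
example.com. 300 IN RRSIG A 13 2 300 20240612000000 20240601000000 1038 example.com. c2ln
example.com. 300 IN RRSIG MX 13 2 300 20240701000000 20240601000000 4242 example.com. c2ln
""".format(key="A" * 86 + "==")  # all-zero 64-byte key, obviously not a real key

def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def _ts(stamp):
    # RRSIG timestamps in presentation format are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit(zone_text, now, warn=timedelta(days=7)):
    """Return [(type_covered, key_tag, status)] for every RRSIG in zone_text."""
    rows = [line.split() for line in zone_text.splitlines() if line.strip()]
    published = {key_tag(int(r[4]), int(r[5]), int(r[6]), "".join(r[7:]))
                 for r in rows if r[3] == "DNSKEY"}
    findings = []
    for r in (r for r in rows if r[3] == "RRSIG"):
        covered, expires, incepts, tag = r[4], _ts(r[8]), _ts(r[9]), int(r[10])
        if tag not in published:
            status = "no matching DNSKEY"  # signing key was rolled or removed
        elif now < incepts:
            status = "not yet valid"
        elif now >= expires:
            status = "expired"
        elif expires - now <= warn:
            status = "expiring soon"
        else:
            status = "ok"
        findings.append((covered, tag, status))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE, datetime(2024, 6, 10, tzinfo=timezone.utc)):
        print(row)
```

In practice the input would come from querying the zone's authoritative servers with the DNSSEC OK bit set, and the check would run on a schedule so that "expiring soon" raises an alert before resolvers start rejecting answers.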
Protecting your DNS network does not have to be an overwhelming or unreliable task. DNSSEC management can be simple and repeatable once organizations eliminate administrative complexities and risks of human error.