How to Simplify DNSSEC Adoption
Any company with an online presence — that is, every organization — is vulnerable to attacks that compromise the DNS. DNS attacks can disable a website, compromise and alienate customers, and hurt the bottom line.
DNSSEC is an important defense measure to mitigate DNS vulnerabilities. Despite increasing attention from cyber-security agencies and IT security operators, enterprise adoption of DNSSEC has been historically low.
The biggest barrier to DNSSEC adoption is the amount of management effort it requires. DNSSEC management is challenged by the consequences of human error. Effective DNSSEC deployment involves a digital chain of trust comprised of domain owners, registries, registrars, and managed DNS service providers. Each player in the chain controls components that must be coordinated for DNSSEC to properly secure the DNS over the lifecycle of a domain. For most IT organizations, this level of human work effort and attention to detail can be daunting.
DNSSEC validation requires looking up every RRSIG and DNSKEY at regular intervals to verify their status. This process is typically manual, unwieldy and ineffective. Companies have either avoided it, resisted it, or implemented it incorrectly. Independent audits confirm that DNSSEC is non-functional in many cases, even in organizations that believe it’s been implemented correctly. Whether DNSSEC is absent or incorrectly configured, the outcome is the same: A company’s web presence, brand reputation, online identity, and customers are open to DNS man-in-the-middle compromises.
Protecting your DNS network does not have to be an overwhelming or unreliable task. DNSSEC management can be repetitively simple once organizations eliminate administrative complexities and risks of human error. Here’s how to make the DNSSEC deployment process simple and easy from initial assessment to complete coverage.
1. Assess Your DNS Security Posture
DNSSEC exists as part of an organization’s overall domain and DNS environment. Having a clear picture of the details is critical. Conduct an APEX-level audit to assess the status of your DNS network. Determine the number and identity of all domain registrars and DNS providers, along with the pass/fail status of DNSSEC, as well as other security measures including: DMARC, SPF, DKIM, and TLS/SSL certificates on all domains and re-direct domains. A thorough audit report is the first essential step in identifying DNS security weaknesses, with a functional status check of DNSSEC across your domain portfolio.
2. Create Policies and Controls
Every domain and its associated DNS zone files require common compliance policies, including rules for DNSSEC. Organizations should codify the policy such that every domain (out of hundreds or thousands) is subject to consistent security standards. Without a systematic approach to managing the chain of trust, domains and the DNS become exposed to errors, omissions and vulnerabilities. Inconsistencies in the use of Start of Authority (SoA), SPF, DMARC, and DNSSEC are gaps in your DNS security posture that malicious parties actively target and exploit.
3. Consolidate to a Single Platform
More companies would use DNSSEC successfully if it were not so complex. The easiest way to expedite adoption is to minimize the parties involved and automate the processes. Rather than relying on multiple domain registrars and DNS providers, consolidate to a single service (plus one backup DNS service) with automation tools that support DNSSEC. In this way, organizations gain a centralized platform for managing DNS security and an ongoing, top-down view of their online security posture. Companies will still need to be proactive about managing DNSSEC. However, the effort becomes vastly easier once the process is consolidated on a single provider.
4. Implement Unified Change Management
Adopting DNSSEC is a major step towards protecting the DNS network, but it’s not a panacea. The DNS is complex and dynamic by nature, requiring regular updates and additions. Zone file edits, TLS certificate updates, and domain status changes happen daily. Any single change made by a permissioned user or nefarious party can open a vulnerability, often without the knowledge of IT administrators. A unified DNS control system with automated, tamperproof change-management capabilities eliminates work effort while locking down DNS security. Bringing all aspects of change management under a single source of truth ensures that errors, omissions, and oversights don’t compromise a critical component of cybersecurity.