The Challenges of Deploying DNSSEC
Why Is DNSSEC Adoption So Low?
DNS Security Extensions (DNSSEC) are a proven security measure to defend against DNS hijacking, yet surprisingly few organizations have deployed it. Those that have deployed often fail to ensure it’s actually working on the domains they believe to be covered.
Poor enterprise DNSSEC adoption is a serious concern to Internet security experts. Confusion, complexity, and incompatibility are likely barriers to organizations adopting comprehensive DNSSEC deployment policies. DNSSEC was developed in the 1990s yet much of the internet infrastructure does not support it. Fewer than 20% of all DNS services support DNSSEC.
A paltry 3% of the Fortune 1000 have protected their principal corporate website domains with DNSSEC. And when it’s nominally deployed, it often doesn’t work: More than 30% of secured domains are misconfigured, according to APNIC. The reason for anemic adoption rates may be that expediency has won out over security.
DNSSEC requires compatible connections between domain registrars, DNS services, and the domain registry. Organizations tend to use multiple DNS services and registrars, not all of which support DNSSEC, which makes consistent deployment across their domains difficult. When considering the effort of consolidating DNS services to a single, DNSSEC-compatible provider, organizations will often choose the least-resource-intensive path. A DNS consolidation project may be viewed as a tangible cost set against the hypothetical risk of DNS compromise.
DNS hijacking incidents in many forms, e.g. DNS spoofing and man-in-the-middle attacks, are on an alarming rise, prompting global security alerts from the U.S. Department of Homeland Security and others. With DNSSEC high on the list of expert recommendations to defend against the DNS attack threat, organizations need to seriously rethink their reluctance to deploy.
Companies that collect large amounts of sensitive data should make DNSSEC mandatory. Organizations in finance, e-commerce, social networking, and IT are the most frequent targets of attacks, such as hijacking and cache poisoning. In these industries, the negative consequences of DNS compromise include privacy breaches and financial loss to end users and customers.
Barriers to Adoption
For many organizations, DNSSEC is simply not well understood. That’s due in part to its inter-reliance on a complex chain of trust. The chain involves four parties:
- Domain owner or registrant (the brand)
- Domain registrar (company from whom the domain was purchased)
- DNS service provider
- Domain registry (such as Verisign, the registry that manages all .com domains)
Managing the chain of trust across four levels is all the more challenging given that most organizations have more than one registrar and dozens of DNS services. With so many players on the board, it’s easy to see why DNSSEC tests often fail in organizations that believe they’ve implemented it correctly. When brand organizations are stalled in adopting DNSSEC, the barriers can be both internal and external.
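The failure mode described above (a domain the organization believes is signed but that does not actually validate) is easy to check, and the check is cheap enough to run across an entire domain inventory. The example below is added here and is not code from the original article; it classifies a domain's DNSSEC state from the text that `dig +dnssec` prints for an A query and a DS query sent to a validating resolver. The three outcomes it distinguishes map onto the chain of trust: a DS record at the parent (registry, via the registrar), signatures in the zone (DNS service provider), and the AD flag from the resolver meaning validation succeeded end to end. The `dig` outputs embedded here are constructed sample text and `example.test` is a placeholder domain; nothing is fetched from the network.

```python
"""Classify a domain's DNSSEC state from `dig +dnssec` text output (offline)."""
import re
from dataclasses import dataclass

# Header and flags lines as printed by dig, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11111"
# ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+);", re.MULTILINE)


@dataclass
class DnssecStatus:
    status: str      # RCODE reported by the resolver (NOERROR, SERVFAIL, ...)
    ad_flag: bool    # Authenticated Data: resolver validated the whole chain
    has_rrsig: bool  # zone returned signatures for the answer
    has_ds: bool     # parent zone publishes a DS record (registry-side link)
    verdict: str     # validated | broken | partial | unsigned


def parse_status(dig_text: str) -> str:
    m = STATUS_RE.search(dig_text)
    return m.group(1) if m else "UNKNOWN"


def parse_flags(dig_text: str) -> set:
    m = FLAGS_RE.search(dig_text)
    return set(m.group(1).split()) if m else set()


def answer_types(dig_text: str) -> list:
    """Return the record types listed in the ANSWER SECTION of dig output."""
    types, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break  # end of the section
            parts = line.split()  # name ttl class type rdata...
            if len(parts) >= 4:
                types.append(parts[3])
    return types


def assess(a_query_output: str, ds_query_output: str) -> DnssecStatus:
    """Combine an A query and a DS query (both from a validating resolver)."""
    status = parse_status(a_query_output)
    ad = "ad" in parse_flags(a_query_output)
    rrsig = "RRSIG" in answer_types(a_query_output)
    ds = "DS" in answer_types(ds_query_output)
    if ad and rrsig and ds:
        verdict = "validated"          # full chain of trust works
    elif ds and (status == "SERVFAIL" or not ad):
        verdict = "broken"             # DS published but validation fails: resolvers drop the domain
    elif rrsig and not ds:
        verdict = "partial"            # zone signed, but no DS at the parent, so nobody can validate it
    else:
        verdict = "unsigned"
    return DnssecStatus(status, ad, rrsig, ds, verdict)


# Constructed sample outputs (placeholder domain, fake signature data).
VALIDATED_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test. 300 IN A 192.0.2.10
example.test. 300 IN RRSIG A 13 2 300 20300101000000 20290101000000 12345 example.test. cONsTrUcTeD==
"""
BROKEN_A = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
UNSIGNED_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33333
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test. 300 IN A 192.0.2.10
"""
DS_PRESENT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44444
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test. 3600 IN DS 12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""
DS_ABSENT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55555
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for label, a_out, ds_out in [("validated", VALIDATED_A, DS_PRESENT),
                                 ("broken", BROKEN_A, DS_PRESENT),
                                 ("unsigned", UNSIGNED_A, DS_ABSENT)]:
        print(label, assess(a_out, ds_out))
```

To use it against a real inventory, capture `dig +dnssec <domain> A` and `dig +dnssec <domain> DS` from a resolver known to validate and feed both strings to `assess`; a "broken" verdict is the case the article warns about, since validating resolvers return SERVFAIL for such a domain and users simply cannot reach it.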
DNS security vulnerabilities are common because companies often lack the required staff expertise to effectively secure their DNS.
Correct DNSSEC implementation demands a huge input of time and staff resources owing to the manual administrative steps required. Every domain protected by DNSSEC requires a digital signing key that changes annually. When companies have hundreds (or thousands) of domains hosted on multiple vendor platforms, updating keys and performing other critical maintenance requires significant effort. Real-world budget and staff limitations can place onerous demands on teams engaged in the detailed processes DNSSEC deployment requires. Because the DNS is so hard to manage, security often suffers.
Most companies use multiple DNS providers, and many of those providers present barriers to DNSSEC adoption. Amazon’s AWS Route 53, for example, is a market-leading DNS service that doesn’t support DNSSEC. Organizations that are serious about DNSSEC have no choice but to consolidate registrars and DNS services to compatible vendors.
The internet chain of trust puts customers’ online sessions with companies at the mercy of DNS services and routes, SSL certificate authorities, domain registrars, and ISPs – even before hitting an organization’s digital network. DNSSEC goes a long way to assuring chain of trust integrity.