Reasons to Deploy DNSSEC

Article Recently Posted on Dnssec.net

Mark Beckett is VP Marketing at Secure64 Software Corporation, a company that develops appliances for automating the implementation and management of domain name system security extensions (DNSSEC).

(Date added: August, 2008)

To those individuals that have been involved in the effort to secure the DNS since its inception, reviewing its progress to date can be depressing. Ten years, numerous RFCs and thousands of man-years later, what do we have to show for it? Minuscule adoption across the globe.

To some, this is a dismal failure. I disagree. I think we are right on track.

DNSSEC is no different than any other technology exhibiting a network effect, that is, a technology whose value increases with the number of organizations that adopt it. Think telephones, fax machines, and the Internet itself. What do we know about the adoption of these technologies?

  • Adoption over time follows an S curve in which it takes a long time to reach very small penetration, but once a certain critical mass point is reached, adoption accelerates rapidly, ultimately reaching almost 100%.
  • It can take many years to get to critical mass, but the amount of time to get there is not a reliable indicator of the technology's ultimate success.
  • Adoption initially occurs in smaller communities that can derive benefit from the technology. These small communities provide the catalyst to reach the critical mass point.
  • The lower the cost of adoption, the faster we get to critical mass.

We are now at the point where individual communities can deploy DNSSEC at a reasonable cost, derive significant benefits, and start to propel us towards that critical mass point. Here is why:

  • Awareness of DNS security issues is at an all time high. The recent DNS vulnerability disclosure and subsequent worldwide patching effort has emphasized just how critical the DNS infrastructure is. And the patch is advertised as a stopgap measure until we get DNSSEC in place.
  • Validating caching server deployment costs are down. Thanks to the recent DNS patching effort, we are now running DNSSEC-ready caching servers in virtually every one of the world's major ISPs and enterprises. The only remaining caching-side costs involve turning DNSSEC on (a one-line configuration change) and seeding it with at least one trust anchor. So far, neither the administrative overhead of managing a single trust anchor nor the computational overhead of DNSSEC validation has proven to be a significant hurdle to overcome.
  • Zone signing costs are down. Commercial products are now available that automate key management, key rollover and zone signing, greatly decreasing the cost and risk associated with manual key management and zone signing. This makes it possible for organizations to deploy DNSSEC in days or weeks rather than months or years.
  • Privacy concerns due to zone walking are addressed. NSEC3 is now an RFC (5155) and is supported by both open source tools and commercial products.
  • We don't need to wait for the root to be signed. A single ccTLD trust anchor is all that is required to secure many of the DNS transactions that occur within a country (the U.S. being the single exception to this rule). Similarly, a large enterprise can deploy its own trust anchor to its caching servers in order to fully secure its internal DNS.
  • Momentum is building. DNSSEC is already deployed within Sweden, Brazil, Bulgaria and Puerto Rico. This list of ccTLDs will undoubtedly grow as the next wave of adopters moves from test systems to production. In fact, 85% of ccTLD registries surveyed in October 2007 planned to deploy DNSSEC, and 45% of these planned to deploy within two years.
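As an added illustration of the NSEC3 point above (this is not code from the article or from Secure64), here is the RFC 5155 owner-name hash written with Python's standard library: an NSEC3 chain is ordered by these hashes, so following "next hashed owner" pointers yields hashes rather than the real names an NSEC chain reveals. The zone name, salt and iteration count in the constructed sample are those of RFC 5155 Appendix A, so the printed labels can be compared with the NSEC3 RRs listed there.

```python
"""NSEC3 hashed owner names (RFC 5155, section 5) using only the stdlib."""
import base64
import hashlib

# RFC 4648 base32 vs. "extended hex" base32 alphabets; NSEC3 uses the latter.
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32, _B32HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # root label terminates the name


def base32hex(data: bytes) -> str:
    """Base32hex without padding, lowercase as it appears in zone files."""
    encoded = base64.b32encode(data).decode("ascii")
    return encoded.translate(_TO_B32HEX).rstrip("=").lower()


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(0) = SHA1(wire(name) || salt); IH(k) = SHA1(IH(k-1) || salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)  # "-" = no salt
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names, salt_hex: str, iterations: int):
    """Order of the NSEC3 chain as (hashed label, original name), sorted by hash.

    Each NSEC3 RR's 'next hashed owner' field points along this order, so an
    enumeration of the chain exposes hashes, not the zone's owner names."""
    return sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)


if __name__ == "__main__":
    # Constructed sample: zone, salt and iterations from RFC 5155 Appendix A.
    sample = ["example", "a.example", "ai.example", "ns1.example"]
    for hashed, owner in nsec3_chain(sample, "aabbccdd", 12):
        print(hashed, "<-", owner)
```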

Does this mean that we are done? Of course not. Yes, we want the root to be signed. Yes, we want end-to-end security. Yes, we want more automated ways to maintain chains of trust. But with these recent developments, real progress can now be made. These early successes will lead to more adoption, ultimately propelling us to that point of critical mass and beyond, where everyone connected to the Internet enjoys the trust that DNSSEC can provide.

Source: dnssec.net

About Secure64 Software Corporation
Secure64® is a software developer providing highly secure DNS and server applications with built-in denial-of-service protection features to help ensure your Internet-dependent business is always accessible. Based on the genuinely secure SourceT® microOS, Secure64 DNS remains highly available during network attacks and is immune to compromise from rootkits and malware.