Friday, March 30, 2012

Ingredients coming together for global DNSSEC deployment - are you ready?

It's been a year since .com was signed, a major step forward for Internet-wide DNSSEC adoption given that nearly 45% of all Internet domains fall under .com. I was curious how other top-level domains (TLDs) were doing in this regard, so I checked the ICANN Research site for TLD signing statistics. As the following summary table shows, 22.5% of TLDs were signed a year ago, while 29.1% are signed as of today. The number of signed TLDs rose from 69 to 91, a jump of roughly 32%, which is good progress, but there is still a way to go before every domain has a complete chain of trust up to the root zone.
                          March 2011    March 2012
TLDs in the root zone     306           313
TLDs signed               69            91
% TLDs signed             22.5%         29.1%

Another boost to DNSSEC deployment was announced last week in the form of a pending FCC recommendation promoting DNSSEC, with deployment planned by several major ISPs. These ISPs will implement DNSSEC validation on the recursive servers their customers query for DNS resolution. That is, as customers send queries to these recursive servers, the servers will resolve each query and attempt to validate the signatures (RRSIG records) on the responses up the chain of trust to the root trust anchor (or another configured trusted key). Answers that validate are returned to the client with the AD (Authenticated Data) flag set; answers whose signatures fail validation are discarded and the client receives a SERVFAIL instead of forged data.

This ISP deployment of DNSSEC should protect broadband users from website hijacking by DNS cache poisoning and similar attacks, but only if the zones those users are looking up are signed. Two caveats are worth keeping in mind. DNSSEC authenticates the DNS answer (the name-to-address mapping), not the web content served at that address. And a validating ISP resolver protects the path from the authoritative servers to itself; the last mile between the ISP resolver and the customer's machine is protected only if the client validates as well or that link is otherwise secured. With growing TLD adoption of DNSSEC and an expected jump in recursive servers validating queries thanks to this ISP initiative, the way forward is clear if your TLD is signed. All you have to do is sign your Internet zones and provide your registrar with the Delegation Signer (DS) records derived from your zone's key-signing key (KSK), which links you into the DNSSEC chain of trust.
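The DS record you hand to the registrar is not a new key; it is a digest of your DNSKEY record, computed exactly as RFC 4034 section 5.1.4 specifies: hash the owner name in canonical wire form followed by the DNSKEY RDATA, and tag it with the key tag from RFC 4034 appendix B. The following script is an added example written for this post (it is not code from the original article or from BT Diamond IP) that performs that derivation from a DNSKEY in zone-file presentation format. The owner name example.com and the public key bytes are constructed placeholders (a simple byte pattern, not a real ECDSA key); the digest type values 1, 2 and 4 are the SHA-1, SHA-256 and SHA-384 types defined for DS records.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY RR in presentation format (RFC 4034 section 2.2).
# flags 257 = zone key + SEP bit, i.e. a key-signing key; algorithm 13 is
# ECDSAP256SHA256. The key bytes are a placeholder pattern, not a real key.
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(64))).decode("ascii"))

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384. Hand SHA-256 to the
# registrar; SHA-1 is here only so older records can still be reproduced.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the empty root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(rr):
    """Split a presentation-format DNSKEY RR into its parts."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 2.1.2)")
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 appendix B key tag: sum even-indexed bytes shifted left by 8
    and odd-indexed bytes as-is, fold the carry once, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(rr, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY RR,
    per RFC 4034 section 5.1.4: digest(owner name wire form | DNSKEY RDATA)."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(rr)
    if not flags & 0x0100:
        raise ValueError("DNSKEY is not a zone key; no DS should be published")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def ds_presentation(rr, digest_type=2):
    """Format the DS RR the way it would appear in the parent zone."""
    tag, alg, dtype, digest = ds_record(rr, digest_type)
    return "%s IN DS %d %d %d %s" % (rr.split()[0], tag, alg, dtype, digest)


if __name__ == "__main__":
    print(ds_presentation(SAMPLE_DNSKEY))
    print(ds_presentation(SAMPLE_DNSKEY, digest_type=4))
```

Run it and compare the output against what your signer (for example BIND's dnssec-dsfromkey) produces for the same DNSKEY; the key tag and digest must match byte for byte, since the parent will use them to select and verify your KSK. Note that the owner name is lowercased before hashing, so a DS computed for EXAMPLE.COM. is identical to one computed for example.com.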

I believe the hesitancy over DNSSEC implementation is rooted more in the complexity of DNSSEC configuration and the burden of ongoing management (key rollovers and signature refreshes) than in the lack of widescale DNSSEC deployment. In many cases this lack of deployment has been a legitimate barrier to implementation, but that will soon cease to be the case.

As for DNSSEC complexity, BT Diamond IP offers a simple solution for signing your DNS information and maintaining it: the Sapphire Sx20 appliance can be configured with your signing and rollover policies so you can set it and forget it. It will automatically roll keys, refresh signatures, and even update the DS records for your subzones accordingly. The barriers to deploying DNSSEC are dwindling. Will you protect the integrity of your web resources?
