Dot-com domains still lack DNSSEC security

The new security extensions for DNS were enabled on the .com domain, but none of the 100 most popular sites has upgraded

It's been over two weeks since the DNS Security Extensions (DNSSEC) system was turned on for .com domain names. This is an end stage for a process that will one day let surfers be 100 percent confident they're accessing the site they think they are, and have not been diverted by hackers.

In those two weeks, various network engineers have probably been working like crazy to add the necessary DNSSEC extensions to their domain names...right? After all, it's not as if DNSSEC has come out of nowhere. It's been in discussion since the last century, with VeriSign indicating early in 2009 that it would switch .com by 2011.

Care to guess how many of the .com domains within the Top 100 most popular Website list, as mentioned in a BBC News article last year, are currently making use of DNSSEC for their .com domains?


Actually, that's not quite true. The domain doesn't use DNSSEC but does, and that's what most of us visit. So, well done Mozilla! And boo shucks to virtually every other online business at the moment. (And an additional shout-out for network infrastructure company Infoblox, which alerted me to the fact that DNSSEC take-up hasn't exactly been a gold rush, pointing out they were among the first 200 .coms to make the move.)

How about the top 10 U.S. banks, including Bank of America, JP Morgan Chase, Citigroup, Wachovia? After all, it's with online banking that DNSSEC is really needed.

Not one is yet secured with DNSSEC, as far as I can tell.

You can test DNSSEC usage for yourself using the DNSSEC Validator extension in Mozilla Firefox. (Search the add-ons gallery to find it.) This will display a key symbol alongside the Website address whenever you access a domain that has been signed via DNSSEC. Ideally the key should be green, but it will probably be orange because very few of the DNS resolvers used by ISPs have themselves been upgraded to DNSSEC, so they can't yet conclusively prove that sites are genuine.

Alternatively you can visit VeriSign Labs' DNSSEC debugger and search. Or, if you're using Linux or a Mac, open a terminal window and use the dig +dnssec command, followed by the domain; to check, for example, you'd type dig +dnssec Look for an RRSIG line in the results. If it's not there, DNSSEC hasn't been added to that domain. (Windows users can download the dig tool to use at the command line.)

Beware that the public DNS services offered by Google and OpenDNS both appear to strip out the DNSSEC components of DNS records at the present time, which isn't entirely helpful if DNSSEC is to become mainstream.
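The RRSIG check described above, plus the resolver caveats, as an added example that is not part of the original article: a small Python parser for dig +dnssec output that reports whether a domain is unsigned, signed but not validated by the resolver (the "orange key" case), or validated (the "ad" flag is set). The dig output is constructed here for example.com and is not captured from any real domain.

```python
import re

# Constructed dig +dnssec output, not captured from any real domain. The answer
# carries an RRSIG (zone is signed) and the header carries "ad" (resolver validated).
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tRRSIG\tA 8 2 3600 20110301000000 20110201000000 4242 example.com. ZmFrZXNpZw==
"""
# Constructed response with no RRSIG at all, even though DNSSEC records were requested.
UNSIGNED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
"""

def parse_dig(output):
    """Return (header_flags, do_bit_requested, rrsig_count) for one dig response."""
    flags, do_set, rrsigs, in_answer = set(), False, 0, False
    for line in output.splitlines():
        m = re.match(r";; flags:([^;]*);", line)          # header flag line
        if m:
            flags = set(m.group(1).split())
            continue
        m = re.match(r"; EDNS: .*flags:([^;]*);", line)   # EDNS line carries the DO bit
        if m:
            do_set = "do" in m.group(1).split()
            continue
        if line.startswith(";; ") and "SECTION:" in line:  # section header
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        fields = line.split()                              # name ttl class type rdata...
        if in_answer and len(fields) >= 4 and fields[3] == "RRSIG":
            rrsigs += 1
    return flags, do_set, rrsigs

def dnssec_status(output):
    flags, do_set, rrsigs = parse_dig(output)
    if rrsigs == 0:
        # No signature in the answer: either the zone is unsigned or, if we asked
        # for DNSSEC records (DO bit), a resolver on the path stripped them out.
        return "unsigned-or-stripped" if do_set else "unsigned"
    # "ad" means the resolver validated the chain of trust; without it the zone is
    # signed but nothing has been proven to this client yet (the orange-key case).
    return "validated" if "ad" in flags else "signed-unvalidated"
```

Note that the "ad" flag is only as trustworthy as the path between you and the resolver, so a green result from a validating resolver on the far side of an untrusted network still proves less than local validation would.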

Admittedly, adding DNSSEC to some domains is not trivial. Consider Google, for example, which uses astonishingly sophisticated load-balancing to ensure everybody worldwide can always get a speedy response. However, as mentioned, DNSSEC isn't a bolt out of the blue. There's been time to put a plan in place.

In a statement, Google told me that they "think that DNSSEC is important," and that they're actively looking into it, but declined to give details of when, how, or even if it will happen.

Ultimately, upgrading to DNSSEC is a series of chicken-and-egg situations. Nobody in the chain, from end-user to Website operators, is compelled to make any changes right now.

For example, I run a handful of Websites but the hosting service I use doesn't yet offer DNSSEC, so I can't upgrade even if I wanted to. The hosting service probably won't offer DNSSEC until people like me start demanding it.

Even once it's available, I'll have to think hard about implementing DNSSEC because it'll add a small but significant cost to running a Website, not to mention complexity. However, the cost could be folded into domain registration fees, removing this cost for all but the bottom-dollar registrars.

Upgrading my domains to DNSSEC at the moment is an academic exercise, because very few DNS resolvers offered by ISPs around the world support DNSSEC. In other words, I can make the switch but it would make no difference to visitors. So, why should I?

It's hard to figure out who can break this status quo. It almost certainly won't be a grassroots effort; end users might question why they need DNSSEC. Doesn't HTTPS already do that job? (Answer: Yes, but the system is falling apart at the seams.)

Ultimately, it's down to the big tech companies to show the way forward and to make a fuss about doing so, so that we'll all follow suit. Because of this, the coming year is undoubtedly going to prove whether DNSSEC is little more than a clever idea.
