Dot-com domains still lack DNSSEC security
- 14 April, 2011 09:13
It's been over two weeks since the DNS Security Extensions (DNSSEC) system was turned on for .com domain names. This is an end stage for a process that will one day let surfers be 100 percent confident they're accessing the site they think they are, and have not been diverted by hackers.
In those two weeks, various network engineers have probably been working like crazy to add the necessary DNSSEC extensions to their domain names...right? After all, it's not as if DNSSEC has come out of nowhere. It's been in discussion since the last century, with VeriSign indicating early in 2009 that it would switch .com by 2011.
Care to guess how many of the .com domains within the Top 100 most popular Website list, as mentioned in a BBC News article last year, are currently making use of DNSSEC for their .com domains?
Actually, that's not quite true. The Mozilla.com domain doesn't use DNSSEC but Mozilla.org does, and that's what most of us visit. So, well done Mozilla! And boo shucks to virtually every other online business at the moment. (And an additional shout-out for network infrastructure company Infoblox, which alerted me to the fact that DNSSEC take-up hasn't exactly been a gold rush, pointing out they were among the first 200 .coms to make the move.)
How about the top 10 U.S. banks, including Bank of America, JP Morgan Chase, Citigroup, Wachovia? After all, it's with online banking that DNSSEC is really needed.
Not one is yet secured with DNSSEC, as far as I can tell.
You can test DNSSEC usage for yourself using the DNSSEC Validator extension in Mozilla Firefox. (Search the add-ons gallery to find it.) This will display a key symbol alongside the Website address, should you access any domain that's been signed via DNSSEC. Ideally the padlock should be green but it'll probably be orange because very few DNS resolvers used by ISPs are themselves upgraded to DNSSEC, and therefore can't yet conclusively prove sites are genuine.
Alternatively you can visit VeriSign Labs' DNSSEC debugger and search. Or, if you're using Linux or a Mac, open a terminal window and use the dig +dnssec command, followed by the domain; to check google.com, for example, you'd type dig +dnssec google.com. Look for an RRSIG line in the results. If it's not there, DNSSEC hasn't been added to that domain. (Windows users can download the dig tool to use at the command line.)
Beware that the public DNS services offered by Google and OpenDNS both appear to strip out the DNSSEC components of DNS records at the present time, which isn't entirely helpful if DNSSEC is to become mainstream.
Admittedly, adding DNSSEC to some domains is not trivial. Consider Google, for example, which uses astonishingly sophisticated load-balancing to ensure everybody worldwide can always get a speedy response. However, as mentioned, DNSSEC isn't a bolt out of the blue. There's been time to put a plan in place.
In a statement, Google told me that they "think that DNSSEC is important," and that they're actively looking into it, but declined to give details of when, how, or even if it will happen.
Ultimately, upgrading to DNSSEC is a series of chicken-and-egg situations. Nobody in the chain, from end-user to Website operators, is compelled to make any changes right now.
For example, I run a handful of Websites but the hosting service I use doesn't yet offer DNSSEC, so I can't upgrade even if I wanted to. The hosting service probably won't offer DNSSEC until people like me start demanding it.
Even once it's available, I'll have to think hard about implementing DNSSEC because it'll add a small but significant cost to running a Website, not to mention complexity. However, the cost could be folded into domain registration fees, removing this cost for all but the bottom-dollar registrars.
Upgrading my domains to DNSSEC at the moment is an academic exercise, because very few DNS resolvers offered by ISPs around the world support DNSSEC. In other words, I can make the switch but it would make no difference to visitors. So, why should I?
It's hard to figure out who can break this status quo. It almost certainly won't be a grassroots effort; end users might question why they need DNSSEC. Doesn't HTTPS already do that job? (Answer: Yes, but the system is falling apart at the seams.)
Ultimately, it's down to the big tech companies to show the way forward and to make a fuss about doing so, so that we'll all follow suit. Because of this, the coming year is undoubtedly going to prove whether DNSSEC is little more than a clever idea.