Half of federal Web sites fail DNS security test

Half of U.S. government Web sites are vulnerable to commonplace DNS attacks because they haven't deployed a new authentication mechanism that was mandated in 2008, a new study shows.

The Office of Management and Budget (OMB) issued a mandate requiring federal agencies to deploy an extra layer of security — called DNS Security Extensions or DNSSEC — on their .gov Web sites by Dec. 31, 2009.

However, an independent study conducted this month shows that 51 per cent of agencies are out of compliance with the requirement to deploy DNSSEC, which is also necessary for high marks in agency report cards under the Federal Information Security Management Act or FISMA.


DNSSEC is an Internet standard that prevents hackers from hijacking Web traffic and redirecting it to bogus sites. It allows Web sites to verify their domain names and corresponding IP addresses using digital signatures and public key encryption.

In order to be effective, DNSSEC must be deployed across the entire Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .gov, .com and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

DNSSEC was enabled in the root zone last July. More than a dozen top-level domains - including .org for non-profits, .edu for universities and .net for networking companies - support the standard.

Related Events: DNS gains added measure of security starting today 

Secure64 Software Corp., a DNS vendor, tested 360 federal agencies for evidence of digital signatures on their .gov domains. The company ran the same test a year ago and found that only 20 per cent of federal Web sites were in compliance with the DNSSEC mandate.

"We checked which ones of those Web sites were signed, which is the first step to deploying DNSSEC," says Mark Beckett, vice president of marketing and product management for Secure64. "Last year, that number was 20 per cent. This year, that number is 49 per cent."

2010 DNSSEC Survey 

Secure64's findings show progress on the DNSSEC front, with the number of federal agencies digitally signing their domains having more than doubled. "But if you think the government should be fully deployed by now, it's a disappointing number," Beckett added.

Secure64 examined only .gov domains, eliminating federal Web sites that end in .mil, .com or .org from its research because the OMB mandate only applies to .gov Web sites.

"The sample size is large enough that these numbers are very believable and conceivable with what we see out in the market," Beckett says.

Leaders in DNSSEC deployment include the State Department, which is 100 per cent compliant, and the Department of Labor, which is 90 per cent compliant, according to the Secure64 survey.

Among the agencies that appear to be lagging in DNSSEC deployment include the Treasury Department, which is signing only one of its dozen subdomains.

Beckett says agencies are even further behind in establishing a chain of trust with their parent domains, which is the second step in DNSSEC deployment after signing a DNS zone.

"Of the folks with signed domains...only about 20 per cent have established a chain of trust with their parent," Beckett says. "The fact that more than half of the agencies have not yet signed and an even larger percentage haven't established their chain of trust tells you the difficulty for anybody - including federal agencies - in deploying this. It's evidence of the complexity of doing this."

Secure64 sells automated systems for DNSSEC deployment; a typical customer spends around $100,000 on their systems.

Other vendors sell DNSSEC services built into broader product suites, such as IP address management offerings from Infoblox and BlueCat Networks or load balancing systems from F5.

DNSSEC will continue to be in the news this year because VeriSign has committed to supporting the security technology in the .com domain in March. The Internet's largest domain, .com has more than 90 million registered domain names, according to the latest VeriSign Domain Name Industry Brief.

Background on VeriSign's DNSSEC plans

"I think the .com signing is a really important event," Beckett says. "I think it's going to create a much bigger market for products and services that make DNSSEC easier. You can see from our statistics that deploying DNSSEC hasn't been the easiest thing. I think you'll see more and more companies like ours that offer products and services that take the pain out of DNSSEC."

The types of DNS attacks that DNSSEC would eliminate are widespread. More than half of IT decision makers report being victims of DNS-based attacks during the last two years, according to a July 2010 survey by Forrester Research. Among the most common forms of DNS attacks are man-in-the-middle attacks and DNS cache poisoning - both of which could be eliminated by DNSSEC.

The U.S. government isn't the only sector dragging its feet on DNSSEC deployment. Only 11 per cent of the nearly 300 IT decision makers surveyed by Forrester Research had adopted DNSSEC, and these IT decision makers represented financial services firms, ISPs, content providers, e-commerce sites and public-sector organizations.

"DNSSEC is not widely known or deployed, but the majority of those who know DNSSEC plan to adopt," the Forrester Research survey said.

Read more about wide area network in Network World's Wide Area Network section.

Join the PC World newsletter!

Error: Please check your email address.

Tags securityindustry verticalsgovernment

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?