Half of federal Web sites fail DNS security test

Half of U.S. government Web sites are vulnerable to commonplace DNS attacks because they haven't deployed a new authentication mechanism that was mandated in 2008, a new study shows.

The Office of Management and Budget (OMB) issued a mandate requiring federal agencies to deploy an extra layer of security — called DNS Security Extensions or DNSSEC — on their .gov Web sites by Dec. 31, 2009.

However, an independent study conducted this month shows that 51 per cent of agencies are out of compliance with the requirement to deploy DNSSEC, which is also necessary for high marks in agency report cards under the Federal Information Security Management Act or FISMA.


DNSSEC is an Internet standard that prevents hackers from hijacking Web traffic and redirecting it to bogus sites. It allows Web sites to verify their domain names and corresponding IP addresses using digital signatures and public key encryption.

In order to be effective, DNSSEC must be deployed across the entire Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .gov, .com and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

DNSSEC was enabled in the root zone last July. More than a dozen top-level domains - including .org for non-profits, .edu for universities and .net for networking companies - support the standard.

Related Events: DNS gains added measure of security starting today 

Secure64 Software Corp., a DNS vendor, tested 360 federal agencies for evidence of digital signatures on their .gov domains. The company ran the same test a year ago and found that only 20 per cent of federal Web sites were in compliance with the DNSSEC mandate.

"We checked which ones of those Web sites were signed, which is the first step to deploying DNSSEC," says Mark Beckett, vice president of marketing and product management for Secure64. "Last year, that number was 20 per cent. This year, that number is 49 per cent."

2010 DNSSEC Survey 

Secure64's findings show progress on the DNSSEC front, with the number of federal agencies digitally signing their domains having more than doubled. "But if you think the government should be fully deployed by now, it's a disappointing number," Beckett added.

Secure64 examined only .gov domains, eliminating federal Web sites that end in .mil, .com or .org from its research because the OMB mandate only applies to .gov Web sites.

"The sample size is large enough that these numbers are very believable and conceivable with what we see out in the market," Beckett says.

Leaders in DNSSEC deployment include the State Department, which is 100 per cent compliant, and the Department of Labor, which is 90 per cent compliant, according to the Secure64 survey.

Among the agencies that appear to be lagging in DNSSEC deployment include the Treasury Department, which is signing only one of its dozen subdomains.

Beckett says agencies are even further behind in establishing a chain of trust with their parent domains, which is the second step in DNSSEC deployment after signing a DNS zone.

"Of the folks with signed domains...only about 20 per cent have established a chain of trust with their parent," Beckett says. "The fact that more than half of the agencies have not yet signed and an even larger percentage haven't established their chain of trust tells you the difficulty for anybody - including federal agencies - in deploying this. It's evidence of the complexity of doing this."

Secure64 sells automated systems for DNSSEC deployment; a typical customer spends around $100,000 on their systems.

Other vendors sell DNSSEC services built into broader product suites, such as IP address management offerings from Infoblox and BlueCat Networks or load balancing systems from F5.

DNSSEC will continue to be in the news this year because VeriSign has committed to supporting the security technology in the .com domain in March. The Internet's largest domain, .com has more than 90 million registered domain names, according to the latest VeriSign Domain Name Industry Brief.

Background on VeriSign's DNSSEC plans

"I think the .com signing is a really important event," Beckett says. "I think it's going to create a much bigger market for products and services that make DNSSEC easier. You can see from our statistics that deploying DNSSEC hasn't been the easiest thing. I think you'll see more and more companies like ours that offer products and services that take the pain out of DNSSEC."

The types of DNS attacks that DNSSEC would eliminate are widespread. More than half of IT decision makers report being victims of DNS-based attacks during the last two years, according to a July 2010 survey by Forrester Research. Among the most common forms of DNS attacks are man-in-the-middle attacks and DNS cache poisoning - both of which could be eliminated by DNSSEC.

The U.S. government isn't the only sector dragging its feet on DNSSEC deployment. Only 11 per cent of the nearly 300 IT decision makers surveyed by Forrester Research had adopted DNSSEC, and these IT decision makers represented financial services firms, ISPs, content providers, e-commerce sites and public-sector organizations.

"DNSSEC is not widely known or deployed, but the majority of those who know DNSSEC plan to adopt," the Forrester Research survey said.

Read more about wide area network in Network World's Wide Area Network section.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags industry verticals

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?