Eighty percent of all U.S. federal agencies failed to deploy DNSSEC on their Web sites by the end of 2009, as required by the U.S. government mandate issued in August 2008.
The mandate was issued because DNSSEC protects the sites’ DNS entries from being spoofed – that is, from redirection of traffic to fake (malicious) sites that pose as the real thing.
IT World reports that Sweden, Puerto Rico, Mexico, Brazil, Bulgaria, and the Czech Republic have already implemented the standard on their national domains. The .org domains are also cryptographically signed, and VeriSign plans to finish deploying DNSSEC across the root, .com and .net servers by 2011.
Ken Silva, VeriSign’s CTO, said that the company has encountered, and is still encountering, difficulties during this process, but no major or unsolvable problems. “If everything was DNSSEC enabled, it would make it extremely difficult to forge a DNS response. Having said that, it truly needs to be DNSSEC from end-to-end in order to have an impact,” he remarks.
It is no wonder, then, that the deadline was so short. It is definitely in everybody’s best interest to see the standard fully deployed on every .gov domain, so implementing DNSSEC should be one of the top priorities.
But not everybody is worried about the seemingly slow pace of the implementation. “I would take it as a very positive sign that there was any movement at all,” says Steve Crocker, CEO of Shinkuro. He believes that a lack of time, not a lack of will, was behind the agencies’ failure to implement the standard, and thinks that by the end of this year most of them will meet that requirement.