Majority of U.S. federal domain names still don’t use DNSSEC

The majority of Federal agency-run .gov domains are not signing their DNS zones with DNSSEC, despite a December 2009 Federal deadline for adoption, according to an IID report. DNSSEC lets validating resolvers cryptographically verify that DNS answers are authentic and unaltered, so that forged or poisoned records cannot redirect users to an unintended Internet destination.

The report is the first independent study of DNSSEC deployment across a majority of .gov domains, including Federal, state, local, Native American and others. There is no public list of .gov domains, but IID was able to enumerate a majority of them for this study.

IID analyzed the DNS of more than 2,900 .gov domains and found:

  • 421 of the 1,185 Federal .gov domains (36 percent) are signed and validate correctly with DNSSEC.
  • Two percent of the Federal .gov domains that are signed with DNSSEC are misconfigured and fail completely at resolvers that perform DNSSEC validation (the records still resolve at non-validating resolvers, which is why the breakage can go unnoticed).
  • Another two percent of Federal .gov domains have basic DNS misconfigurations, unrelated to DNSSEC, that keep them from resolving properly at all.
  • Two states, Idaho and Vermont, have successfully signed many of their domains with DNSSEC, a good sign for non-Federal adoption.
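
The two failure categories above are easy to tell apart from a validating resolver's point of view. As an added illustration (not part of the IID report or its methodology), the script below classifies a name from the header lines of two `dig +dnssec` runs against a validating resolver, one normal and one with `+cd` (checking disabled). A validated answer carries the `ad` flag; a SERVFAIL that turns into NOERROR under `+cd` means the records exist and only the DNSSEC chain (DS, DNSKEY or RRSIG) is broken; a SERVFAIL under both is a plain DNS misconfiguration. The sample dig outputs are constructed for the example and the `.example` names are hypothetical.

```python
import re

# dig prints these two header lines for every response it receives.
STATUS_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")


def parse_dig_header(output):
    """Return (status, flags) parsed from the text output of one dig run."""
    status, flags = None, set()
    for line in output.splitlines():
        m = STATUS_RE.search(line)
        if m:
            status = m.group(1)
            continue
        m = FLAGS_RE.search(line)
        if m:
            flags = set(m.group(1).split())
    if status is None:
        raise ValueError("no dig header found in output")
    return status, flags


def classify(normal_output, cd_output):
    """Classify a name from two dig runs against a *validating* resolver:
    `dig +dnssec NAME` (normal_output) and `dig +dnssec +cd NAME` (cd_output).

    secure   - answer validated; the resolver set the AD (authenticated data) flag
    insecure - answer returned but not validated: the zone is unsigned (or the
               resolver is not validating; confirm it first with a known-signed name)
    bogus    - validation failed: SERVFAIL normally, but the same query succeeds
               with +cd, so the records exist and only the DNSSEC chain is broken
    broken   - fails even with +cd: a plain DNS misconfiguration, not a DNSSEC one
    """
    status, flags = parse_dig_header(normal_output)
    cd_status, _ = parse_dig_header(cd_output)
    if status == "NOERROR":
        return "secure" if "ad" in flags else "insecure"
    if status == "SERVFAIL" and cd_status == "NOERROR":
        return "bogus"
    return "broken"


# Constructed sample outputs (not real query results), trimmed to the header lines.
def _dig(status, flags):
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n")


SAMPLES = {
    # (normal run, +cd run) for each hypothetical name
    "signed.example":   (_dig("NOERROR", "qr rd ra ad"), _dig("NOERROR", "qr rd ra cd")),
    "unsigned.example": (_dig("NOERROR", "qr rd ra"),    _dig("NOERROR", "qr rd ra cd")),
    "badsig.example":   (_dig("SERVFAIL", "qr rd ra"),   _dig("NOERROR", "qr rd ra cd")),
    "broken.example":   (_dig("SERVFAIL", "qr rd ra"),   _dig("SERVFAIL", "qr rd ra cd")),
}


def classify_samples():
    """Run the classifier over every constructed sample."""
    return {name: classify(*outputs) for name, outputs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} {verdict}")
```

The `+cd` re-query is the step that separates "signed but misconfigured" (the two percent that fail at validating resolvers) from "broken DNS regardless of DNSSEC" (the other two percent). The classification is only meaningful against a resolver that actually validates, so check that a known-signed name comes back with `ad` before trusting an "insecure" verdict; BIND's `delv` tool performs the same validation locally and reports the outcome directly.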

“This should be a wakeup call that DNSSEC, likely for a multitude of reasons, is still not being implemented across a wide spectrum of .gov domains despite a mandate to do so,” said IID president and CTO Rod Rasmussen. “Furthermore, and even more worrisome, there is a small percentage of .gov domains that are adopting but not properly utilizing DNSSEC, leaving organizations with a false sense of security and likely problems for their users.”
