While DNSSEC adoption percentages appear to have increased dramatically by 340 percent this year, the actual number of zones that have been signed is very small: .02 percent, according to a study by Infoblox.
This indicates that the vast majority of organizations with an Internet presence are vulnerable to attacks. Of the .02 percent of zones that are DNSSEC-signed, 23 percent of them failed validation due to expired signatures. This underscores that DNSSEC (including re-signing) needs to be as automated as possible to avoid accidental denial of service.
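As an added illustration of the re-signing point above (not part of the Infoblox study), here is a small Python check that parses RRSIG records from a zone listing and flags signatures that are expired, not yet valid, or about to expire; the zone names and signature records are constructed samples, and the validity rule follows RFC 4035.

```python
import re
from datetime import datetime, timezone

# Constructed sample RRSIG records in presentation format (RFC 4034, section 3.2):
# type covered, algorithm, labels, original TTL, expiration, inception, key tag,
# signer, signature (the base64 is a placeholder, not a real signature).
SAMPLE_RRSIGS = """\
example.test.      3600 IN RRSIG A  13 2 3600 20100315000000 20100215000000 12345 example.test. ZmFrZQ==
www.example.test.  3600 IN RRSIG A  13 3 3600 20100220000000 20100121000000 12345 example.test. ZmFrZQ==
example.test.      3600 IN RRSIG NS 13 2 3600 20100305000000 20100203000000 12345 example.test. ZmFrZQ==
mail.example.test. 3600 IN RRSIG MX 13 3 3600 20100401000000 20100305000000 12345 example.test. ZmFrZQ==
"""
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+\S+\s+\S+$"
)

def parse_rrsig_time(stamp):
    # RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034)
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(text, now, warn_days=7):
    """Classify each RRSIG against `now`; RFC 4035 accepts it only when
    inception <= now <= expiration, so anything outside that window fails validation."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RRSIG_RE.match(line)
        if not m:
            raise ValueError("unparseable RRSIG line: " + line)
        exp = parse_rrsig_time(m["expiration"])
        inc = parse_rrsig_time(m["inception"])
        days_left = (exp - now).total_seconds() / 86400
        if now > exp:
            status = "expired"         # validating resolvers already reject this data
        elif now < inc:
            status = "not-yet-valid"   # published too early, or signer clock skew
        elif days_left <= warn_days:
            status = "expiring"        # re-sign now, before the window closes
        else:
            status = "ok"
        results.append({"owner": m["owner"], "covered": m["covered"],
                        "status": status, "days_left": round(days_left, 2)})
    return results

def zone_breaks_validation(results):
    return any(r["status"] in ("expired", "not-yet-valid") for r in results)
```

Run against a fixed clock such as `parse_rrsig_time("20100301000000")` to get reproducible output; in production, feed it the current UTC time and alert on anything other than "ok".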
Furthermore, survey results reveal that some fundamental DNS capabilities required for DNSSEC adoption – TCP queries and support for Extension Mechanisms for DNS (EDNS0) – are not fully deployed. All these figures cause great concern that there is significant work to do before the industry is ready for DNSSEC and the Internet and enterprises alike are protected.
Additional survey findings revealed that topological diversity of authoritative name servers is an ongoing issue, with almost 75 percent of all name servers advertised in a single autonomous system; this presents a single point of failure that can impact availability of many organizations’ Internet presence in the event of a fault or problem with routing infrastructure.
DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 188.8.131.52), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request from Web browsing, email and ecommerce to cloud computing.
Should an enterprise or organization’s DNS systems become compromised by attacks, the results can be devastating, ranging from loss of a company’s Web presence and employees’ inability to access any outside Web services to, perhaps most damaging, redirection of Web and email traffic to bogus sites, resulting in data loss, identity theft, ecommerce fraud and more.
Making matters worse, cybercrime estimates are only growing. In a 2009 report, the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center, indicated that cybercrime complaints increased 22.3 percent compared to 2008 – and those are just the reported cases – illustrating the continued growth of cybercrime.
Most security experts agree that the Domain Name System Security Extensions (DNSSEC), a suite of IETF specifications for securing information provided by DNS, represent the best means to protect against cyber-criminal activities launched at DNS servers.
DNSSEC implements an automated trust infrastructure, enabling systems to verify the authenticity of DNS information, and foils attackers’ attempts to direct users to alternate sites for collection of credit card information and passwords, to redirect email, or otherwise compromise applications.