The sixth annual survey of the Domain Name System (DNS) infrastructure on the public Internet, conducted by the Measurement Factory and underwritten by Infoblox, finds that although DNSSEC (Domain Name System Security Extensions) adoption increased dramatically this year, by 340 percent, it started from such a small base that DNS security is virtually nonexistent for the almost 200 million registered domains. DNSSEC is a suite of Internet Engineering Task Force (IETF) specifications for securing DNS information by providing origin authentication of DNS data, authenticated denial of existence and data integrity.
According to the study, only 0.02 percent of zones have been DNSSEC-signed, and almost a quarter of those signed zones, 23 percent, failed validation due to expired signatures. This means most organizations with an Internet presence are not taking DNS security seriously and are vulnerable to attacks, says Cricket Liu, VP of architecture at Infoblox and author of O'Reilly & Associates' "DNS and BIND" and "DNS & BIND Cookbook."
These results shouldn't be surprising, according to several other studies. In a recent report from the Enterprise Strategy Group, "Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure," nearly one-fourth of respondents rated executive management support for cyber security as "fair" or "poor."
IBM's mid-2010 security report card found that Web application vulnerabilities increased to the 55 percent mark, accounting for fully half of all vulnerability disclosures in the first part of 2010. While the cost of these vulnerabilities is unknown, Gartner has calculated how much organizations are spending on security-related software. For 2010, the market will be $16.5 billion, up 11.3 percent from last year's $14.8 billion.
Based on last year's DNS survey, Liu was hoping 2010 would be a really big year for DNSSEC: "While we did see this impressive growth in percentages, ... we went from negligible to just slightly less negligible." And while he is shifting his DNSSEC growth expectations to 2011, Liu says this year's survey indicates that a fair number of sites will need to be upgraded before they can even support DNSSEC.