Internet Domain Security Virtually Non-Existent

December 8, 2010


The sixth-annual survey of the Domain Name System (DNS) infrastructure on the public Internet, conducted by the Measurement Factory and underwritten by Infoblox, finds that while DNSSEC (Domain Name System Security Extensions) adoption increased dramatically, by 340 percent, this year, it was on such a small base that DNS security is virtually nonexistent for the almost 200 million registered domains. DNSSEC is a suite of Internet Engineering Task Force (IETF) specifications for securing information, and providing origin authentication of DNS data, authenticated denial of existence and data integrity.

According to the study, the number of zones that have been DNSSEC-signed is only 0.02 percent, and almost a quarter of them, 23 percent, failed validation due to expired signatures. This means most organizations with an Internet presence are not taking DNS security seriously and are vulnerable to attacks, says Cricket Liu, VP of architecture at Infoblox and author of O'Reilly & Associates' "DNS and BIND," and "DNS & BIND Cookbook."
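An added example, not part of the original article or the survey: a Python check that reads RRSIG records in RFC 4034 presentation format and flags signatures that have expired or are about to, the failure the survey found in 23 percent of signed zones. The records, the `example.org` names, the evaluation date and the seven-day warning window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG records in RFC 4034 presentation format
# (owner, TTL, class, then the RRSIG fields); signature data is a placeholder.
SAMPLE_RRSIGS = """\
example.org. 3600 IN RRSIG SOA 8 2 3600 20101120000000 20101021000000 12345 example.org. AAAA
example.org. 3600 IN RRSIG NS 8 2 3600 20101212000000 20101112000000 12345 example.org. AAAA
www.example.org. 3600 IN RRSIG A 8 3 3600 20110105000000 20101206000000 12345 example.org. AAAA
mail.example.org. 3600 IN RRSIG A 8 3 3600 20110110000000 20101211000000 12345 example.org. AAAA
"""

def parse_ts(field):
    """RRSIG times are either 14-digit YYYYMMDDHHmmSS (UTC) or epoch seconds."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def audit_rrsigs(text, now, warn=timedelta(days=7)):
    """Classify each RRSIG line as expired, not-yet-valid, expiring-soon or ok."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        if len(f) < i + 10:  # type, alg, labels, TTL, exp, inc, tag, signer, sig
            findings.append((f[0], "?", "malformed"))
            continue
        covered, expiration, inception = f[i + 1], parse_ts(f[i + 5]), parse_ts(f[i + 6])
        if now > expiration:
            status = "expired"        # a validating resolver rejects this signature
        elif now < inception:
            status = "not-yet-valid"  # often clock skew on the signing host
        elif expiration - now <= warn:
            status = "expiring-soon"  # re-sign the zone before this lapses
        else:
            status = "ok"
        findings.append((f[0], covered, status))
    return findings

if __name__ == "__main__":
    now = datetime(2010, 12, 8, tzinfo=timezone.utc)  # constructed "current" time
    for owner, covered, status in audit_rrsigs(SAMPLE_RRSIGS, now):
        print(f"{owner:18} {covered:4} {status}")
```

Run on a schedule against a zone's published signatures, a check like this catches a stalled re-signing job before resolvers start failing validation.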

These results shouldn't be surprising, according to several other studies. In a recent report from the Enterprise Strategy Group, "Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure," nearly one-fourth of respondents rated executive management support for cyber security as "fair" or "poor."

IBM's mid-2010 security report card found that Web application vulnerabilities increased to the 55 percent mark, accounting for fully half of all vulnerability disclosures in the first part of 2010. While the cost of these vulnerabilities is unknown, Gartner has calculated how much organizations are spending on security-related software. For 2010, the market will be $16.5 billion, up 11.3 percent from last year's $14.8 billion.

Based on last year's DNS survey, Liu was hoping 2010 would be a really big year for DNSSEC: "While we did see this impressive growth in percentages, ... we went from negligible to just slightly less negligible." And while he is shifting his DNSSEC growth expectations to 2011, Liu says this year's survey indicates that a fair number of sites will need to be upgraded before they can even support DNSSEC.

On a more positive note, the parent or top-level domain names--.com, .org and .net--are all moving to DNSSEC, says Liu. Only .org is currently signed, but .net is expected to sign this month, and .com is expected to be on board by March. With the parents signed, there should be no excuses for the sub-zones, he says.

The removal of that "barrier" won't necessarily mean organizations will now jump on the DNSSEC bandwagon, cautions Liu. He sees regulation as one option for driving Internet security. Another option is standards bodies like PCI (Payment Card Industry). There is also the possibility of a big lawsuit getting people's attention, he adds.

Another survey finding was the issue of topological diversity of authoritative name servers, with almost 75 percent of all name servers advertised in a single autonomous system. This presents a single point of failure that can impact availability of organizations' Internet presence in the event of a fault or problem with routing infrastructure.
