Offline Dig

« on: November 06, 2010, 07:02:33 am »


Majority of U.S. Federal Domain Names Still Fail to Meet Federal Internet Security Mandate for DNSSEC Adoption
Wednesday, September 22, 2010
TACOMA, Wash.--(BUSINESS WIRE)--IID (Internet Identity), a provider of technology and services that help organizations secure Internet presence, today announced it has identified major online security holes for U.S. government organizations in its “Q3 State of DNS Report”. According to the report, a majority of Federal agency run .gov domains are not signing their DNS (Domain Name System) with DNSSEC (Domain Name Security Extensions) despite a December 2009 Federal deadline for adoption. DNSSEC is designed to ensure DNS entries are not poisoned in transit, so users are not taken to an unintended Internet destination.

The report was the first independent study into the deployment of DNSSEC across a majority of .gov domains including Federal, state, local, Native American and others. .gov domains are not published publicly, but IID was able to track down a majority of them for this study. IID analyzed the DNS of more than 2,900 .gov domains and found:

421 Federal .gov domains are fully authenticated with DNSSEC out of 1,185 (36 percent)

Two percent of Federal .gov domains signed with DNSSEC are incorrectly configured and fail completely when DNSSEC checks are done at some DNS resolvers

Another two percent of Federal .gov domains have basic DNS misconfigurations that keep them from operating properly at all

Two states, Idaho and Vermont, have successfully authenticated many of their domains with DNSSEC – a good sign for non-Federal adoption

“This should be a wakeup call that DNSSEC, likely for a multitude of reasons, is still not being implemented across a wide spectrum of .gov domains despite a mandate to do so,” said IID president and CTO Rod Rasmussen. “Furthermore and even more worrisome, there is a small percentage of .gov domains that are adopting but not properly utilizing DNSSEC, leaving organizations with a false sense of security and likely problems for their users.”
A January 2010 report prepared by the Center for Strategic and International Studies (CSIS) titled, "In the Crossfire – Critical Infrastructure in the Age of Cyber-War," found 57 percent of 600 IT and security professionals polled had experienced DNS poisoning attacks – which DNSSEC is supposed to stop. According to the IT and security professionals questioned, the cost of downtime incurred from a network infrastructure attack like DNS poisoning on their organizations was more than six million dollars a day.

“DNS is still the wild west of Internet infrastructure and it remains relatively wide open for cyber criminals today,” said Online Trust Alliance (OTA) Founder and President Craig Spiezle. “It is essential for organizations to not only adopt DNSSEC, but also utilize various other solutions which help ensure online trust.”

More findings from the IID report, including how improperly implementing DNSSEC has actually hamstrung some domains, can be found at
Rod Rasmussen will discuss the findings of this report while at the OTA Online Trust & Cybersecurity Forum in Washington, D.C. this Friday, September 24.

About IID

IID (Internet Identity) has been providing technology and services that secure the Internet presence for an organization and its extended enterprise since the company was founded in 1996. It recently started delivering the industry’s first and only solution for detecting, diagnosing and mitigating domain name system (DNS) security and configuration issues for an organization and its extended enterprise. IID also provides anti-phishing, malware and brand security solutions for many of today’s leading financial service firms, e-commerce, social networking and ISP companies, and more. The company is working hard to deliver solutions that help keep the Internet safe and trusted for businesses. IID is headquartered in Tacoma, Washington. More information can be found at

Comcast begins DNS security rollout
Monday, October 18, 2010

First in U.S. to protect customers against Kaminsky-style cache poisoning attacks

Comcast has begun migrating its customers to a new Internet security mechanism that will help protect them from being inadvertently routed to phony Web pages for pharming attacks, identity theft and other scams. Comcast is the first major ISP in the United States to adopt the new mechanism, which is known as DNS Security Extensions (DNSSEC).

Source: Carolyn Duffy Marsan, Network World, Retrieved on October 18, 2010 from