
Going for Broke: Financial Services Industry Falling Behind on DNSSEC Adoption

Mark Beckett

Many CircleID readers have been watching the acceleration of DNSSEC adoption by top level domains with great interest, and after many years the promise of a secure and trustworthy naming infrastructure across the generic and country-code domains finally seems within reach.

While TLD DNSSEC deployments are major milestones for internet security, securing the top level domains is not the end goal — just a necessary step in the process. To truly protect against the most likely threats, DNSSEC must be adopted not only by TLDs, but also by the domain name registrants themselves.

Registrants like banks, government agencies, retailers, and other organizations that represent attractive targets for criminals or hostile nation-states stand to benefit the most by deploying DNSSEC across the domains that they own. Adoption of DNSSEC by these types of organizations is an important measure of the success of DNSSEC in achieving its primary goal: to ensure that the integrity of the internet's naming system cannot be compromised.

For the past several years, Secure64's technical team has conducted a series of studies to measure DNSSEC adoption by key groups of organizations. In the wake of a US federal government mandate that all federal agencies must adopt DNSSEC by the end of 2009, we decided to measure the progress that was being made, and publicly reported adoption rates of 20%, 49% and 57% in 2010, 2011 and 2012, respectively. However, adoption outside of the large top level domains and the US government has been slow.

In mid-2010, we were encouraged by a Forrester Research study of almost 300 IT decision makers around the world indicating that 43% of the respondents had heard of DNSSEC, and of these, 95% had already implemented or had plans to implement it within 18 months. This survey focused on those industries most likely to benefit from the security that DNSSEC provides, including financial services, public sector, ISPs, media/entertainment/leisure, online commerce and other organizations with a significant online presence. Now, over two years later, we decided to follow up on this survey, focusing on the financial services sector, to see if these plans have come to fruition.

We used the Forbes Global 2000 list of public companies as our starting point, honing that list down to 293 organizations in the financial services sector. We then queried the domain names of each of these organizations, looking for two pieces of evidence of DNSSEC deployment — signatures published at the organization's domain and a chain of trust to its parent domain.

The results were both surprising and disappointing. Of these 293 organizations, only one was publishing signatures on its domain, but that one organization had not established a chain of trust to its parent, so there is little likelihood that it is benefiting from the protection that DNSSEC can provide.
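The two-part check described above (signatures at the domain, plus a chain of trust to the parent) can be sketched as follows; this is an added example, not the tooling used in the study. It treats the chain as present only when a DS record from the parent matches a DNSKEY at the child by key tag and SHA-256 digest, and it does not validate the signatures themselves. The domain names, key bytes and the `classify` and `survey` helpers are constructed for illustration.

```python
import hashlib
import struct

def name_wire(name):
    """Canonical lowercase wire form of a domain name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_wire(owner) + rdata).hexdigest()

def classify(owner, dnskeys, has_rrsig, parent_ds):
    """dnskeys: DNSKEY RDATA seen at the child zone.
    parent_ds: (key_tag, digest_hex) pairs served by the parent zone."""
    if not dnskeys or not has_rrsig:
        return "unsigned"
    if not parent_ds:
        return "signed, no chain of trust"
    for tag, digest in parent_ds:
        if any(key_tag(k) == tag and ds_sha256(owner, k) == digest.lower()
               for k in dnskeys):
            return "signed, chain of trust"
    return "signed, DS does not match"

# Constructed sample data: flags 257 (KSK), protocol 3, algorithm 13, dummy key bytes.
KSK = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
OTHER = struct.pack("!HBB", 257, 3, 13) + bytes(64)

def survey():
    """Classify four constructed zones, one per possible outcome."""
    zones = {
        "bank-a.example": ([], False, []),
        "bank-b.example": ([KSK], True, []),
        "bank-c.example": ([KSK], True,
                           [(key_tag(KSK), ds_sha256("bank-c.example", KSK))]),
        "bank-d.example": ([KSK], True,
                           [(key_tag(OTHER), ds_sha256("bank-d.example", OTHER))]),
    }
    return {name: classify(name, *records) for name, records in zones.items()}

if __name__ == "__main__":
    for name, status in survey().items():
        print(f"{name:16} {status}")
```

The `bank-b.example` case corresponds to the single signed organization in the results: signatures are published, but no DS record in the parent links the zone into a chain of trust.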

Given these surprising results compared to the attitudes reflected in the previous Forrester survey, we looked for bias in our own data and noted that our list only included public companies. We also noted that the domain names of many of the multinational companies on the list were not the same as the names of the individual companies that they own. Is it possible that DNSSEC might be more broadly deployed in private companies or in the individual company domain names? Unfortunately, spot checking a number of these child companies yielded no evidence of DNSSEC adoption either, so we were forced to conclude that the deployment of this important security technology is happening very slowly even within an industry that should be the most concerned about it.

Perhaps it will take a real financial loss to provide the necessary motivation. According to the Forrester report, 100% of the companies that lost greater than $5 million experienced a man-in-the-middle breach. Or perhaps, as we have seen in the U.S., legislation or industry regulations will be required to spur these organizations to action. So far, at least, protecting their customers and brand reputation has not been sufficient.

By Mark Beckett, VP, Marketing & Product Management at Secure64

Related topics: DNS Security, Security
