Report Reveals Planned DNSSEC Adoption of 2010 by Key Industries Still in Limbo

By CircleID Reporter

A recent progress report on DNSSEC adoption reveals the extent to which organizations in a number of industries are falling short of their own objectives for making Domain Name Server (DNS) infrastructure more secure. The progress report, conducted by Secure64 Software Corporation, is a follow-up to a 2010 study by Forrester Research titled, "DNSSEC Ready for Prime Time," which reported on organizations' plans to implement DNSSEC in order to shore up vulnerabilities in DNS.

"One of the most interesting aspects of the Forrester study was a survey of organizations that asked about their progress on DNSSEC adoption. Of the organizations that were familiar with DNSSEC, 95 percent told Forrester that they had already deployed DNSSEC or had plans to deploy it within 18 months. Secure64's followup research shows that those plans have not yet come to fruition," said Steve Goodbarn, CEO of Secure64.

Some of the key findings:

Media and Entertainment,

Telecommunications and Internet Service Providers,

Financial Services,

Related topics: DNS Security


Why? Marcel Doe  –  Nov 20, 2012 5:26 AM PDT

Can someone tell me why organizations are so slow to adopt DNSSEC? It seems like a quick win to me.

Marcel,There is a long conversation that could Dan York  –  Nov 20, 2012 1:47 PM PDT


There is a long conversation that could be had on that topic - and perhaps I should write a post here on Circle ID about precisely that.  Some of the issues I captured in a whitepaper back in March, Challenges and Opportunities in Deploying DNSSEC, although there has been movement since I first wrote that in many positive ways.

Essentially, we are caught in the proverbial "chicken-and-egg" bootstrapping process of a new protocol. Domain name holders see little business value in signing their domains because of the scarcity of applications that validate signed domains (ex. DNS resolvers).  Application developers see little business value in adding DNSSEC validation because of the scarcity of signed domains. 

This is changing.  Slowly - but still it is changing.  We are starting to see greater support of DNSSEC within registrars.  We're starting to see ISPs roll out validating DNS servers.  We're starting to see application developers look at how they can add in DNSSEC support.  A number of people across the industry are looking at ways we can help people understand the very real value they can get from DNSSEC… and I believe we'll see more movement in the months ahead.  But it will take some time until it reaches that tipping point when it is just part of what you do with a domain.

But that is a topic for a much longer discussion… I really need to write a post here.  :-)

Hi Dan,I can see the chicken-and-egg problem Marcel Doe  –  Nov 20, 2012 4:42 PM PDT

Hi Dan,

I can see the chicken-and-egg problem here. But as far as I understand DNSSEC, the costs for the average corporate website owner are rather limited. They are already dealing with hosting, purchasing and installing certificates and updating DNS entries, so dealing with DNSSEC does not add that much costs.

But I guess corporations like to wait. We see the same things happening with IPv6. Everyone waits until all the others have already done it. Or when the need arises… which is too late, for both DNSSEC (already hacked) and IPv6 (unreachable site).