Top US domain name registrars lag on DNS security

In order for Web site operators and end users to benefit from DNSSEC, the standard must be supported at every level of the DNS hierarchy

The leading domain name registrars in the United States appear to be dragging their feet on the deployment of DNS Security Extensions, an emerging standard that prevents an insidious type of hacking attack where network traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing.

DNSSEC prevents cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. Cache poisoning attacks are possible because of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

In order for Web site operators and end users to benefit from DNSSEC, the standard must be supported at every level of the DNS hierarchy.

At the top of this heirarchy, the DNS root servers will support DNSSEC on July 1.

Next are the registries that operate the back-end servers for the various top-level domains. The registries have announced rolling deadlines for their DNSSEC deployments: .org and .edu in June; .net in December; and .com by March 2011.However, none of the top 10 domain name registrars in the United States has committed to a deadline for deploying DNSSEC.

"It's sad that the registrars are not keeping up with the registries in their deployment schedules for DNSSEC," says Paul Hoffman, director of the VPN Consortium and an active participant in DNSSEC standards development at the Internet Engineering Task Force. "If my registrar can't tell me when they will support DNSSEC, then I can't do the planning I need to do to upgrade my DNS software."

U.S. corporations -- such as banks and e-retailers -- won't be able to deploy the extra layer of security provided by DNSSEC until their registrars offer it as a service.

"It is a roadblock," Hoffman says. "If my registrar doesn't know how do to DNSSEC, I have to change registrars…Whichever registrar announces first is going to see people switching to them."

Of the 10 largest domain name registrars in the United States, only four responded to queries about the status of their DNSSEC deployments. None of these registrars would commit to a deadline for when they will support this new security mechanism.

Network Solutions and Dotster appear to be furthest along with DNSSEC.

"We are supportive of the DNSSEC initiative and recognize its technical importance and its efficiency in securing directory data," sais Network Solutions spokeswoman Susan Wade. "We are working closely with the registries and are actively engaged in market research to determine the demand for DNS Security. At the present time, we do not have a launch date for our DNSSEC offering."

"Dotster is working with a number of registries to implement DNSSEC," said Dotster's IT Director Aaron Bathum. "This is on our product road map, and availability is currently under review."

Go Daddy, the largest domain name registrar in the United States, was vague about its DNSSEC plans.

"Go Daddy is acutely aware of DNSSEC and has been evaluating it for some time," said Rich Merdinger, senior director of domain registration services at Go Daddy. But Merdinger wouldn't say when Go Daddy will offer DNSSEC. "Go Daddy always is looking to do what is best for our customers," he adds.

Meanwhile, eNom, the second-largest domain name registrar, seems to be taking a watch-and-wait approach to DNSSEC.

"We are carefully watching the rollout of DNSSEC at the registry level, and while we do not have a set date for registrar implementation, it is a service we are considering offering in the future," said Jeff Eckhaus, general manager at eNom.

One reason that domain name registrars are slow to commit to DNSSEC is economics. With domain names selling for as little as $1.99 per year, there's little incentive for registrars to add an extra layer of security and all of the administrative overhead that will entail.

"The registrars are a real hold-up," says Rodney Joffe, senior vice president and chief technologist with Neustar's UltraDNS business. "One of the problems for the registrars is who picks up the tab for the customer support element of this? If you think about this, you buy a domain name for $8 to $15. How many people are going to call the registrar and ask how to do a signature? You can't recover the cost of that call based on the current price for domain names."

Joffe says the registrars are just one barrier to DNSSEC deployment, which he predicts will not occur until 2012 at the earliest.

"Another problem is that there are no end user applications that make use of DNSSEC. Nobody has written a browser that checks for DNSSEC signatures. Even when the ISPs have DNSSEC-enabled recursive servers that will authenticate the answer, there are no clients for end users," Joffe says. "We are a couple years away from being close to DNSSEC being a possibility."

In the meantime, Joffe touts the benefits of a Neustar/UltraDNS product called Cache Defender that provides protection against Kaminsky-style attacks and is available today.

"Until it's end-to-end, it doesn't work," Joffe says of DNSSEC. "It doesn't matter if there's just one break in the chain. That one break is enough for DNSSEC not to work."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityDNS

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?