80% of .gov Web Sites Miss DNSSEC Deadline
netbuzz writes "Eighty percent of US federal agencies — including the Department of Homeland Security — have missed a deadline to deploy DNS Security Extensions, a new authentication mechanism designed to prevent hackers from hijacking Web traffic. The deadline that whooshed by was Dec. 31, 2009. Experts disagree as to whether this level of deployment represents a failure or reasonable progress toward meeting a mandate set by the Office of Management and Budget in the summer of 2008. OMB officials declined to say why the agency hasn't enforced the DNSSEC deadline for executive branch departments."
This is probably more of a classic case of unrealistic deadlines imposed on Gov't agencies/IT contractors by Gov't security desk jockeys and/or congressmen without a clue. I'm sure the infrastructure is convoluted to begin with and I'm sure whatever planning and testing there was was probably rushed. On top of that, I've never known *anything* in the government to 1) rarely meet a deadline on time, 2) accomplish a task on time without an exorbitant amount of hiccups to deal with, or 3) be successful without being strangled by miles of bureaucratic red tape. I'm not making an excuse, it just seems pretty plausible considering who we are talking about here.
Sure, it's always good to implement updates that improve network/computer security ... but let's face it. These deadlines are put in place primarily to ensure people actually pay attention and do the update in a reasonable amount of time. It's not like govt. had inside information that right after Dec. 31, 2009 - hackers were going to go crazy trying to exploit this DNS issue, so that was the day it really NEEDED to be implemented by, across the board.
Maybe I'm just in a sour mood right now with this stuff in general? But lately, I sense an ever-increasing amount of importance being placed on every little security patch or change, when it's just not really warranted. It seems really self-serving to those who work in the field of "computer security", because it makes a bunch of extra billable work for them - and they get to scare more people into paying them to secure things for them.
I mean, just this morning, I came into work and checked my mail, and what do I see? People on C-Net asking questions about if they should just "quit using Internet Explorer, given the recent security exploits". (Umm, let's see here.... You successfully used the thing ever since probably when? At least back in 2001 or 2002, right? And theoretically at least, it's "safer" now than EVER before, since Microsoft has been patching and upgrading the thing that whole time. So why would you suddenly determine NOW that it's just too unsafe to use again??)
And later today, I've got to waste my afternoon ensuring "PCI Compliance" because my workplace accepts credit cards once in a while, processed via an Internet-based card processing service. We don't even store *any* of the card data here, on either our systems or on paper. They just punch the stuff into the web site to do the processing, and let the processor keep the data. But *still*, simply because we do it, we have to have monthly "penetration testing" done against our firewall's IP address (among other requirements), and the stupid test claims I "fail" right now, due to issues that hardly matter in reality. (E.g., it's complaining about unpatched issues with the Outlook Web Access part of Exchange, even though nobody even has access to use OWA in our company except me, as sysadmin -- and again, I'm finding it quite the stretch to see how someone hacking OWA here would magically obtain customer credit card info, given how we operate here?)
Seems that most of the larger (well-known) *.govs haven't deployed DNSSEC. I tried cia.gov, fbi.gov, nsa.gov (!), state.gov, whitehouse.gov, ins.gov, irs.gov... state.gov was the only one I found having published a DNSKEY RR. (I just picked a few at random I knew)
DNSSEC still has some serious problems. E.g., in our preliminary analysis, a shockingly large number of Netalyzr users are behind DNS resolvers that can't handle fragmented traffic. Yet a large number are behind resolvers that do request DNSSEC data.
Since DNSSEC replies are often large (and can easily be over the 1500B response limit), turning on DNSSEC could very well mysteriously slow down DNS by causing large timeouts as the UDP reply fails to arrive and the DNS resolver, after a long timeout, then resorts to a TCP connection, even when the signatures are not validated, simply because there are a lot of resolvers that request DNSSEC but actually can't handle large replies.
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg01513.html
Test your net with Netalyzr
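Both the DNSKEY spot-check in the earlier comment and the fragmentation problem described in this one come down to what is on the wire: a resolver that sets the EDNS0 DO bit and advertises a large UDP buffer (4096 bytes is the common default) tells the authoritative server it may send a DNSKEY+RRSIG reply that exceeds the Ethernet MTU, and if something on the path drops IP fragments the resolver waits out its timeout before retrying over TCP. The script below is an added example, not code from either commenter or from Netalyzr. It builds an EDNS0 query and an authoritative-style response in DNS wire format with no third-party libraries, parses the response to count DNSKEY records (the check the earlier comment did by hand), and then compares two advertised buffer sizes: 4096, which lets the reply go out fragmented, and 1232, a widely recommended safe value, at which the server sets the TC bit so the resolver retries over TCP immediately. The zone `example.gov.`, the key and signature bytes, and the three-key rollover DNSKEY set are all constructed for the demonstration; `os.urandom` is used only to fill the opaque key blobs, so the byte counts are fixed but the contents are not real keys.

```python
import os
import struct

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
ETHERNET_MTU = 1500          # bytes per IPv4 datagram before fragmentation
IP_UDP_OVERHEAD = 28         # IPv4 header (20) + UDP header (8)
DO_FLAG = 0x8000             # "DNSSEC OK" bit in the OPT TTL field
TC_FLAG = 0x0200             # truncation bit in the header flags


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def opt_record(bufsize, do_bit):
    # OPT pseudo-RR (RFC 6891): root name, type 41, CLASS carries the UDP payload size, TTL carries DO
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO_FLAG if do_bit else 0, 0)


def build_query(qname, qtype, bufsize=4096, do_bit=True):
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_record(bufsize, do_bit)


def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, records, edns = 12, [], [], None
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype = struct.unpack("!HH", msg[offset:offset + 4])[0]
        offset += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):                       # answer, authority, additional share one RR format
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_OPT:
            edns = {"bufsize": rclass, "do": bool(ttl & DO_FLAG)}
        else:
            records.append((name, rtype, rdata))
    return {"id": txid, "tc": bool(flags & TC_FLAG), "questions": questions,
            "records": records, "edns": edns}


def count_type(parsed, rtype):
    return sum(1 for _, t, _ in parsed["records"] if t == rtype)


def build_response(query, rrs):
    """Answer `query` with rrs = [(name, type, ttl, rdata)], honouring the client's EDNS buffer size."""
    q = parse_message(query)
    bufsize = q["edns"]["bufsize"] if q["edns"] else 512
    do_bit = bool(q["edns"] and q["edns"]["do"])
    qname, qtype = q["questions"][0]
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                       for n, t, ttl, rd in rrs)
    msg = (struct.pack("!HHHHHH", q["id"], 0x8180, 1, len(rrs), 0, 1)
           + question + answers + opt_record(4096, do_bit))
    if len(msg) > bufsize:
        # Too big for the client's buffer: set TC, drop the answers, let the client retry over TCP
        msg = (struct.pack("!HHHHHH", q["id"], 0x8180 | TC_FLAG, 1, 0, 0, 1)
               + question + opt_record(4096, do_bit))
    return msg


def constructed_dnskey_rrset(zone):
    """Constructed (not real) DNSKEY RRset: two 2048-bit KSKs mid-rollover plus one ZSK, two RRSIGs."""
    rrs = []
    for flags in (257, 257, 256):                       # 257 = KSK (SEP bit set), 256 = ZSK
        rdata = struct.pack("!HBB", flags, 3, 8) + os.urandom(260)   # protocol 3, alg 8, opaque key blob
        rrs.append((zone, TYPE_DNSKEY, 3600, rdata))
    for _ in range(2):
        rdata = struct.pack("!HBBIIIH", TYPE_DNSKEY, 8, 2, 3600, 0, 0, 0) + encode_name(zone) + os.urandom(256)
        rrs.append((zone, TYPE_RRSIG, 3600, rdata))
    return rrs


def udp_delivery(reply_len, path_drops_fragments=True):
    """How a UDP reply of this size fares on an Ethernet-MTU path."""
    if reply_len + IP_UDP_OVERHEAD <= ETHERNET_MTU:
        return "single-datagram"
    return "fragments-dropped (timeout, then TCP retry)" if path_drops_fragments else "fragmented"


def simulate(bufsize, zone="example.gov.", path_drops_fragments=True):
    reply = build_response(build_query(zone, TYPE_DNSKEY, bufsize), constructed_dnskey_rrset(zone))
    parsed = parse_message(reply)
    return {"reply_len": len(reply), "tc": parsed["tc"], "dnskey": count_type(parsed, TYPE_DNSKEY),
            "udp": "truncated (immediate TCP retry)" if parsed["tc"]
                   else udp_delivery(len(reply), path_drops_fragments)}


if __name__ == "__main__":
    for size in (4096, 1232):
        print(size, simulate(size))
```

With the constructed key set the signed reply is 1521 bytes: under the 4096-byte buffer, so the server sends it whole and it fragments on a 1500-byte MTU path, which is exactly the case that turns into a long timeout on a fragment-dropping path. With the buffer lowered to 1232 the same server truncates (TC set, no answers) and the resolver goes straight to TCP, which is the usual mitigation on the resolver side; on the authoritative side, keeping the DNSKEY set small (fewer simultaneous keys, shorter rollovers) shrinks the reply below the MTU in the first place.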
I can certainly understand the unreasonable deadline complaint, but why exactly is DNSSEC "just some product being pushed by a shill company"? BIND implements DNSSEC, it's not like it's a proprietary piece of technology that is only offered by a single vendor.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)