80% of .gov Web Sites Miss DNSSEC Deadline

netbuzz writes "Eighty percent of US federal agencies — including the Department of Homeland Security — have missed a deadline to deploy DNS Security Extensions, a new authentication mechanism designed to prevent hackers from hijacking Web traffic. The deadline that whooshed by was Dec. 31, 2009. Experts disagree as to whether this level of deployment represents a failure or reasonable progress toward meeting a mandate set by the Office of Management and Budget in the summer of 2008. OMB officials declined to say why the agency hasn't enforced the DNSSEC deadline for executive branch departments."

of course

[brennz]

(1) you have a shill of a biased company selling products to the industry pushing the requirement
(2) An unrealistic deadline set by OMB initially.

This is a craptastic story.

Re:of course

[Archangel+Michael]

1) Yeah? And?

2) IT wasn't unrealistic.

How long does it take to implement?

1) Get deadline
2) Start product evaluations
3) Pick Product(s)
4) Implement Product
5) Write Howto: for all the idiots out there

If we use 3 Months (1/4 year) for each step, we're looking at 1 year, three months to implement, including figuring out time lines for implementation.

Once you start rolling out, you cookie cutter as much as you can, so you have easy, consistent configurations and implementations.

I don't get why it takes so long.

Re:of course

[Sir_Lewk]

I can certainly understand the unreasonable deadline complaint, but why exactly is DNSSEC "just some product being pushed by a shill company"? BIND implements DNSSEC, it's not like it's a proprietary piece of technology that is only offered by a single vendor.

Re:of course

If we use 3 Months (1/4 year) for each step

You've never worked for a government agency, or on a government contract, have you? 3 Months for "Getting the deadline" is usually unrealistic!

NOTE: This reality pisses me off to no end...

Re:of course

[Archangel+Michael]

DNSEC is not the same as writing a program. It is a service that does one thing. DNS .. Securely.

The protocols are ALREADY set, it is just a matter of configuration and implementation.

Again, other places have DNSEC working right, so what is so hard about getting it working here? I mean besides normal Bureaucratic Government Ineptitude?

Re:I'm not a huge fan of DHS either

[Sir_Lewk]

The reason why the DHS gets more attention here than other departments is because they are the Department of Homeland Security. The importance of irony when ridiculing the government is not to be overlooked.

Re:I'm not a huge fan of DHS either

[Opportunist]

Now where is the full list of orgs that have or have not done it?

Why, looking for a shopping list? :)

Seriously, this time I could even understand if it was not released for "reasons of national security". It would be one of the few cases where that excuse actually makes sense.

That's nothing

[Monkeedude1212]

Rumour has it All Canadian governments open TCP/UDP ports 2 through 65535.

The first one is the reserved emergency port for the Prime Minister to escape in the case of a national emergency. We tried to explain to him that's not how it works but... You know politicians...

Re:I'm not a huge fan of DHS either

Sir, I think that you have penis on the brain.

And I quote:
I'm not a huge fan of DHS, but come on there are so many other government agencies that hardly ever get any abuse at all. DHS has had a lot of cock ups, and should be ridden hard to shape up or dissolve, but this is hardly an opening sentence kind of cock up.

Now where is the full list of orgs that have or have not done it? I suspect its going to be a lot like reading the pork report.

Mountains out of molehills, as per usual ....

[King_TJ]

Sure, it's always good to implement updates that improve network/computer security ... but let's face it. These deadlines are put in place primarily to ensure people actually pay attention and do the update in a reasonable amount of time. It's not like govt. had inside information that right after Dec. 31, 2009 - hackers were going to go crazy trying to exploit this DNS issue, so that was the day it really NEEDED to be implemented by, across the board.

Maybe I'm just in a sour mood right now with this stuff in general? But lately, I sense an ever-increasing amount of importance being placed on every little security patch or change, when it's just not really warranted. It seems really self-serving to those who work in the field of "computer security", because it makes a bunch of extra billable work for them - and they get to scare more people into paying them to secure things for them.

I mean, just this morning, I came into work and checked my mail, and what do I see? People on C-Net asking questions about if they should just "quit using Internet Explorer, given the recent security exploits". (Umm, let's see here.... You successfully used the thing ever since probably when? At least back in 2001 or 2002, right? And theoretically at least, it's "safer" now than EVER before, since Microsoft has been patching and upgrading the thing that whole time. So why would you suddenly determine NOW that it's just too unsafe to use again??)

And later today, I've got to waste my afternoon ensuring "PCI Compliance" because my workplace accepts credit cards once in a while, processed via an Internet-based card processing service. We don't even store *any* of the card data here, on either our systems or on paper. They just punch the stuff into the web site to do the processing, and let the processor keep the data. But *still*, simply because we do it, we have to have monthly "penetration testing" done against our firewall's IP address (among other requirements), and the stupid test claims I "fail" right now, due to issues that hardly matter in reality. (EG. It's complaining about unpatched issues with the Outlook Web Access part of Exchange, even though nobody even has access to use OWA in our company except me, as sysadmin -- and again, I'm finding it quite the stretch to see how someone hacking OWA here would magically obtain customer credit card info, given how we operate here?)

Re:I'm not a huge fan of DHS either

[tiberus]

First, let's hope it's a reason and not an excuse...
Second, Security through obscurity is no security at all or No security through obscurity.

Re:I'm not a huge fan of DHS either

[Zibri]

Seems that most of the larger (well-known) *.govs doens't haven't deployed dnssec. I tried cia.gov, fbi.gov, nsa.gov (!), state.gov, whitehouse.gov, ins.gov, irs.gov... state.gov was the only one i found having published a DNSKEY rr. (I just picked a few at random I knew)

Lack of government IT knowledge

[RichMan]

So does this show a lack of government IT ability. Or is it more representative of the general inertia of government. I would worry more about the former. Where the government is exposing itself to the wilds of the internet without the ability to protect itself.

Re:I'm not a huge fan of DHS either

[Smallpond]

Seriously, this time I could even understand if it was not released for "reasons of national security". It would be one of the few cases where that excuse actually makes sense.

 
Because the terrorists who are going to attack using a sophisticated DNS cache poisoning technique are obviously too stupid to download a list of government websites and go through them one-by-one to see which are using DNSSEC.

Good...

[nweaver]

DNSSEC still has some serious problems. EG, in our preliminary analysis, a shockingly large number of Netalyzr users are behind DNS resolvers that can't handle fragmented traffic. Yet a large number are behind resolvers that do request DNSSEC data.

Since DNSSEC replies are often large (and can easily be over the 1500B response limit), turning on DNSSEC could very well mysteriously slow down DNS by causing large timeouts as the UDP reply fails to arrive and the DNS resolver, after a long timeout, then resorts to a TCP connection, even when the signatures are not validated, simply because there are a lot of resolvers that request DNSSEC but actually can't handle large replies.

http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg01513.html

Re:How do you check?

[HogGeek]

http://lmgtfy.com/?q=dig+dnssec

No mention of the .dov registrar mistakes

I am the DNS admin of a federal agency. We signed two of our domains, and twice had .gov delete the keys that allowed the domains to be trusted. We then got the run-around and were lied to by the .gov admin. My management and I are now afraid to make any further progress implementing DNSSEC because .gov has made so many mistakes. It is better to be unsigned than to be signed and have the trust keys be incorrect.

Additionally, the tools to implement DNSSEC are non-trivial. A federal agency or Fortune 500 can afford to buy a Secure64 Signer. Looking forward to when I want to sign my personal domains (in .org and .com), the tools have to become much simpler and much more automated.

I manage DNS for a .gov

[snsh]

I manage a .gov domain for a non-federal entity. Last year I pursued DNSSEC and hosted DNS to improve availability and diversity over our on-premise DNS. Windows DNS and BIND seemed okay for DNSSEC secondaries, but signing and key rollover are high-maintenance. Maybe in the near future that will change. There are appliances I could buy for $10-20k to manage master zones and do DNSSEC, but they were out of budget. I worked with a hosted provider (dynect) for DNSSEC singing with .GOV, but that turned out to be out of budget too. So eventually I just settled on dnsmadeeasy for nominal cost, with anticipation that they'll support DNSSEC sometime in mid-2010. Basically DNSSEC for the masses doesn't seem to be there yet.

4 out of 5 Slashdot editors are complete failures

[Hurricane78]

This is what the subject line in my RSS reader (Thunderbird) just gave me:

4 Out of 5 of<nobr> <wbr></nobr>.gov Web Sites Miss DNSSEC Deadline

WTF? Are you writing this stuff in MS Word?
Because I constantly see this stupid shit. And no human would ever do something like that.