Slashdot Mirror


80% of .gov Web Sites Miss DNSSEC Deadline

netbuzz writes "Eighty percent of US federal agencies — including the Department of Homeland Security — have missed a deadline to deploy DNS Security Extensions, a new authentication mechanism designed to prevent hackers from hijacking Web traffic. The deadline that whooshed by was Dec. 31, 2009. Experts disagree as to whether this level of deployment represents a failure or reasonable progress toward meeting a mandate set by the Office of Management and Budget in the summer of 2008. OMB officials declined to say why the agency hasn't enforced the DNSSEC deadline for executive branch departments."

7 of 79 comments

  1. Re:I'm not a huge fan of DHS either by Sir_Lewk · Score: 4, Insightful

    The reason why the DHS gets more attention here than other departments is because they are the Department of Homeland Security. The importance of irony when ridiculing the government is not to be overlooked.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  2. That's nothing by Monkeedude1212 · Score: 3, Funny

    Rumour has it All Canadian governments open TCP/UDP ports 2 through 65535.

    The first one is the reserved emergency port for the Prime Minister to escape in the case of a national emergency. We tried to explain to him that's not how it works but... You know politicians...

  3. Re:I'm not a huge fan of DHS either by tiberus · Score: 3, Insightful

    First, let's hope it's a reason and not an excuse...
    Second, Security through obscurity is no security at all or No security through obscurity.

  4. Good... by nweaver · Score: 4, Interesting

    DNSSEC still has some serious problems. E.g., in our preliminary analysis, a shockingly large number of Netalyzr users are behind DNS resolvers that can't handle fragmented traffic. Yet a large number are behind resolvers that do request DNSSEC data.

    Since DNSSEC replies are often large (and can easily be over the 1500B response limit), turning on DNSSEC could very well mysteriously slow down DNS by causing large timeouts as the UDP reply fails to arrive and the DNS resolver, after a long timeout, then resorts to a TCP connection, even when the signatures are not validated, simply because there are a lot of resolvers that request DNSSEC but actually can't handle large replies.

    http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg01513.html

    --
    Test your net with Netalyzr
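    As an added illustration of the failure mode described in this comment (not code from the comment, from Netalyzr or from the IETF thread linked above), the following Python probe sends the same query twice, once advertising a 512-byte EDNS0 buffer and once a 4096-byte one, both with the DO bit set. If the large-buffer query times out while the small one comes back (normally with TC set, forcing TCP), the path between you and the resolver is dropping fragmented replies. The resolver address and the query name are placeholders you substitute.

    ```python
    import socket
    import struct

    def build_query(qname, qtype=1, udp_payload=4096, do_bit=True, txid=0x1234):
        """Build a DNS query carrying an EDNS0 OPT pseudo-RR (RFC 6891).
        udp_payload is the reply size we claim to accept; do_bit sets the DNSSEC OK flag,
        which asks the resolver to include RRSIG and other DNSSEC records in the reply."""
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
        labels = qname.rstrip(".").split(".")
        question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
        question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16); DO is the top bit of the flags.
        ttl = (1 << 15) if do_bit else 0
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, ttl, 0)
        return header + question + opt

    def classify_response(resp):
        """Classify a raw UDP reply: 'truncated' (TC set, client must retry over TCP),
        'ok', or 'malformed'."""
        if len(resp) < 12:
            return "malformed"
        flags = struct.unpack("!H", resp[2:4])[0]
        return "truncated" if flags & 0x0200 else "ok"

    def probe(resolver, qname, udp_payload, timeout=3.0):
        """Send one query over UDP and report (status, reply_length).
        A 'timeout' here is the symptom the comment describes: the fragmented reply never arrives."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(qname, udp_payload=udp_payload), (resolver, 53))
            data, _ = sock.recvfrom(65535)
            return classify_response(data), len(data)
        except socket.timeout:
            return "timeout", 0
        finally:
            sock.close()

    def interpret(small_status, large_status):
        """Turn the two probe results into a verdict for the resolver path."""
        if large_status == "timeout" and small_status in ("ok", "truncated"):
            return "fragments-dropped"  # large DNSSEC replies will stall, then fall back to TCP
        if large_status == "ok":
            return "large-replies-ok"
        return "inconclusive"

    if __name__ == "__main__":
        resolver, name = "192.0.2.53", "example.org"  # placeholders: your resolver and a signed zone
        small, _ = probe(resolver, name, 512)
        large, _ = probe(resolver, name, 4096)
        print(small, large, interpret(small, large))
    ```
    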
  5. Re:of course by Archangel Michael · Score: 3, Insightful

    1) Yeah? And?

    2) It wasn't unrealistic.

    How long does it take to implement?

    1) Get deadline
    2) Start product evaluations
    3) Pick Product(s)
    4) Implement Product
    5) Write Howto: for all the idiots out there

    If we use 3 months (1/4 year) for each step, we're looking at 1 year, three months to implement, including figuring out timelines for implementation.

    Once you start rolling out, you cookie cutter as much as you can, so you have easy, consistent configurations and implementations.

    I don't get why it takes so long.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  6. No mention of the .gov registrar mistakes by Anonymous Coward · Score: 3, Informative

    I am the DNS admin of a federal agency. We signed two of our domains, and twice had .gov delete the keys that allowed the domains to be trusted. We then got the run-around and were lied to by the .gov admin. My management and I are now afraid to make any further progress implementing DNSSEC because .gov has made so many mistakes. It is better to be unsigned than to be signed and have the trust keys be incorrect.

    Additionally, the tools to implement DNSSEC are non-trivial. A federal agency or Fortune 500 can afford to buy a Secure64 Signer. Looking forward to when I want to sign my personal domains (in .org and .com), the tools have to become much simpler and much more automated.

  7. I manage DNS for a .gov by snsh · Score: 3, Informative

    I manage a .gov domain for a non-federal entity. Last year I pursued DNSSEC and hosted DNS to improve availability and diversity over our on-premise DNS. Windows DNS and BIND seemed okay for DNSSEC secondaries, but signing and key rollover are high-maintenance. Maybe in the near future that will change. There are appliances I could buy for $10-20k to manage master zones and do DNSSEC, but they were out of budget. I worked with a hosted provider (dynect) for DNSSEC signing with .GOV, but that turned out to be out of budget too. So eventually I just settled on dnsmadeeasy for nominal cost, with anticipation that they'll support DNSSEC sometime in mid-2010. Basically DNSSEC for the masses doesn't seem to be there yet.