Slashdot Mirror


80% of .gov Web Sites Miss DNSSEC Deadline

netbuzz writes "Eighty percent of US federal agencies — including the Department of Homeland Security — have missed a deadline to deploy DNS Security Extensions, a new authentication mechanism designed to prevent hackers from hijacking Web traffic. The deadline that whooshed by was Dec. 31, 2009. Experts disagree as to whether this level of deployment represents a failure or reasonable progress toward meeting a mandate set by the Office of Management and Budget in the summer of 2008. OMB officials declined to say why the agency hasn't enforced the DNSSEC deadline for executive branch departments."

2 of 79 comments

  1. Re:I'm not a huge fan of DHS either by Sir_Lewk · Score: 4, Insightful

    The reason why the DHS gets more attention here than other departments is because they are the Department of Homeland Security. The importance of irony when ridiculing the government is not to be overlooked.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  2. Good... by nweaver · Score: 4, Interesting

    DNSSEC still has some serious problems. E.g., in our preliminary analysis, a shockingly large number of Netalyzr users are behind DNS resolvers that can't handle fragmented traffic. Yet a large number are behind resolvers that do request DNSSEC data.

    Since DNSSEC replies are often large (and can easily be over the 1500B response limit), turning on DNSSEC could very well mysteriously slow down DNS by causing large timeouts as the UDP reply fails to arrive and the DNS resolver, after a long timeout, then resorts to a TCP connection, even when the signatures are not validated, simply because there are a lot of resolvers that request DNSSEC but actually can't handle large replies.

    http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg01513.html

    --
    Test your net with Netalyzr
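
The resolver behaviour described in the comment above can be checked from a captured query. This is an added example, not code from the comment or from Netalyzr: it reads the EDNS0 OPT record of a DNS query to see whether the sender requests DNSSEC data (DO bit) while advertising a UDP buffer larger than one unfragmented packet. The function names, the sample query for example.com, and the IPv4/1500-byte-MTU figure are assumptions made for the illustration.

```python
import struct

# Assumption: IPv4 over a 1500-byte MTU with no IP options (20B IP + 8B UDP headers).
MAX_UNFRAGMENTED = 1500 - 20 - 8
OPT = 41  # EDNS0 pseudo-record type (RFC 6891)

def build_query(name, bufsize=4096, do=True, txid=0x1234):
    """Build a constructed A query with an OPT record: CLASS = UDP size, DO = TTL bit 15."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0x8000 if do else 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return (advertised_udp_size, do_bit) from the OPT record, or None without EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT:
            return rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return None

def classify(msg):
    """Label a query by whether it invites replies that need IP fragmentation."""
    info = edns_info(msg)
    if info is None:
        return "no-edns"               # replies capped at 512B; bigger ones set TC
    size, do = info
    if not do:
        return "dnssec-not-requested"
    if size > MAX_UNFRAGMENTED:
        return "fragmentation-risk"    # signed reply may span fragments and be dropped
    return "single-packet"             # server truncates instead; client retries over TCP
```

A query labelled `fragmentation-risk` is only a problem when the path in front of the resolver drops IP fragments, which is the combination the comment reports.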