Half of .gov Sites Fail DNSSEC Test
netbuzz writes "US federal government Web sites were mandated to have begun deploying DNS Security Extensions (DNSSEC) by Dec. 31, 2009, but a recent check shows that 51 percent have still failed to do so. That does represent a marked increase over the 20 percent that had complied as of a year ago. 'But if you think the government should be fully deployed by now, it's a disappointing number,' says Mark Beckett, vice president of marketing and product management for Secure64, who conducted the study."
How's about we put these guys in charge of maintaining all medical records in the U.S.? What could possibly go wrong?
Study performed by company that competes for government contracts to fix issues pointed out by said study finds that government should hire them.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Ya, I work for a government; you can't imagine the tests and procedures you need to follow to change a critical infrastructure like DNS to calm all the fearful. And you have to do all this while understaffed and overworked because consultants can't seem to do anything right.
Democracy is slow? Hold on a minute now...
In my own experience 85% of the government websites I've visited looked about as good as their usability: disgusting.
After all, wasting money on things like a pointless war overseas is way more important, right?
What do I know, I'm just an idiot, right?
Seeing as how DNSSEC is even less prevalent in non-government web sites, shouldn't we then be rejoicing that almost half of all government sites are passing? That the government sites are performing so much better than non-government sites seems like a good sign that while DNSSEC hasn't been completely rolled out, the government is operating ahead of the market and has easily measurable and enforceable goals to complete the process?
Yeah, I want to see 100% adaptation as well, but attacking the government as incompetent and then pointing out that they are beating the private sector adaptation rates sure seems like an endorsement of the feds' approach to DNSSEC implementation over the free market implementation approach.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Mod parent offtopic. Where's my damn mod points?
Stimpy, whatever you do, don't touch the big red button!
Government agencies ignored an OMB mandate. This is not exactly news.
Coincidentally I was just yesterday at a DNSSEC seminar presented by Cricket Liu. While obscenely complicated compared to the more or less basic operation of a non-DNSSEC name server, it is super easy to (and really operationally required IMHO to) automate the entire DNSSEC part of DNS administration. Of course he showed his own employer's DNS tool (he works for infoblox.com) but there are other choices and methods of automating and he did not really make it into a big sales pitch for his employer, just a simple screenshot showing its ease of use and a few minutes to describe it.
Anyways, I plan to start really investigating the deployment of DNSSEC now.
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
Wow, talk about a confusingly worded summary. If you're going to talk about how many sites have failed to pass the test, and then compare that to previous numbers, make sure that the second number is ALSO the percentage that FAILED and not the percentage that PASSED. At first I thought it was saying that, last time, only 20% failed the test and was wondering why the OP seemed to be suggesting that 51% failure is better than 20% failure.
Rules of Conduct:
#1 - The DM is always right.
#2 - If the DM is wrong, see rule #1
As an MCITP engineer, I can tell you that setting up DNSSec isn't exactly a click, click, finish type of thing. It requires a strong understanding of DNSSec concepts and a high degree of technical skill. Don't believe me, download the deployment guide. There's a lot of complex work that goes into setting up DNSSec. After all the work you put into getting it set up, then you have to administer it--which is another pain especially if you work with DNS records a lot.
Perhaps this is a good thread to stir up some community discussion on last month's 27th Chaos Communication Congress presentation.
- Dan Bernstein hosted a talk, partially covering DNSSEC: http://www.vimeo.com/18417770
- Dan Kaminsky replied in defense of the protocol here: http://dankaminsky.com/2011/01/05/djb-ccc
What are the current arguments for and against implementing DNSSEC from other experts and the rest of us?
... hundreds of government-owned computers from all over the world have been compromised by bad passwords, outdated and exploitable software, and a general lack of awareness.
My SSH and FTP servers get pounded on a daily basis by those machines. And before someone screams "change the port", why should I break RFC to avoid "spam"?
Anyone who actually cares about cache poisoning should set up better ACLs as to who can access your DNS server.
There's an old saying in government: "A mandate without money is but a wish."
Invenio via vel creo
It's not like this will enhance security if this was done immediately. How many applications rely on this tech? Not many.
It looks like this really should be "Half of .gov sites are not signed, thus not in compliance with the mandate to deploy DNSSEC." Meaning "the sites cannot be validated because they're not signed" *not* meaning "people with validating resolvers can't get to these sites"
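The distinction drawn in the comment above, sketched as an added example (not part of any poster's comment and not the study's method): an unsigned delegation is merely "insecure" and still resolves, while a delegation with a DS record that the child zone's keys do not match is "bogus" and fails for validating resolvers. The zone name and key bytes are constructed, the parent is assumed to be signed, and signature verification itself is not performed.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(owner: str, dnskey_rdata: bytes) -> bytes:
    """DS digest type 2 (RFC 4509): SHA-256 over owner name plus DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + dnskey_rdata).digest()

def classify(owner, parent_ds, child_dnskeys, has_rrsigs):
    """parent_ds: [(key_tag, digest)]; child_dnskeys: [DNSKEY RDATA bytes]."""
    if not parent_ds:
        # No DS at the parent: the delegation is unsigned. A validating
        # resolver still returns answers, it just cannot authenticate them.
        return "insecure"
    linked = any((key_tag(k), ds_sha256(owner, k)) in parent_ds
                 for k in child_dnskeys)
    # A DS exists but no key matches it, or nothing is signed: validation
    # fails and a validating resolver answers SERVFAIL.
    # "chain-intact" means DS and DNSKEY link up; RRSIGs are not verified here.
    return "chain-intact" if linked and has_rrsigs else "bogus"

# Constructed sample data: hypothetical zone, filler bytes instead of a real key.
ZONE = "agency.example."
KSK = struct.pack("!HBB", 257, 3, 8) + bytes(range(64))  # flags, protocol, alg
GOOD_DS = (key_tag(KSK), ds_sha256(ZONE, KSK))
STALE_DS = (key_tag(KSK), b"\x00" * 32)  # digest left over from a retired key

if __name__ == "__main__":
    print(classify(ZONE, [], [], False))          # unsigned zone
    print(classify(ZONE, [GOOD_DS], [KSK], True))  # signed and linked
    print(classify(ZONE, [STALE_DS], [KSK], True)) # DS no longer matches
```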
DNSSEC is a joke, it does not prevent any form of DNS poisoning attacks nor does it do anything to secure the DNS from being hacked. All it does is secure that the domain is pointing to the correct DNS server. So unless your domain registrar is just THAT stupid, this is a totally useless technology.