Slashdot Mirror


Half of .gov Sites Fail DNSSEC Test

netbuzz writes "US federal government Web sites were mandated to have begun deploying DNS Security Extensions (DNSSEC) by Dec. 31, 2009, but a recent check shows that 51 percent have still failed to do so. That does represent a marked increase over the 20 percent that had complied as of a year ago. 'But if you think the government should be fully deployed by now, it's a disappointing number,' says Mark Beckett, vice president of marketing and product management for Secure64, who conducted the study."


  1. Hello Slashvertisement by RingDev · · Score: 5, Insightful

    Study performed by company that competes for government contracts to fix issues pointed out by said study finds that government should hire them.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    1. Re:Hello Slashvertisement by hAckz0r · · Score: 2, Interesting
      Likely true. But then history has shown that when the Government is embarrassingly hacked on a wide scale basis, due to the lack of DNS security, they will be dragged kicking and clawing into the 21st century. Sooner or later some clueless congressman submits a bill that "fixes" the problem where the 'problem' is not even understood much less 'defined' adequately. In the meantime those doing business over the internet will have moved forward so that they can protect their profits from man-in-the-middle attacks once the customers start taking them to court with class action suits. Sadly, this means you have to get screwed and then complain before things actually get better.

      After that things will start to progress as defined by this thing called 'common sense'. Everybody knows it needs doing, it's just that nobody wants to financially put the effort into DNSSEC or IPv6 until everyone else has done the hard work and they can simply sit back and flip some switch, or hire someone with years of experience with it that knows how to turn it on.

      btw - If you use Firefox as a browser look into the "DNSSEC Validator" plugin and see just how many websites there are that you can really trust. Very few. Awareness is half the battle. Note the News story ITFA cannot be trusted, as it could be hosted in North Korea as a propaganda campaign and we wouldn't know unless you have a way to check that it really is from 'NetworkWorld'. NetworkWorld's web site is not secured with DNSSEC, so who can tell. Why should we even assume the story is true if by extension we can't trust who wrote it?

  2. Almost half pass! by RingDev · · Score: 2

    Seeing as how DNSSEC is even less prevalent in non-government web sites, shouldn't we then be rejoicing that almost half of all government sites are passing? That the government sites are performing so much better than non-government sites seems like a good sign that while DNSSEC hasn't been completely rolled out, the government is operating ahead of the market and has easily measurable and enforceable goals to complete the process?

    Yeah, I want to see 100% adaptation as well, but attacking the government as incompetent and then pointing out that they are beating the private sector adaptation rates sure seems like an endorsement of the feds' approach to DNSSEC implementation over the free market implementation approach.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  3. Stop the presses: OMB mandate ignored! by mschaffer · · Score: 3, Insightful

    Government agencies ignored an OMB mandate. This is not exactly news.

  4. Cricket Liu on DNSSEC by RazzleDazzle · · Score: 3, Interesting

    Coincidentally I was just yesterday at a DNSSEC seminar presented by Cricket Liu. While obscenely complicated compared to the more or less basic operation of a non-DNSSEC name server, it is super easy to (and really operationally required IMHO to) automate the entire DNSSEC part of DNS administration. Of course he showed his own employer's DNS tool (he works for infoblox.com) but there are other choices and methods of automating and he did not really make it into a big sales pitch for his employer, just a simple screenshot showing its ease of use and a few minutes to describe it.

    Anyways, I plan to start really investigating the deployment of DNSSEC now.

    --
    ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    1. Re:Cricket Liu on DNSSEC by imikem · · Score: 2

      This was the presentation in Minneapolis? I was there too. I thought it was excellent, as was the food. I did wind up wearing a bunch of salad dressing on my shirtsleeve though.

      DNSSEC needs to get implemented, and that soon. Of course when I hear the statistics on how many ancient unpatched servers are out there with recursion turned on for world+dog, I want to cry.

      --
      Perscriptio in manibus tabellariorum est.
  5. Re:Stop the presses: OMB mandate ignored! by FurtiveGlancer · · Score: 2

    There's an old saying in government: "A mandate without money is but a wish."

    --
    Invenio via vel creo
  6. Half *not signed* not *failing* by FliesLikeABrick · · Score: 2

    It looks like this really should be "Half of .gov sites are not signed, thus not in compliance with the mandate to deploy DNSSEC." Meaning "the sites cannot be validated because they're not signed" *not* meaning "people with validating resolvers can't get to these sites"
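
The distinction drawn in the last comment (unsigned versus failing validation) can be checked from `dig +dnssec` output. The following is an added example, not part of the original thread: it assumes the query went to a validating resolver over a trusted path, uses constructed sample output, and the function names and state labels are illustrative.

```python
import re

# Constructed samples of `dig +dnssec` header/answer lines (not real captures).
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4121
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
signed.example. 300 IN A 192.0.2.10
signed.example. 300 IN RRSIG A 8 2 300 20300101000000 20291201000000 12345 signed.example. c2ln
"""
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 733
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
unsigned.example. 300 IN A 192.0.2.20
"""
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9002
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
broken.example. 300 IN A 192.0.2.30
broken.example. 300 IN RRSIG A 8 2 300 20200101000000 20191201000000 12345 broken.example. ZXhw
"""

def parse(output):
    # Pull the rcode, the header flags, and whether any answer row is an RRSIG.
    status = re.search(r"status: (\w+)", output).group(1)
    flags = re.search(r"flags: ([a-z ]*);", output).group(1).split()
    rows = [l.split() for l in output.splitlines() if l and not l.startswith(";")]
    has_rrsig = any(len(r) > 3 and r[3] == "RRSIG" for r in rows)
    return status, flags, has_rrsig

def classify(normal, with_cd=None):
    # normal: output of `dig +dnssec`; with_cd: same query repeated with `+cd`.
    status, flags, has_rrsig = parse(normal)
    if status == "NOERROR":
        if "ad" in flags:
            return "secure"        # signed, and the resolver validated it
        return "indeterminate" if has_rrsig else "insecure"  # insecure = unsigned
    if status == "SERVFAIL" and with_cd and parse(with_cd)[0] == "NOERROR":
        return "bogus"             # answers only when validation is disabled
    return "servfail"              # failure not attributable to DNSSEC here

def resolves_for_validating_client(state):
    # Unsigned zones still resolve; only bogus data is withheld from the client.
    return state in ("secure", "insecure")
```
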