Feds mandate DNSSEC; Internet techies yawn
February 24, 2011 | POSTED BY BRETT EDGAR IN SECURITY
The Office of Management and Budget (OMB) has issued a memo directing all federal agencies to deploy the DNS Security Extensions (DNSSEC; see RFC 4033 through RFC 4035, among others) by January 2009. If every agency follows the memo and signs the zones served by its public-facing authoritative DNS servers, this could finally be the long-awaited start to closing the last major unsecured piece of Internet infrastructure: name resolution.
Unfortunately, the benefits of DNSSEC are still many years away, even if the agencies move quickly. Why? Because signing a zone only helps if someone validates the signatures, and the validation has to happen somewhere in the resolver chain between you and the signed zone. That chain starts with the stub resolver in your operating system, goes through your ISP's recursive DNS servers, and ends at the authoritative servers for the zone. Today neither your OS nor your ISP's resolvers are likely to validate DNSSEC. A signed .gov zone does you no good if the recursive resolver you ask never checks the signatures and your stub resolver cannot check them itself; all you get back is an ordinary, unverifiable answer, exactly as before.
ISPs are unlikely to turn on DNSSEC validation in their resolvers until end-user operating systems can make use of it, and end-user operating systems are unlikely to support DNSSEC until ISP resolvers validate. Chicken, meet egg. Note that "support" on the client side means more than setting the DNSSEC OK (DO) bit in queries: the stub resolver must either validate signatures itself or trust the Authenticated Data (AD) bit set by a validating resolver, and the AD bit is only worth trusting over a path an attacker cannot tamper with. It might be reasonable to expect the default Linux resolvers to get there soon, but Linux is a small part of the end-user market. Don't expect Windows to support it very soon, either.
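To make the client-side half of this concrete, here is an added example (not code from the original post) showing, in pure standard-library Python, what a DNSSEC-aware stub resolver does on the wire: it builds a query carrying an EDNS0 OPT record with the DO bit set, then reads the response header and reports whether the recursive resolver asserted validation via the AD bit. The responses it inspects are constructed in the block itself so it runs offline; the transaction ID, name, and helper names are this example's own assumptions, and a real stub would also have to decide whether the channel to the resolver is trustworthy enough for the AD bit to mean anything.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2).
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: resolver claims it validated the answer
FLAG_CD = 0x0010   # checking disabled: ask resolver not to validate
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2

# OPT pseudo-RR constants (RFC 6891). The DO bit lives in the high bit of the TTL field.
OPT_TYPE = 41
OPT_UDP_PAYLOAD = 4096
EDNS_DO = 0x8000


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Build an A query; with dnssec_ok, append an OPT RR with the DO bit set."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if dnssec_ok:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, OPT_UDP_PAYLOAD, EDNS_DO, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def validation_status(query, response):
    """Classify what the response header tells a stub resolver about DNSSEC validation."""
    q = parse_header(query)
    r = parse_header(response)
    if r["id"] != q["id"]:
        return "mismatched-id"          # not an answer to our query (or spoofed badly)
    if not r["flags"] & FLAG_QR:
        return "not-a-response"
    if r["rcode"] == RCODE_SERVFAIL:
        # A validating resolver returns SERVFAIL for bogus data, but so do many
        # unrelated failures; the stub cannot distinguish them from the header alone.
        return "servfail"
    if r["flags"] & FLAG_AD:
        # The resolver asserts it validated the chain of trust. This is only as
        # trustworthy as the path between the stub and that resolver.
        return "validated"
    return "unvalidated"                # answer came back, but nobody checked signatures


def make_response(txid, name, flags, rcode=0):
    """Construct a minimal (answer-less) response header + question for testing."""
    header = struct.pack("!HHHHHH", txid, flags | rcode, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    q = build_query("example.com")
    validating = make_response(0x1234, "example.com", FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
    plain = make_response(0x1234, "example.com", FLAG_QR | FLAG_RD | FLAG_RA)
    print("validating resolver:", validation_status(q, validating))
    print("non-validating resolver:", validation_status(q, plain))
```

The point the example makes is the one in the paragraph above: with a non-validating ISP resolver the stub gets a perfectly normal-looking answer with AD clear, and unless it validates the RRSIG records itself it has learned nothing about authenticity.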
And so the Internet techies yawn...