After we published the results of the 2010 DNS Survey last year, I spoke with reporters from several technical magazines and web sites about what the numbers meant. Many asked how long I felt it would take until we saw widespread adoption of DNSSEC. The answer depends, of course, on how you define widespread, and frankly, I’m not sure any prediction I might hazard is particularly valuable. But in thinking about the question, I realized that I do believe strongly that 2011 is a make-or-break year for DNSSEC.
In just a couple of months, when VeriSign signs .com, nearly all of the major impediments to broad implementation of DNSSEC will be gone. The root zone and the three big gTLDs, .com, .net and .org, will have been signed. Many European ccTLDs have already been signed. Stable implementations of DNSSEC are available in multiple name servers, including recursive (BIND and Unbound) and authoritative (BIND and NSD). Commercial products, including Infoblox’s, support and simplify DNSSEC, too. Documentation on DNSSEC is widely available, in the form of presentations, RFCs, and even books.
And a wide variety of people and organizations have thrown their weight behind DNSSEC. Registries, including Nominet, SIDN, SWITCH, and VeriSign, are pushing DNSSEC. In addition to preaching the importance of DNSSEC, Dan Kaminsky released Phreebird, which he calls Zero Configuration DNSSEC: a DNSSEC proxy that can front-end any DNS server and supplement its responses with DNSSEC records. Vint Cerf and Steve Crocker are vocal in their support for DNSSEC.
If this isn't enough to spur substantial deployment of DNSSEC, only regulation and litigation are left.
Currently, only the U.S. federal government is mandated to deploy DNSSEC. But that could change. Sens. Lieberman, Collins and Carper introduced a bill last year that would make the Department of Homeland Security responsible for protecting civi…. And a gentleman who attended an event I hosted last year in Chicago and is a member of a PCI working group said the organization is strongly considering requiring DNSSEC as a condition for PCI compliance.
Even more intimidating is the prospect of litigation. Given the lack of good excuses for not deploying DNSSEC, and the number of learned folks touting it as a best practice, those forgoing implementation are taking a risk. I think it's simply a matter of time before some enterprising attorney decides to make a test case out of someone's falling victim to a cache poisoning attack, and — looking for deep pockets — goes after the bank/online merchant/brokerage that didn't care enough about their customers to sign their zone and the ISP that didn't care enough to validate signed responses.
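Whether a recursive server actually validates is something you can test from the client side, because a validating resolver sets the AD (Authenticated Data) bit in its responses. The following is an added example, not code from the original post or from any product mentioned in it: it builds a query with the EDNS0 DO bit set (which asks the resolver for DNSSEC records) and classifies a response by its header flags. The response messages here are constructed byte strings standing in for what a resolver would return, and the hostname and transaction ID are arbitrary.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 4035)
QR = 0x8000
RD = 0x0100
RA = 0x0080
AD = 0x0020
CD = 0x0010
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2

# EDNS0 OPT pseudo-RR (RFC 2671 / 6891): DO is the top bit of the TTL field
OPT_TYPE = 41
EDNS_DO = 0x00008000


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, do_bit: bool = True) -> bytes:
    """Build a recursive query for qname; with do_bit, add an OPT RR with DO=1.

    A resolver will only return RRSIGs (and only set AD) if the client asked
    with DO=1, so this is the query a validation check has to send.
    """
    arcount = 1 if do_bit else 0
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = wire_name + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if do_bit:
        # root name, TYPE=OPT, CLASS=UDP payload size, TTL=flags (DO set), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_flags(msg: bytes) -> dict:
    """Decode the transaction ID and the header flags that matter for validation."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
    }


def validation_status(resp: bytes, expected_id: int) -> str:
    """Classify a response to a DO=1 query.

    'validated'   - AD set: the resolver verified the chain of trust.
    'servfail'    - RCODE 2: a validating resolver returns this for bogus data
                    (it can also mean an unrelated failure, so check CD=1 too).
    'unvalidated' - answer returned without AD: the resolver did not validate,
                    or the zone is unsigned.
    'mismatch'    - transaction ID does not match our query; ignore it.
    """
    f = parse_flags(resp)
    if f["id"] != expected_id or not f["qr"]:
        return "mismatch"
    if f["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if f["ad"]:
        return "validated"
    return "unvalidated"


# Constructed response headers (12 bytes each, no RRs) for the three cases.
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 1)
RESP_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 1)
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | RCODE_SERVFAIL, 1, 0, 0, 1)

if __name__ == "__main__":
    query = build_query("www.example.com.")
    print(f"query is {len(query)} bytes, DO bit set, ARCOUNT={struct.unpack('!H', query[10:12])[0]}")
    for name, resp in (("validated", RESP_VALIDATED), ("unvalidated", RESP_UNVALIDATED), ("servfail", RESP_SERVFAIL)):
        print(f"{name:12s} -> {validation_status(resp, 0x1234)}")
```

The caveat a practitioner should keep in mind: the AD bit is a flag set by the resolver, not a signature, so it is only meaningful over a path you trust between the stub and the recursive server. An attacker who can spoof responses to the stub can set AD just as easily as any other bit; the bit tells you what your resolver claims to have done, which is exactly the question this post is about, but it does not by itself protect the last hop.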
Maybe it's naive of me to hope that we can do the right thing and deploy DNSSEC using only carrots and no sticks, but I still believe we can.