If DNS Security Extension (DNSSEC) is so “GREAT” why don’t the largest domains on the internet use it? (google.com, Tumblr.com, Twitter.com, Facebook.com….)
There are a number of different possible reasons many of the largest domains on the internet have not chosen to implement DNSSEC yet. I have no doubt that every single on of the organizations owning the largest domains on the internet have discussed implementation of DNSSEC at length. Discussion points resulting in no action in lieu of full implementation likely vary based on organization, risk assessments, etc. One possible answer is likely that while DNSSEC provides added security benefits, incorrect implementation of DNSSEC can cause catastrophic resolution problems and extended downtime for domains.
In the early days of DNS protocol, would be attackers began using unauthenticated zone transfer methods, enabling them to take control of domains pointing them to servers under the attacker’s control. Attacks of this nature still exist today in one form or another. Believe it or not, there was actually a recent attack just weeks ago in the news, attackers used similar methods rooted from these early DNS exploits. DNSSEC strives to curtail such attacks using security layers and authentication methods to verify zone integrity.
DNSSEC uses authentication keys to sign DNS zones and validate query responses. This is much like an individual signing a credit card to verify identity and the cashier checking the signature against an ID. Key creation, rotation, and verification for Key Signing Keys and Zone Signing Keys must be implemented in such a way as to insure automated transitioning to new keys and that valid keys exist on authoritative name servers as well as the TLD name servers at all times. Failing to maintain these processes correctly can cause major DNS resolution problems.
Overall, if your organization is considering implementing DNSSEC, assess the strengths and shortcomings with an outsourced DNS provider. DNSSEC alone lacks transport layer protection, DDoS mitigation, and identity verification; these are best protected with outsourced DNS services. Thanks for reading!
Also published on Medium.