
Half of .gov Sites Fail DNSSEC Test

netbuzz writes "US federal government Web sites were mandated to have begun deploying DNS Security Extensions (DNSSEC) by Dec. 31, 2009, but a recent check shows that 51 percent have still failed to do so. That does represent a marked increase over the 20 percent that had complied as of a year ago. 'But if you think the government should be fully deployed by now, it's a disappointing number,' says Mark Beckett, vice president of marketing and product management for Secure64, who conducted the study."

  • by RingDev ( 879105 ) on Friday January 28, 2011 @11:18AM (#35032436) Homepage Journal

    Study performed by company that competes for government contracts to fix issues pointed out by said study finds that government should hire them.


    • Re: (Score:1, Flamebait)

      by Mouldy ( 1322581 )
      Who better to judge the state of affairs? Sure, this is probably just an attempt to drum up more sales - but that doesn't discount the fact that "Half of .gov Sites Fail DNSSEC Test".
      • To anyone that thinks slashdot is rabidly anti-the man, I'd like to point out the restraint used on the title for this summary. It could have legitimately said, "Over half..." but went with the more restrained, "Half..."
    • Re: (Score:3, Interesting)

      by hAckz0r ( 989977 )
      Likely true. But then history has shown that when the Government is embarrassingly hacked on a wide scale basis, due to the lack of DNS security, they will be dragged kicking and clawing into the 21st century. Sooner or later some clueless congressman submits a bill that "fixes" the problem where the 'problem' is not even understood much less 'defined' adequately. In the meantime those doing business over the internet will have moved forward so that they can protect their profits from man-in-the-middle attac
      • Seeing as how DNSSEC is even less prevalent in non-government web sites, shouldn't we then be rejoicing that almost half of all government sites are passing? That the government sites are performing so much better than non-government sites seems like a good sign that while DNSSEC hasn't been completely rolled out, the government is operating ahead of the market and has easily measurable and enforceable goals to complete the process?

        Yeah, I want to see 100% adaptation as well, but attacking the government

  • by mschaffer ( 97223 ) on Friday January 28, 2011 @12:44PM (#35033846)

    Government agencies ignored an OMB mandate. This is not exactly news.

  • by RazzleDazzle ( 442937 ) on Friday January 28, 2011 @01:02PM (#35034132) Journal

    Coincidentally I was just yesterday at a DNSSEC seminar presented by Cricket Liu. While obscenely complicated compared to the more or less basic operation of a non-DNSSEC name server, it is super easy to (and really operationally required IMHO to) automate the entire DNSSEC part of DNS administration. Of course he showed his own employer's DNS tool (he works for infoblox.com) but there are other choices and methods of automating and he did not really make it into a big sales pitch for his employer, just a simple screenshot showing its ease of use and a few minutes to describe it.

    Anyways, I plan to start really investigating the deployment of DNSSEC now.

    • ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)

      I eagerly await your demonstration of Power over Ethernet over Voice. (PoEoV).

      • PoEoV has been held up in the IETF draft process. The stupid skanks at the ITU-T won't back me until I get a major vendor like Cisco or Juniper involved. But Cisco won't talk to me unless I am willing to sell them my idea so they can name it CiscoVoice-E and Juniper wants to put it in their MX series but have an 18 month screening process before they will even beta it but won't formally adopt it without industry standardization (chicken-or-egg problem, hello!!) Perhaps The Onion will give me some good public

    • by imikem ( 767509 )

      This was the presentation in Minneapolis? I was there too. I thought it was excellent, as was the food. I did wind up wearing a bunch of salad dressing on my shirtsleeve though.

      DNSSEC needs to get implemented, and that soon. Of course when I hear the statistics on how many ancient unpatched servers are out there with recursion turned on for world+dog, I want to cry.

      • Yes in Minneapolis. The food was good but as a vegetarian the "meat" dish was something I passed on and then I was left hungry at the end. Not complaining though, free food and the presentation very efficiently articulated the overall situation. I wish I had asked a couple more questions that came to mind after I had already left: status/opinion of other non-DNSSEC enhancement technologies like DNSCURVE and secondly Cricket's opinion on DNSSEC proxy tools in general with one example being phreebird by Dan Ka

  • Wow, talk about confusingly worded summary. If you're going to talk about how many sites have failed to pass the test, and then compare that to previous numbers, make sure that the second number is ALSO the percentage that FAILED and not the percentage that PASSED. At first I thought it was saying that, last time, only 20% failed the test and was wondering why the OP seemed to be suggesting that 51% failure is better than 20% failure.

  • by FliesLikeABrick ( 943848 ) <ryan@u13.net> on Friday January 28, 2011 @08:05PM (#35039570)
    It looks like this really should be "Half of .gov sites are not signed, thus not in compliance with the mandate to deploy DNSSEC." Meaning "the sites cannot be validated because they're not signed" *not* meaning "people with validating resolvers can't get to these sites"
    • No. It means they validate as insecure which means there was no cryptographic proof that the answers returned are good.

      Now there have been broken configurations but they usually get fixed relatively quickly.
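
The distinction drawn in the two comments above (an unsigned zone validates as insecure and still resolves; only a broken signed zone fails), as an added example that is not part of the original thread. It classifies constructed dig-style response headers from a validating resolver; the domain names and header values are placeholders, and the second query with checking disabled (CD) is the usual way to tell a validation failure from an ordinary outage.

```python
import re

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")

def parse_header(text):
    """Return (rcode, set_of_flags) from dig-style header text."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("not a dig-style header")
    return status.group(1), set(flags.group(1).split())

def classify(normal, checking_disabled=None):
    """Map a validating resolver's answer to a DNSSEC validation state.

    secure   = NOERROR with the AD (authenticated data) flag set
    insecure = NOERROR without AD: the zone is unsigned, no proof offered
    bogus    = SERVFAIL normally, but NOERROR when validation is skipped
    failed   = anything else (outage, lame delegation, ...)
    """
    rcode, flags = parse_header(normal)
    if rcode == "NOERROR":
        return "secure" if "ad" in flags else "insecure"
    if rcode == "SERVFAIL" and checking_disabled is not None:
        if parse_header(checking_disabled)[0] == "NOERROR":
            return "bogus"
    return "failed"

def reachable(state):
    """Validating clients still get an answer for secure and insecure zones."""
    return state in ("secure", "insecure")

def hdr(status, flags):
    # Builds a constructed header in the layout dig prints.
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 1\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1")

# Constructed samples: (normal query, same query with CD set or None).
SAMPLES = {
    "signed.example.gov":   (hdr("NOERROR", "qr rd ra ad"), None),
    "unsigned.example.gov": (hdr("NOERROR", "qr rd ra"), None),
    "broken.example.gov":   (hdr("SERVFAIL", "qr rd ra"),
                             hdr("NOERROR", "qr rd ra cd")),
}

def survey(samples):
    """Return {name: (state, reachable)} for every sampled zone."""
    return {n: (s := classify(*q), reachable(s)) for n, q in samples.items()}

if __name__ == "__main__":
    for name, result in survey(SAMPLES).items():
        print(name, *result)
```
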
