November 27, 2012 archive

Yesterday BT’s Diamond IP group released their first DNSSEC Industry Survey Results that resulted from a survey of 120 participants from around the world in October 2012.  The key findings they report in the executive summary include:

• Only 13 per cent of respondents have deployed DNSSEC signed zones in production and another five per cent are in the process of deployment. Even fewer have configured their caching recursive servers for DNSSEC validation with eight per cent having production deployments and another nine per cent progressing in deployment.
• Despite modest deployments, nearly two-thirds of respondents agree or strongly agree that DNSSEC can provide organizational benefits and that DNSSEC technology is mature enough to deploy reliably. On the other hand, over half of respondents agreed that DNSSEC provides limited value until more validating resolvers are deployed, highlighting the “chicken and the egg” challenge for DNSSEC deployment.
• Respondents generally agreed but were a bit unsure about supplementing DNSSEC deployments with hardware security modules (HSMs) with nearly half being neutral and over a third agreeing.
• Leading obstacles to DNSSEC deployment were complexity of deployment and the inability to demonstrate a strong business case. Training issues and complexity of ongoing DNSSEC management caused concern as well.
• Because DNSSEC requires knowledge of both DNS and cryptography to some degree, education and training programs may help improve industry awareness of the operation, benefits, and administrative requirements for deploying and maintaining DNSSEC secured resolution.

Most all of which is much inline with what we’ve seen in our own research and in fact the latter two points were precisely why we created the Deploy360 Programms – to get that kind of deployment information and education more widely known so that we can get DNSSEC more widely deployed.

I was particularly interested in the results on page 5 that asked about the value of DNSSEC.  Some of the answers were interesting – and also point to areas in which we as an industry need to provide better information to help people understand the value.  The “Top obstacles to DNSSEC deployment” chart on page 6 also agreed quite well with what we’ve heard from others.

One interesting question I’d not seen asked on other surveys about DNSSEC was about who would be responsible for the company’s DNSSEC implementation (page 8), with an interesting split between the “DNS” and “security” groups, highlighting an additional internal management challenge that may get involved with deploying DNSSEC:

The division makes a good bit of sense in that DNSSEC is something that you could see being in the area of responsibility of either of those groups, depending upon whether the company/organization views it as primarily a DNS issue or a security issue.

There were a number of other interesting charts as well as a section at the end with the demographics behind the survey.

With any survey like this, you do have to consider the source and BT Diamond IP is a vendor of products related to DNS, DNSSEC and IPAM.  Having said that, though, the results are in line with what we’ve seen in other surveys and are a welcome contribution to the ongoing discussion around DNSSEC deployment.  I’d love to see more of these type of surveys coming out with data from other demographics, regions, etc.

Thanks to BT Diamond IP for doing this research and also for making it publicly available without requiring a registration form for access.