Today long-time DNS expert Cricket Liu came out with a good post on InfoWorld, “Why you need to deploy DNSSec now” where he talks through
- why you need DNSSEC
- how it works, including a walk-through of the actual RRSIG record in DNS
- human factors that delayed implementation
- motivation for deploying DNSSEC (or lack thereof)
- factors to consider for your infrastructure such as overhead
He had one intriguing point about a potential organization that could influence DNSSEC deployment:
There is one organization, however, that is in a surprisingly strong position to influence the uptake of DNSSec: the PCI Security Standards Council, responsible for the development of the PCI Data Security Standard and other standards governing the payment card industry. Longstanding rumors say the organization is considering requiring companies whose websites accept payment cards to use DNSSec to sign their zones in order to achieve PCI DSS compliance. Given how pervasive acceptance of credit cards is on major websites, such a requirement would have vast reach.
That rumor is interesting to hear and certainly something we’ll be exploring through various connections to learn more about what might be possible.
I was surprised, though, that Cricket did not mention what I see as one of the strongest motivations to deploy DNSSEC right now – the ability to then use the DANE protocol to provide an additional layer of trust to TLS and SSL certificates. As Andrew recently wrote, DANE has a great ability to increase the overall security of TLS/SSL certificates by ensuring that users are receiving the correct TLS certificates that you want them to be using. We’re already seeing a great uptake in DANE / DNSSEC usage within the XMPP/Jabber community as well as within various email services as a way of authenticating mail servers and helping fight spam.
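To make the DANE point concrete, here is an added example (not from the article or the Deploy360 site) of what a DANE-EE TLSA record pins and how a client checks a presented certificate against it. The certificate bytes and the hostname www.example.com are constructed placeholders, not real DER or a real zone.

```python
"""Added example: how a DANE TLSA record binds a TLS certificate to a name.

A TLSA record has four fields: usage, selector, matching type, and the
certificate association data. The common DANE-EE form is usage 3 (pin the
end-entity certificate), selector 0 (the full certificate) and matching
type 1 (SHA-256 of the DER bytes). Records only count if DNSSEC validated.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT_DER = b"CONSTRUCTED-DER-CERT-FOR-www.example.com"
OTHER_CERT_DER = b"CONSTRUCTED-DER-CERT-ISSUED-BY-SOME-OTHER-CA"

_HASHES = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}


@dataclass(frozen=True)
class TLSA:
    usage: int            # 3 = DANE-EE: the end-entity certificate itself
    selector: int         # 0 = full certificate (selector 1, SPKI, not handled here)
    matching_type: int    # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    cert_assoc_data: str  # hex string, as written in the zone file


def assoc_data(cert_der: bytes, matching_type: int) -> str:
    """Compute the association data for selector 0 (full certificate)."""
    h = _HASHES[matching_type]
    return cert_der.hex() if h is None else h(cert_der).hexdigest()


def tlsa_for_cert(cert_der: bytes, matching_type: int = 1) -> TLSA:
    """Build the DANE-EE (3 0 x) record an operator would publish for this cert."""
    return TLSA(3, 0, matching_type, assoc_data(cert_der, matching_type))


def zone_line(host: str, port: int, proto: str, rec: TLSA) -> str:
    """Render the record in zone-file presentation format, e.g. _443._tcp.host."""
    return (f"_{port}._{proto}.{host}. IN TLSA {rec.usage} {rec.selector} "
            f"{rec.matching_type} {rec.cert_assoc_data}")


def dane_verify(records, cert_der: bytes, dnssec_validated: bool) -> bool:
    """Accept the presented cert only if a DNSSEC-validated 3 0 x record matches.

    Without DNSSEC the TLSA answer could be forged, so it is ignored entirely.
    """
    if not dnssec_validated:
        return False
    return any(r.usage == 3 and r.selector == 0 and r.matching_type in _HASHES
               and r.cert_assoc_data == assoc_data(cert_der, r.matching_type)
               for r in records)
```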
I also felt the article dwelt a bit longer than needed on some of the past history of DNSSEC and some of the earlier issues that slowed deployment, rather than focusing on the fact that those obstacles have been overcome and the tools and solutions are MUCH easier now.
Overall, though, this is a good article and it’s good to have it out there on a widely-read site such as InfoWorld.
If you would like to get started with DNSSEC – because Cricket is right, the time to start is NOW! – please visit our “Start Here” page to find resources targeted for the type of role you have. Or jump directly to our DNSSEC page and browse some of the links and information you find there.
See the discussion of this InfoWorld article on: