Deploy360 5 August 2014

InfoWorld: Why You Need To Deploy DNSSEC Now

By Dan York, Director, Online Content

Today long-time DNS expert Cricket Liu came out with a good post on InfoWorld, “Why you need to deploy DNSSec now,” where he talks through:

  • why you need DNSSEC
  • how it works, including a walk-through of the actual RRSIG record in DNS
  • human factors that delayed implementation
  • motivation for deploying DNSSEC (or lack thereof)
  • factors to consider for your infrastructure such as overhead

He had one intriguing point about a potential organization that could influence DNSSEC deployment:

There is one organization, however, that is in a surprisingly strong position to influence the uptake of DNSSec: the PCI Security Standards Council, responsible for the development of the PCI Data Security Standard and other standards governing the payment card industry. Longstanding rumors say the organization is considering requiring companies whose websites accept payment cards to use DNSSec to sign their zones in order to achieve PCI DSS compliance. Given how pervasive acceptance of credit cards is on major websites, such a requirement would have vast reach.

That rumor is interesting to hear and certainly something we’ll be exploring through various connections to learn more about what might be possible.

I was surprised, though, that Cricket did not mention what I see as one of the strongest motivations to deploy DNSSEC right now – the ability to then use the DANE protocol to provide an additional layer of trust to TLS and SSL certificates. As Andrew recently wrote, DANE has a great ability to increase the overall security of TLS/SSL certificates by ensuring that users are receiving the correct TLS certificates that you want them to be using.  We’re already seeing a great uptake in DANE / DNSSEC usage within the XMPP/Jabber community as well as within various email services as a way of authenticating mail servers and helping fight spam.

I also felt the article dwelt a bit longer than needed on some of the past history of DNSSEC and some of the earlier issues that slowed deployment, rather than focusing on the fact that those obstacles have been overcome and the tools and solutions are MUCH easier now.

Overall, though, this is a good article and it’s good to have it out there on a widely-read site such as InfoWorld.

If you would like to get started with DNSSEC – because Cricket is right, the time to start is NOW! – please visit our “Start Here” page to find resources targeted for the type of role you have.  Or jump directly to our DNSSEC page and browse some of the links and information you find there.


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
