Few ISPs, Companies Deployed DNSSEC Upgrades
Comcast Took The Lead, But Few Followed
by Karl Bode 04:57PM Tuesday Jan 29 2013
DNSSEC is a DNS security extension that lets both sites and providers validate domain name data to make sure it is correct and has not been tampered with; it is supposed to help combat things like DNS cache "poisoning" and phishing scams. While some ISPs like Comcast have made great efforts to get DNSSEC deployed, most ISPs and companies are lagging far behind. Nearly five years after the "Kaminsky Bug" vulnerability in DNS was discovered, very few companies have deployed DNSSEC.

Why? Akamai's chief security officer Andy Ellis explains to Network World:
quote:
Ellis says U.S. companies responded to the disclosure of the Kaminsky flaw by patching their DNS software with easy workarounds rather than taking the time to deploy DNSSEC, which is a more complete but also a more complex solution. "I don't think the Kaminsky flaw is that big of an issue right now," Ellis says. "DNSSEC doesn't solve the problems that are very real to [U.S. companies] ... like rolling denial of service attacks and phishing-based fraud. That's where we see a lot more of their time and energy being spent."

You do wonder how many companies just didn't bother because they didn't want to pay for it. Comcast is quoted in the piece as saying their deployment of DNSSEC was complicated, but they've seen few issues with the deployment. On the ISP side, some carriers might have been swayed by the fact that installing DNSSEC "breaks" domain redirection ad systems that generate revenue by directing users to an ad-laden ISP-run search portal when they misspell or enter a nonexistent URL.


whfsdude
Premium
join:2003-04-05
Washington, DC

1 recommendation

Comcast's IPv6 Efforts

Almost the exact same can be said for IPv6.

Camaro
Question everything
Premium
join:2008-04-05
Westfield, MA
kudos:1

3 recommendations

Re: Comcast's IPv6 Efforts

Yea, have to give them credit where credit is due for both upgrades to their network.

FFH
Premium
join:2002-03-03
Tavistock NJ
kudos:5

2 edits

1 recommendation

said by whfsdude:

Almost the exact same can be said for IPv6.

I see IPv6 addresses for various Google web sites; Facebook; Netflix; comcast.net; Bing; Yahoo; etc. on my Comcast internet service. But a little disappointing - almost all tech web sites (incl. dslreports, cnet, AllThingsD, Apple, Amazon, etc.) are still IPv4 only.
--
A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury.

Oedipus

join:2005-05-09
kudos:1

CGN

Is AT&T still planning on doing CGN/large scale NAT for their Uverse customers? Seems like a sweet way to earn some extra money by charging people for a public IP, static or not.

You can't monetize ipv6, of course.

battleop

join:2005-09-28
00000

1 recommendation

Here is the real reason...

"I don't think the Kaminsky flaw is that big of an issue right now," Ellis says

This is why DNSSEC and IPv6 are not on the front burner. Neither will pose a real problem anytime soon.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

whfsdude
Premium
join:2003-04-05
Washington, DC

2 recommendations

Re: Here is the real reason...

said by battleop:

This is why DNSSEC and IPv6 are not on the front burner. Neither will pose a real problem anytime soon.

Define problem. We have been facing the v4 problem for years. These silly home NAT gateways can't pass protocols like SCTP (I like end-user multihoming - eg. roaming between WiFi AP and something else).

Mobile apps just plain suck when it comes to connectivity because an app dev has to assume multiple layers of NAT between user equipment and their servers.

RIPE and APNIC are both exhausted. Consumers in those countries will face higher prices as a market develops for IPv4 addresses. You will end up with lots of users shoved behind CGN which poses a number of problems.

(ARIN will reach phase 4 this year - »www.arin.net/resources/request/i···own.html )

The failure of IPv6 hasn't been a lack of problems with IPv4, but a failure to communicate those problems to end-users.

Rekrul

join:2007-04-21
Milford, CT

1 recommendation

Re: Here is the real reason...

said by whfsdude:

Define problem. We have been facing the v4 problem for years. These silly home NAT gateways can't pass protocols like SCTP (I like end-user multihoming - eg. roaming between WiFi AP and something else).

said by whfsdude:

The failure of IPv6 hasn't been a lack of problems with IPv4, but a failure to communicate those problems to end-users.

Companies always wait until an issue starts causing them problems, then they look for the absolute quickest, cheapest work-around that they can find, which will allow them to keep doing things the way they've always done them. It's not until the work-arounds no longer work and the issue is starting to actually cost them money that they try to implement a real fix. This is then fraught with problems, and garners a lot of bad PR and ill will as they use their customers as beta testers. Meanwhile, the companies beg people to have patience because this is an issue that they "haven't had adequate time to prepare for!"

It's the corporate way.