Half of .gov Sites Fail DNSSEC Test

Soulskill posted more than 3 years ago | from the moving-at-the-speed-of-government dept.

Government 34

netbuzz writes "US federal government Web sites were mandated to have begun deploying DNS Security Extensions (DNSSEC) by Dec. 31, 2009, but a recent check shows that 51 percent have still failed to do so. That does represent a marked increase over the 20 percent that had complied as of a year ago. 'But if you think the government should be fully deployed by now, it's a disappointing number,' says Mark Beckett, vice president of marketing and product management for Secure64, who conducted the study."

Hey, I've got an idea: (0, Offtopic)

Anonymous Coward | more than 3 years ago | (#35032354)

How's about we put these guys in charge of maintaining all medical records in the U.S.? What could possibly go wrong?

Hello Slashvertisement (5, Insightful)

RingDev (879105) | more than 3 years ago | (#35032436)

Study performed by company that competes for government contracts to fix issues pointed out by said study finds that government should hire them.

-Rick

Re:Hello Slashvertisement (1, Flamebait)

Mouldy (1322581) | more than 3 years ago | (#35032618)

Who better to judge the state of affairs? Sure, this is probably just an attempt to drum up more sales - but that doesn't discount the fact that "Half of .gov Sites Fail DNSSEC Test".

Re:Hello Slashvertisement (1)

severoon (536737) | more than 3 years ago | (#35039668)

To anyone that thinks slashdot is rabidly anti-the man, I'd like to point out the restraint used on the title for this summary. It could have legitimately said, "Over half..." but went with the more restrained, "Half..."

Obama (-1)

Anonymous Coward | more than 3 years ago | (#35032902)

All talk...

Re:Hello Slashvertisement (2, Interesting)

hAckz0r (989977) | more than 3 years ago | (#35033240)

Likely true. But then history has shown that when the Government is embarrassingly hacked on a wide scale basis, due to the lack of DNS security, they will be dragged kicking and clawing into the 21st century. Sooner or later some clueless congressman submits a bill that "fixes" the problem where the 'problem' is not even understood much less 'defined' adequately. In the meantime those doing business over the internet will have moved forward so that they can protect their profits from man-in-the-middle attacks once the customers start taking them to court with class action suits. Sadly, this means you have to get screwed and then complain before things actually get better.

After that things will start to progress as defined by this thing called 'common sense'. Everybody knows it needs doing, it's just that nobody wants to financially put the effort into DNSSEC or IPv6 until everyone else has done the hard work and they can simply sit back and flip some switch, or hire someone with years of experience with it that knows how to turn it on.

btw - If you use Firefox as a browser look into the "DNSSEC Validator" plugin and see just how many websites there are that you can really trust. Very few. Awareness is half the battle. Note the News story ITFA can not be trusted, as it could be hosted in North Korea as a propaganda campaign and we wouldn't know unless you have a way to check that it really is from 'NetworkWorld'. NetworkWorld's web site is not secured with DNSSEC, so who can tell. Why should we even assume the story is true if by extension we can't trust who wrote it?

Almost half pass! (2)

RingDev (879105) | more than 3 years ago | (#35033394)

Seeing as how DNSSEC is even less prevalent in non-government web sites, shouldn't we then be rejoicing that almost half of all government sites are passing? That the government sites are performing so much better than non-government sites seems like a good sign that while DNSSEC hasn't been completely rolled out, the government is operating ahead of the market and has easily measurable and enforceable goals to complete the process?

Yeah, I want to see 100% adaptation as well, but attacking the government as incompetent and then pointing out that they are beating the private sector adaptation rates sure seems like an endorsement of the feds' approach to DNSSEC implementation over the free market implementation approach.

-Rick

Re:Hello Slashvertisement (0)

Anonymous Coward | more than 3 years ago | (#35033332)

Network World contacted us last week for this go around.

And yes, it would be nice to have more business.

As if it was that easy... (0)

Anonymous Coward | more than 3 years ago | (#35032636)

Ya, I work for a government, you can't imagine the tests and procedures you need to follow to change a critical infrastructure like DNS to calm all the fearful. And you have to do all this while under staffed and overworked because consultants can't seem to do anything right.

Re:As if it was that easy... (1)

Anonymous Coward | more than 3 years ago | (#35033042)

I do work for a government agency, and you are wrong.

The problem is that too many of the full time employees have already retired (but haven't left), and the ones that haven't 'retired' want to make sure nothing changes so they can't be let go...

There is no need or requirement to keep "technically" educated, because through politics you can easily prevent change.

"under staffed and overworked" - what a joke; try overstaffed and under-motivated

black hole termination most popular story in US (-1)

Anonymous Coward | more than 3 years ago | (#35032694)

that's just so unlikely, like everything else we're being fed(up) with.

Comcast (-1, Offtopic)

jlechem (613317) | more than 3 years ago | (#35032908)

Hmmmm 6 MB my ass, more like 2.2. Is that what 60 bucks a month gets me? God I wish I had a choice but Qwest is my only other option. Goddamn Farmington (UT) wouldn't pick up Utopia.

Re:Comcast (1)

Anonymous Coward | more than 3 years ago | (#35033410)

Mod parent offtopic. Where's my damn mod points?

Gross (0)

jimmerz28 (1928616) | more than 3 years ago | (#35033196)

Democracy is slow? Hold on a minute now...

In my own experience 85% of the government websites I've visited looked about as good as their usability: disgusting.

Why pay to be secure? (0)

JustAnotherIdiot (1980292) | more than 3 years ago | (#35033368)

After all, wasting money on things like a pointless war overseas is way more important, right?

Like the old saying goes (-1, Redundant)

swmetallica (1981252) | more than 3 years ago | (#35033426)

"It's good enough for government work."

Study: 50% of .gov sites are actually honeypots (1)

b3x (586838) | more than 3 years ago | (#35033680)

Stimpy, whatever you do, don't touch the big red button!

Stop the presses: OMB mandate ignored! (3, Insightful)

mschaffer (97223) | more than 3 years ago | (#35033846)

Government agencies ignored an OMB mandate. This is not exactly news.

Re:Stop the presses: OMB mandate ignored! (2)

FurtiveGlancer (1274746) | more than 3 years ago | (#35038850)

There's an old saying in government: "A mandate without money is but a wish."

Cricket Liu on DNSSEC (3, Interesting)

RazzleDazzle (442937) | more than 3 years ago | (#35034132)

Coincidentally I was just yesterday at a DNSSEC seminar presented by Cricket Liu. While obscenely complicated compared to the more or less basic operation of a non-DNSSEC name server, it is super easy to (and really operationally required IMHO to) automate the entire DNSSEC part of DNS administration. Of course he showed his own employer's DNS tool (he works for infoblox.com) but there are other choices and methods of automating and he did not really make it into a big sales pitch for his employer, just a simple screenshot showing its ease of use and a few minutes to describe it.

Anyways, I plan to start really investigating the deployment of DNSSEC now.

Re:Cricket Liu on DNSSEC (1)

characterZer0 (138196) | more than 3 years ago | (#35034446)

ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)

I eagerly await your demonstration of Power over Ethernet over Voice. (PoEoV).

Re:Cricket Liu on DNSSEC (1)

RazzleDazzle (442937) | more than 3 years ago | (#35064560)

PoEoV has been held up in the IETF draft process. The stupid skanks at the ITU-T won't back me until I get a major vendor like Cisco or Juniper involved. But Cisco won't talk to me unless I am willing to sell them my idea so they can name it CiscoVoice-E and Juniper wants to put it in their MX series but have an 18 month screening process before they will even beta it but won't formally adopt it without industry standardization (chicken-or-egg problem, hello!!) Perhaps The Onion will give me some good publicity and get some people interested, they are the ones who introduced me to my current religion after all: Fictionology. Nah nah nah nah nah nah nah nah, BATMAN...

Re:Cricket Liu on DNSSEC (2)

imikem (767509) | more than 3 years ago | (#35035750)

This was the presentation in Minneapolis? I was there too. I thought it was excellent, as was the food. I did wind up wearing a bunch of salad dressing on my shirtsleeve though.

DNSSEC needs to get implemented, and that soon. Of course when I hear the statistics on how many ancient unpatched servers are out there with recursion turned on for world+dog, I want to cry.

Re:Cricket Liu on DNSSEC (1)

RazzleDazzle (442937) | more than 3 years ago | (#35064518)

Yes in Minneapolis. The food was good but as a vegetarian the "meat" dish was something I passed on and then I was left hungry at the end. Not complaining though, free food and the presentation very efficiently articulated the overall situation. I wish I had asked a couple more questions that came to mind after I had already left: status/opinion of other non-DNSSEC enhancement technologies like DNSCURVE and secondly Cricket's opinion on DNSSEC proxy tools in general with one example being phreebird by Dan Kaminsky.

Confusing wording... (1)

GameMaster (148118) | more than 3 years ago | (#35034546)

Wow, talk about confusingly worded summary. If you're going to talk about how many sites have failed to pass the test, and then compare that to previous numbers, make sure that the second number is ALSO the percentage that FAILED and not the percentage that PASSED. At first I thought it was saying that, last time, only 20% failed the test and was wondering why the OP seemed to be suggesting that 51% failure is better than 20% failure.

Re:Confusing wording... (0)

Anonymous Coward | more than 3 years ago | (#35034792)

> Wow, talk about confusingly worded summary. If you're going to talk about how many sites have failed to pass the test, and then compare that to previous numbers, make sure that the second number is ALSO the percentage that FAILED and not the percentage that PASSED. At first I thought it was saying that, last time, only 20% failed the test and was wondering why the OP seemed to be suggesting that 51% failure is better than 20% failure.

It's not confusing at all. If you're not paying attention, you might get confused... but if you have any reading comprehension it should be pretty clear what is being stated.

Re:Confusing wording... (1)

ocdscouter (1922930) | more than 3 years ago | (#35037362)

>> Wow, talk about confusingly worded summary. If you're going to talk about how many sites have failed to pass the test, and then compare that to previous numbers, make sure that the second number is ALSO the percentage that FAILED and not the percentage that PASSED. At first I thought it was saying that, last time, only 20% failed the test and was wondering why the OP seemed to be suggesting that 51% failure is better than 20% failure.

> It's not confusing at all. If you're not paying attention, you might get confused... but if you have any reading comprehension it should be pretty clear what is being stated.

You'd think the people that read a site (formerly?) billed as "News for Nerds" would appreciate the importance of Implicit vs. Explicit.

DNSSec is kinda hard (0)

Anonymous Coward | more than 3 years ago | (#35035002)

As an MCITP engineer, I can tell you that setting up DNSSec isn't exactly a click, click, finish type of thing. It requires a strong understanding of DNSSec concepts and a high degree of technical skill. Don't believe me, download the deployment guide. There's a lot of complex work that goes into setting up DNSSec. After all the work you put into getting it setup, then you have to administer it--which is another pain especially if you work with DNS records a lot.

27th Chaos Communication Congress (0)

Anonymous Coward | more than 3 years ago | (#35036456)

Perhaps this is a good thread to stir up some community discussion on last month's 27th Chaos Communication Congress presentation.
- Dan Bernstein hosted a talk, partially covering DNSSEC: http://www.vimeo.com/18417770
- Dan Kaminsky replied in defense of the protocol here: http://dankaminsky.com/2011/01/05/djb-ccc
What are the current arguments for and against implementing DNSSEC from other experts and the rest of us?

who gives a rat's ass about DNSSEC when... (0)

Anonymous Coward | more than 3 years ago | (#35038790)

... hundreds of government-owned computers from all over the world have been compromised by bad passwords, outdated and exploitable software, and a general lack of awareness.

My SSH and FTP servers get pounded on a daily basis by those machines. And before someone screams "change the port", why should I break RFC to avoid "spam"?

Anyone who actually cares about cache poisoning should set up better ACL's as to who can access your DNS server.

Big Deal (0)

Anonymous Coward | more than 3 years ago | (#35038862)

It's not like this will enhance security if this was done immediately. How many applications rely on this tech? Not many.

Half *not signed* not *failing* (2)

FliesLikeABrick (943848) | more than 3 years ago | (#35039570)

It looks like this really should be "Half of .gov sites are not signed, thus not in compliance with the mandate to deploy DNSSEC." Meaning "the sites cannot be validated because they're not signed" *not* meaning "people with validating resolvers can't get to these sites"

Re:Half *not signed* not *failing* (1)

marka63 (1237718) | more than 3 years ago | (#35048102)

No. It means they validate as insecure which means there was no cryptographic proof that the answers returned are good.

Now there have been broken configurations but they usually get fixed relatively quickly.
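
The distinction drawn in the two comments above (an unsigned zone validates as insecure, while a broken configuration fails outright), as an added example that is not part of either poster's comment: a stub-side classifier that reads the AD bit and RCODE from DNS response headers. It assumes the replies come from a validating resolver over a trusted path; the function names and the sample headers are constructed for illustration.

```python
import struct
from typing import Optional

# DNS header flag bits (RFC 1035, RFC 4035) and the two RCODEs used here.
FLAG_QR, FLAG_AD, FLAG_CD = 0x8000, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields we need."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header is 12 bytes")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response (QR bit clear)")
    return {"ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "ancount": ancount}


def classify(normal: bytes, cd_retry: Optional[bytes] = None) -> str:
    """Classify a name from a validating resolver's replies.

    normal   -- reply to an ordinary query (CD clear)
    cd_retry -- reply to the same query repeated with CD (checking disabled)
    """
    first = parse_header(normal)
    if first["rcode"] == RCODE_NOERROR and first["ancount"] > 0:
        # AD set: the resolver verified the signature chain. AD clear: there
        # was no chain to verify (unsigned zone), i.e. "insecure", not a failure.
        return "secure" if first["ad"] else "insecure"
    if first["rcode"] == RCODE_SERVFAIL and cd_retry is not None:
        retry = parse_header(cd_retry)
        if retry["rcode"] == RCODE_NOERROR and retry["ancount"] > 0:
            # Data exists but is only returned with validation off: broken signing.
            return "bogus"
    return "indeterminate"


def _reply(flags: int, ancount: int) -> bytes:
    """Build a constructed 12-byte response header (sample data, not a capture)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


# Constructed samples: QR|RD|RA = 0x8180, plus AD (0x20), CD (0x10) or RCODE 2.
SIGNED_OK = _reply(0x81A0, 1)
UNSIGNED = _reply(0x8180, 1)
SERVFAIL = _reply(0x8182, 0)
SERVFAIL_CD_RETRY = _reply(0x8190, 1)
```

Only the "bogus" case makes a name unreachable through a validating resolver; "insecure" names resolve normally but carry no cryptographic proof.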

DNSSEC is a waste of time (0)

Anonymous Coward | more than 3 years ago | (#35046340)

DNSSEC is a joke, it does not prevent any form of DNS poisoning attacks nor does it do anything to secure the DNS from being hacked. All it does is secure that the domain is pointing to the correct DNS server. So unless your domain registrar is just THAT stupid, this is a totally useless technology.
