Tuesday, December 16, 2014

DNSSEC Survey Report

BT Diamond IP just published its latest report detailing results of its DNSSEC industry survey, conducted in November 2014. This year’s survey yielded strong participation from active DNSSEC deployers, meaning those who have already deployed or are deploying DNSSEC. While the results are not likely representative of overall industry deployment status, the opinions regarding complexity and business case as obstacles, and the lack of interest in hardware security module (HSM) appliances for private key storage, prove insightful.

Among the key findings of the survey:

  • Nearly all respondents agreed with the statement that DNSSEC can or does provide value to their organization and over 85 percent likewise agreed that DNSSEC technology is mature and can be reliably deployed.
  • Forty-seven percent of respondents agreed that deploying and maintaining DNSSEC is very complex, 12 of the 47 percent strongly. Only 22 percent disagreed. This is rather telling: DNSSEC is not only considered complex by the uninitiated, but experience shows this to be the case.
  • Nearly half of respondents disagreed with the statement that only external (Internet-facing) zones need be signed, while 28 percent agreed with the statement. This majority position debunks the theory that internal name spaces are of little concern when it comes to DNSSEC.
  • Only 20 percent of respondents agreed that dedicated hardware security module (HSM) appliances or cards are required to store private keys.
  • Over 75 percent of respondents assign their DNS groups as responsible for DNSSEC implementation and management, sometimes alone or often in conjunction with other groups. It’s interesting to note that about 25 percent of respondents do not involve the DNS group in the process!
  • As an industry, we could help spur further DNSSEC deployments by simplifying the deployment process to reduce complexity and therefore, to some degree, costs.

The survey report documents participants' opinions about the level of concern for securing DNS via DNSSEC, their stage of DNSSEC deployment if any, the perceived value of DNSSEC, deployment obstacles, other DNS security concerns, which groups internally are responsible for DNSSEC management, and even which DNSSEC vendor implementations respondents use.

The full report is available in PDF format at http://www.globalservices.bt.com/static/assets/pdf/products/diamond_ip/BT-Diamond-IP-2014-DNSSEC-Survey.pdf.

If you have any comments regarding the report please don't hesitate to contact me.