Top-level domain authorities will begin implementing DNSSEC (Domain Name System Security Extensions) on May 5, 2010, and there are implications for virtually all enterprise IT departments: signed responses are larger than unsigned ones and rely on EDNS0, so any resolver, firewall or other middlebox that assumes DNS replies fit in 512-byte UDP datagrams (or that blocks TCP port 53) is affected. The requirements and changes were published in March 2005 in RFCs 4033, 4034 and 4035. The details of those RFCs can be found at:

These changes respond to the threats catalogued in RFC 3833, “Threat Analysis of the Domain Name System (DNS)”: forged responses, cache poisoning and similar attacks on the integrity of DNS data, which DNSSEC addresses by signing zone data so that a validating resolver can verify its origin and integrity.

  • Sam Currie | 05-05-2010

    I'm really disappointed in this article. It is FUD. I expect a much higher level of integrity from Info-Tech and I'm greatly disappointed.

    Firstly, most of the root servers have already been running DNSSEC. The last server is scheduled to have DNSSEC enabled today, 05/05.

    Secondly, your DNS client will only receive a DNSSEC signed response if your client is configured to request it.

    Yes, DNSSEC does need to be evaluated, especially for new server installations to achieve greater security.

    Having said that, apparently some versions of BIND by default perform signed requests. So if you are operating BIND behind a firewall, you should review it. Though I imagine this would only affect BIND operating in a recursive DNS role.


    • Info-Tech Research Group | 10-21-2011

      Thank you for your feedback, Sam. We always like hearing from our clients, even if we may not be in complete agreement. In this case we would argue that the last thing we’re trying to do is generate FUD. On the contrary, we were very conscious of that potential perception and deliberately focused on just making clients aware of the situation and some of the possible ramifications. In fact, the focus of the brief is really around informing people that DNSSEC is rolling out and encouraging people to do some testing to see how it might affect them. Specifically, here are our thoughts:

      We provide an overview of the situation and explain what IT leaders need to do. We don’t claim the Internet is going to fail or break, but we do believe it will likely slow for many enterprises since the larger responses will cause a TCP retry.

      Most of the root servers have not been running DNSSEC previously. Some indeed have in certain countries. There has also been some authoritative DNS ‘testing’. However, VeriSign, for example, has not been running DNSSEC previously. More specifically, VeriSign made changes on March 1, 2010 to authoritative name servers for the .com, .net and .edu zones as a ‘prerequisite’ for deploying DNSSEC into those zones in 2010 (see: DNS Behavior Changes from Verisign Inc.). Their complete rollout strategy document can be found here.

      Finally, the research brief focuses specifically on the issues related to Microsoft infrastructure within enterprises. This is where most of the problems are going to occur.
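The two technical points raised in this thread, that a client only gets DNSSEC data if it asks for it (the DO bit in an EDNS0 OPT record) and that oversized signed replies come back truncated and force a retry over TCP, can be made concrete with a small stdlib-only Python script. This is an added example, not code from the Info-Tech brief or from either commenter; the query builder and reply parser are written here from the wire format in RFC 1035 and the EDNS0/DNSSEC RFCs, the function names are my own, and the "reply" it parses is a constructed byte string, so it runs offline.

```python
"""Build a DNSSEC-requesting DNS query and inspect a reply for truncation.

Added example (not from the original page). No network access: the reply
is constructed in-process. Constants follow RFC 1035 (header flags) and the
EDNS0 OPT pseudo-RR used by RFC 4035 to carry the DNSSEC OK (DO) bit.
"""
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
EDNS_DO = 0x8000  # DO bit: top bit of the low 16 bits of the OPT "TTL" field
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=DNS_TYPE_A, txid=0x1234, edns=True, dnssec_ok=True, udp_size=4096):
    """Build a DNS query. With edns=True an OPT pseudo-RR advertises the UDP
    buffer size the client accepts; dnssec_ok=True sets the DO bit, which is
    what makes a server include RRSIG/DNSKEY/NSEC records in its reply."""
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns:
        ttl = EDNS_DO if dnssec_ok else 0  # ext-rcode=0, version=0, flags
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, ttl, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract the header flags and EDNS parameters a resolver cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name + QTYPE + QCLASS
    info = {"id": txid, "size": len(msg), "rcode": flags & 0x000F,
            "tc": bool(flags & FLAG_TC), "ad": bool(flags & FLAG_AD),
            "edns": False, "edns_udp_size": 512, "do": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:  # for OPT, CLASS is the peer's UDP size
            info["edns"] = True
            info["edns_udp_size"] = rclass
            info["do"] = bool(ttl & EDNS_DO)
    return info


def needs_tcp_retry(info):
    """A truncated (TC=1) UDP reply makes the client retry over TCP port 53.
    If a firewall permits only UDP/53, that retry is where resolution fails."""
    return info["tc"]


def constructed_reply(query, truncate, server_udp_size=512):
    """Constructed sample reply (not captured traffic): echoes the query's ID
    and question, sets QR/RD/RA/AD, optionally TC, and answers the OPT record
    with the server's own buffer size."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD | (FLAG_TC if truncate else 0)
    q_end = skip_name(query, 12) + 4
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1) + query[12:q_end]
    msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, server_udp_size, EDNS_DO, 0)
    return msg


if __name__ == "__main__":
    q = build_query("www.example.com.", dnssec_ok=True)
    print("query:", q.hex())
    info = parse_response(constructed_reply(q, truncate=True))
    print(info, "-> TCP retry needed:", needs_tcp_retry(info))
```

To turn this into a check against a real resolver path, send the bytes from `build_query` over UDP to the resolver and feed what comes back to `parse_response`: a reply with `tc` set, followed by a failure when the same query is sent over TCP port 53, points at a firewall or middlebox that only passes UDP; a reply whose `edns_udp_size` is 512 means the server side will truncate anything larger. The equivalent one-liner with BIND's tools is `dig +dnssec +bufsize=4096`, which sets the same DO bit and buffer size this script builds by hand.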

