Feds are behind on DNSSEC -- and that's a good thing

Less than 40 percent of federal domains have deployed the secure version of DNS, but government is helping develop industry expertise by serving as a guinea pig

More than nine months ago, a mandate from the Office of Management and Budget required U.S. federal agencies to sign their domain names using the domain name system security extensions (DNSSEC). But a recent survey found that less than 40 percent of federal domains have managed to do so.

Another example of government inefficiency? Not necessarily, says Rod Rasmussen, president of Internet Identity, the firm that conducted the survey of almost 3,000 government domains. Rasmussen expects agencies to move much more quickly now that they have worked out a lot of the kinks in deployment.


"Once someone figures it out, it seems like you can sign everything," Rasmussen said. "Big chunks of the government domains should be signed all at once."

Rolling out DNSSEC is a complex process. As much as 7 percent of domains are causing problems, such as the mishandling of key-signing keys (KSKs), according to a government DNS expert. In addition, at least two vulnerabilities have been found in the software used to implement DNS and the secure extensions, leading to patches.
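The KSK mishandling mentioned above usually shows up as a broken link in the chain of trust: the DS record the parent zone publishes no longer matches the key-signing key actually in the child zone, typically after a key rollover in which the parent was never updated. The following Python script, an added example that is not part of the original article, checks that link offline by rebuilding the DS digest from a DNSKEY record (RFC 4034 section 5.1.4, with the key tag of Appendix B) and comparing it with the DS. The example.gov records and the key bytes are constructed for illustration and are not real keys.

```python
"""
Offline check of one DNSSEC chain-of-trust link: does the DS record a parent
zone publishes match the KSK (DNSKEY with the SEP flag set) in the child zone?
Digest construction follows RFC 4034 section 5.1.4; key tag follows RFC 4034
Appendix B (valid for all algorithms except 1, RSA/MD5).
"""
import base64
import hashlib
import struct

SEP_FLAG = 0x0001  # Secure Entry Point bit: marks a DNSKEY as a KSK


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case, uncompressed) wire format."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name


def parse_dnskey(rr: str):
    """Parse 'owner [TTL] IN DNSKEY flags proto alg base64...' into parts."""
    fields = rr.split()
    owner = fields[0]
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, flags, alg, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(dnskey_rr: str, digest_type: int = 2) -> str:
    """Derive the DS record a parent should publish for this KSK."""
    owner, flags, alg, rdata = parse_dnskey(dnskey_rr)
    if not flags & SEP_FLAG:
        raise ValueError("DNSKEY is not a KSK (SEP flag clear)")
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    # DS digest = hash(canonical owner name || DNSKEY RDATA)
    digest = hasher(canonical_wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def parse_ds(rr: str):
    """Parse 'owner [TTL] IN DS tag alg dtype hexdigest' into parts."""
    fields = rr.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()
    return tag, alg, dtype, digest


def ds_matches_ksk(ds_rr: str, dnskey_rr: str) -> bool:
    """True iff the parent's DS was derived from this child DNSKEY as a KSK."""
    tag, alg, dtype, digest = parse_ds(ds_rr)
    try:
        expected = make_ds(dnskey_rr, dtype)
    except (ValueError, KeyError):  # not a KSK, or unknown digest type
        return False
    return parse_ds(expected) == (tag, alg, dtype, digest)


# Constructed sample records for this example (not real keys).
# Algorithm 13 (ECDSA P-256) public keys are 64 bytes, so 64 bytes are used.
_NEW_KEY = base64.b64encode(bytes(range(1, 65))).decode()
_OLD_KEY = base64.b64encode(bytes(range(64, 0, -1))).decode()
SAMPLE_KSK = f"example.gov. IN DNSKEY 257 3 13 {_NEW_KEY}"  # current KSK
OLD_KSK = f"example.gov. IN DNSKEY 257 3 13 {_OLD_KEY}"     # rolled-out KSK
SAMPLE_ZSK = f"example.gov. IN DNSKEY 256 3 13 {_NEW_KEY}"  # not a KSK


def demo():
    """Correct link versus the classic rollover mistake (stale DS at the parent)."""
    good_ds = make_ds(SAMPLE_KSK)
    stale_ds = make_ds(OLD_KSK)  # parent still publishes DS of the old key
    return ds_matches_ksk(good_ds, SAMPLE_KSK), ds_matches_ksk(stale_ds, SAMPLE_KSK)


if __name__ == "__main__":
    ok, stale = demo()
    print("current DS matches KSK:", ok)
    print("stale DS matches KSK:", stale)
```

In practice the DNSKEY set comes from the child's authoritative servers and the DS from the parent's (for example via dig), and the check is run against every KSK the child publishes; a child with no KSK matching any parent DS is exactly the broken state the survey describes. The key tag formula used here does not apply to algorithm 1 (RSA/MD5), which is obsolete and should not appear in new signings anyway.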

By serving as a guinea pig, the federal government is helping develop industry expertise. Most of the work is being done by contractors, which means the lessons learned during deployment are trickling out to the industry, Rasmussen said. For that reason, taking the extra time is not necessarily a bad thing.

"The government encountering the pain first is probably good, because it is a learning process. When [the big DNS providers] go sign .com and .net, it will be easier to do," Rasmussen said.

Take note: Delays will likely become commonplace with all federal infrastructure rollouts. Along with the deployment of DNSSEC, the Obama administration's Chief Information Officer Vivek Kundra has mandated deadlines for the adoption of native IPv6, the next-generation addressing and routing scheme for the Internet, on government networks. By 2012 agencies must convert their external applications, such as Web and email servers, to IPv6, and by 2014 their internal client applications.

Unsurprisingly, experts have already predicted delays for that rollout.

This article, "Feds are behind on DNSSEC -- and that's a good thing," was originally published at InfoWorld.com.