Home / News

Survey Finds “Complexity” as Most Common Challenge in Deploying DNSSEC

According to a recent survey conducted by the European Network and Information Security Agency (ENISA), 78% of service providers in Europe have plans to deploy DNSSEC within the next 3 years.

On the other hand, the study also found 22% have no plans to deploy DNSSEC in the next 3 years. The main reasons, according to those surveyed, are:

  • Lack of customer demand for the service
  • Cost of deployment and the on-going costs for running the service
  • Immaturity of the technology
  • Lack of requirement set to operators by National regulators

Additionally, service providers who are planning to deploy DNSSEC have expressed the following challenges as key barriers:

  • Problems with the complexity of Key Management and Key Rollovers.
  • Lack of supporting tools for Key Management as well as operational management of DNSSEC servers.
  • Problems with increased system complexity of DNSSEC servers. In this respect, it has also been noted that in some cases equipment vendors deliver unstable products for DNSSEC support.
  • Essential lack of key management policies as well as in a wider scope lack of information security policies with focus on DNSSEC and security management guidelines.
  • Lack of end user awareness on the benefits provided by DNSSEC and the security it provides.
  • There are no widely used applications that are supporting DNSSEC.
  • The root of the DNS is not signed. This breaks the hierarchy of DNS and Trust Entry points (Trust anchors) have to be configured to the recursive resolvers.
  • The distribution and update of the trust anchors is not standardised and there are no common policies and procedures yet in place.
  • There is lack of standardisation in the transfer of the key material from the child domains to their parents.
  • There is lack of tools notifying the user when the domain they are using is securely validated.
  • The inherent feature of DNSSEC for authenticated denial of existence allows an abuser to enumerate the contents of a zone. The adoption of a variation of the protocol, named NSEC3, by the product vendors is required.

The full report can be downloaded here (PDF). Background information available here.

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com