Many CircleID readers have been watching the acceleration of DNSSEC adoption by top level domains with great interest, and after many years the promise of a secure and trustworthy naming infrastructure across the generic and country-code domains finally seems within reach.

While TLD DNSSEC deployments are major milestones for internet security, securing the top level domains is not the end goal—just a necessary step in the process. To truly protect against the most likely threats, DNSSEC must be adopted not only by TLDs, but also by the domain name registrants themselves.

Registrants like banks, government agencies, retailers, and other organizations that represent attractive targets for criminals or hostile nation-states stand to benefit the most by deploying DNSSEC across the domains that they own. Adoption of DNSSEC by these types of organizations is an important measure of the success of DNSSEC in achieving its primary goal: to ensure that the integrity of the internet’s naming system cannot be compromised.

For the past several years, Secure64’s technical team has conducted a series of studies to measure DNSSEC adoption by key groups of organizations. In the wake of a US federal government mandate that all federal agencies must adopt DNSSEC by the end of 2009, we decided to measured the progress that was being made, and publicly reported adoption rates of 20%, 49% and 57% in 2010, 2011 and 2012, respectively. However, adoption outside of the large top level domains and the US government has been slow.

In mid-2010, we were encouraged by a Forrester Research study of almost 300 IT decision makers around the world indicating that 43% of the respondents had heard of DNSSEC, and of these, 95% had already implemented or had plans to implement it within 18 months. This survey focused on those industries most likely to benefit from the security that DNSSEC provides, including financial services, public sector, ISPs, media/entertainment/leisure, online commerce and other organizations with a significant online presence. Now, over two years later, we decided to follow up on this survey, focusing on the financial services sector, to see if these plans have come to fruition.

We used the Forbes Global 2000 list of public companies as our starting point, honing that list down to 293 organizations in the financial services sector. We then queried the domain names of each of these organizations, looking for two pieces of evidence of DNSSEC deployment—signatures published at the organization’s domain and a chain of trust to its parent domain.

The results were both surprising and disappointing. Of these 293 organizations, only one was publishing signatures on its domain, but that one organization had not established a chain of trust to its parent, so there is little likelihood that it is benefiting from the protection that DNSSEC can provide.

Given these surprising results compared to the attitudes reflected in the previous Forrester survey, we looked for bias in our own data and noted that our list only included public companies. We also noted that the domain name for many of the multi-national companies on the list were not the same as the names of the individual companies that they own. Is it possible that DNSSEC might be more broadly deployed in private companies or in the individual company domain names? Unfortunately, spot checking a number of these children companies yielded no evidence of DNSSEC adoption either, so we were forced to conclude that the deployment of this important security technology is happening very slowly even within an industry that should be the most concerned about it.

Perhaps it will take a real financial loss to provide the necessary motivation. According to the Forrester report, 100% of the companies that lost greater than $5 million experienced a man-in-the-middle breach. Or perhaps, as we have seen in the U.S., legislation or industry regulations will be required to spur these organizations to action. So far, at least, protecting their customers and brand reputation had not been sufficient.