Sep 23, 2010 14:44 GMT

Only 38 percent of federal .gov domains have implemented DNSSEC so far, even though the deadline for adopting the technology expired in December last year.

These findings were outlined in a newly released report (PDF) from security vendor Internet Identity (IID), regarding the deployment of DNSSEC in the .gov namespace.

In August 2008, the White House mandated that all federal agencies must secure their top-level domains with DNSSEC by January 2009 and all sub-domains by December 2009.

The entire .gov zone consists of an estimated 5,000 domains, both active and inactive, that belong to federal and local state agencies, as well as Native American and other organizations.

Since there is no official public document enumerating all of them, IID had to build its own list, which ended up counting 2,941 confirmed domains.

Of these, only 1,185 (40%) were registered to federal agencies and were covered by the White House directive on DNSSEC adoption.

The company tested the domains with the OARC Open DNSSEC Validating Resolvers in order to determine the state of their DNSSEC implementation.

The tests revealed that only 36% of them were capable of full DNSSEC authentication. Another 1% lacked full authentication because of minor signing issues, while 2% failed authentication completely, despite being signed.
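How a validating resolver's answers can separate these outcomes, as an added example (it is not IID's tooling or methodology, which the article does not describe). It assumes each domain is queried twice through the resolver, once normally and once with the CD (checking disabled) bit set, and reads the AD bit and RCODE from each reply; all function names and the header-only sample messages are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
FLAG_AD = 0x0020      # Authenticated Data: the resolver validated the answer
RCODE_MASK = 0x000F
NOERROR, SERVFAIL = 0, 2

def parse_header(msg: bytes):
    """Return (rcode, ad_bit, answer_count) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return flags & RCODE_MASK, bool(flags & FLAG_AD), ancount

def classify(validated: bytes, unchecked: bytes) -> str:
    """Classify a domain from two replies to the same query.

    validated: reply to a normal query (resolver performs DNSSEC validation)
    unchecked: reply to the same query sent with CD=1 (validation skipped)
    """
    rcode, ad, answers = parse_header(validated)
    if rcode == NOERROR and ad and answers:
        return "secure"        # full chain of trust validated
    cd_rcode, _, cd_answers = parse_header(unchecked)
    if rcode == SERVFAIL and cd_rcode == NOERROR and cd_answers:
        return "bogus"         # data exists but fails validation
    if rcode == NOERROR and answers:
        return "insecure"      # unsigned, or signed without a chain of trust
    return "unreachable"       # fails even with CD=1: not a DNSSEC verdict

def sample(flags: int, ancount: int) -> bytes:
    """Constructed header-only reply (no question or answer sections)."""
    return struct.pack("!6H", 0x1234, flags, 0, ancount, 0, 0)

# Constructed replies: QR|RD|RA = 0x8180, plus AD, CD (0x0010) or an RCODE
SECURE   = sample(0x81A0, 1)   # AD set, NOERROR
INSECURE = sample(0x8180, 1)   # no AD, NOERROR
FAILED   = sample(0x8182, 0)   # SERVFAIL
CD_OK    = sample(0x8190, 1)   # CD echoed, NOERROR

if __name__ == "__main__":
    for name, pair in [("signed and valid", (SECURE, CD_OK)),
                       ("signed but broken", (FAILED, CD_OK)),
                       ("unsigned", (INSECURE, CD_OK)),
                       ("servers down", (FAILED, FAILED))]:
        print(f"{name:18} -> {classify(*pair)}")
```

The second query is what distinguishes a signed domain that fails validation from one whose name servers are simply not answering, since both return SERVFAIL to an ordinary query.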

The company points out that the Treasury Department and the Department of Defense are among the agencies with large blocks of yet-unsigned sensitive .gov domains. Meanwhile, the FBI, DHHS, DEA and the Federal Reserve have finished signing all of their domains.

There are also several .gov domains that fall outside federal jurisdiction but are signed with DNSSEC nevertheless. Virginia.gov and several Idaho and Vermont domains are among the examples.

"DNSSEC implementation and maintenance are not easy, and are difficult to test and monitor during this initial transition period. Lessons that are being learned in the Federal .gov space will be useful for all to learn as we look to the signing of .com and .net next year," IID concludes.