Australia has previously been hailed as being ahead of the US in terms of rolling out the Domain Name System Security Extensions (DNSSEC), but has now fallen behind, and members of the information security industry are beginning to ask why.
DNSSEC is meant to protect internet users from forged DNS data, which makes it possible for malware, like DNSChanger, to operate.
At the beginning of last year, Australia was seen as being a year ahead of its counterparts in the US — but then the US implemented the service for .com domains in March 2011. When asked a month later about what was going on with the .au implementation, .au Domain Administration (auDA), the industry's policy and self-regulatory body for the .au domain, said that it was in the final stages of DNSSEC testing for .au, but that it would take another year for Australia to see it implemented.
Now, a year on, the top-level domains (TLDs) for .au remain unsigned.
F5 Networks chief technology officer Karl Tribes pointed out that the US has further left Australia behind by making the security extension a hard requirement for all US federal agencies' .gov domains, and said that other countries are also getting their acts together. He said he doesn't understand why Australia doesn't make rolling out DNSSEC a priority.
"US federal and other places have already begun doing this, so it's not like it's untested waters," he said.
AuDA told ZDNet Australia that it is taking a cautious approach to the implementation of DNSSEC, and is closely monitoring the deployment and uses of other TLDs and country code top-level domains (ccTLDs).
"The .au structure differs from many other ccTLDs, because we have a policy authority (auDA) and a registry operator (AusRegistry), operate in a policy-rich environment, register names at the third level and have second-level zones, such as gov.au and edu.au, delegated to third parties."
According to auDA, it has now formed a DNSSEC working group. This group, which includes members from major telco and domain registries, is expected to work with .au stakeholders to ensure that the implementation of DNSSEC can occur at both the parent (.au) and child zones (2ld.au). The working group is also expected to assist with developing DNSSEC policy, and educating registrants about the benefits of DNSSEC.
Despite .com and other domains rolling out DNSSEC, there has been limited demand for it, according to Tribes, even though the process of deploying DNSSEC had been relatively painless for firms using the domains.
"Given the state of the technology and what's available now, it seems to me that it would be good to be proactive, because it's fairly painless to take these steps without massive impacts to your infrastructure, and be ahead of the curve. I can understand that you don't want to invest wildly into certain things, but it's quite modest to take these steps," he said.
ZDNet Australia's queries to Check Point and WatchGuard found that these vendors' current hardware products also typically ship with the ability for administrators to enable DNSSEC at their choosing. Representatives from both companies have been surprised that so few organisations have adopted DNSSEC for .com domains in wider numbers, and have put the trend down to a lack of awareness.