Black Hat founder Jeff Moss opened this year's Black Hat 2010 conference
by telling the world that he's frustrated with the computer security industry's inability to fix many problems over the past two decades. In a point that some people probably missed as a mixture of accolades and irony, Moss then gave the lone exception that came to mind: DNSSEC, which is being partially deployed throughout the world.
To put this point in perspective, the main problems that DNS fixed were first discussed in the early 1990s (there's an excellent DNSSEC primer on Wikipedia
), with remediations first codified in 2001. Yet Dan Kaminsky and many other DNS researchers required another decade to convince the major players to strengthen DNS. In effect, it took some 20 years to fix the world's most used protocol, one without which every other network application remains insecure -- but it's not fixed all the way.
In order for DNS to be truly secure, DNSSEC has to be deployed down to the desktop level. Windows 7
and Windows Server 2008 R2
(and many other Linux, Unix, and BSD platforms) have it built in, but not configured or enabled. I expect only a very few large, highly secure companies to implement DNSSEC to the desktop over the next few years. That is the state of our Internet security today.