Verisign to bolster .gov security

Verisign helping feds with deployment of emerging DNS security protocol

The U.S. federal government's ongoing effort to improve the security on its Web sites may get a boost now that Verisign has taken over operation of the .gov registry.

Verisign is providing all domain name registration services for the .gov and fed.us domains, which are restricted for use only by federal civilian agencies or city, county and state government organizations.  

While .gov is the most popular domain for federal Web sites, some agencies such as the U.S. Postal Service use .com domain names, while military Web sites use names with the .mil extension.  Fewer agencies use fed.us names, such as the U.S. District Court in New Mexico, whose Web address is www.nmcourt.fed.us.

By selecting Verisign to run its .gov domain, the General Services Administration (GSA) chose an experienced DNS vendor. Verisign is the registry operator for several of the Internet's most popular domains including .com, .net and .edu, and it also hosts two of the 12 “root” servers that sit at the top of the Internet's DNS hierarchy.

One of the requirements of Verisign's contract is to support the implementation of DNS Security Extensions (DNSSEC) on .gov and fed.us Web sites. DNSSEC is an Internet standard designed to prevent hackers from hijacking Web traffic and redirecting it to bogus sites. It allows the DNS records that map a Web site's domain name to its corresponding IP addresses to be verified using digital signatures and public key cryptography.

In order to be effective, DNSSEC must be deployed across the entire Internet infrastructure, from the root servers to the servers that run .gov, .com and other top-level domains, and then down to the servers that cache content for individual Web sites.

Verisign is the registry operator for two domains, .edu and .net, that already support DNSSEC. And Verisign says it will offer DNSSEC for .com in March.

Federal agencies are required to support DNSSEC under a mandate that was issued by the Office of Management and Budget (OMB) in 2008. However, a recent survey of federal Web sites found that only 49% were cryptographically signed using DNSSEC.

DNSSEC "is one of the things we can work with the GSA and other agencies in helping with those implementations," says Joe Waldron, director of product management for Verisign's domain name registry business. "We developed a lot of tools with our other registry business to help detect issues with DNSSEC and to remove some of the barriers… We met with the GSA yesterday to discuss how to help encourage and facilitate that adoption."

In addition to its DNSSEC signing services that are now available to federal agencies, Verisign also offers detection and mitigation services for distributed denial of service (DDoS) attacks.

Another bonus is the fact that Verisign's DNS infrastructure supports IPv6, the long-anticipated upgrade to the Internet's main communications protocol. Federal agencies are under a separate OMB mandate to support IPv6 on their public-facing Web sites by September 2012.

"It's an honor for us to be selected to operate .gov," Waldron adds. "It gives us the opportunity to reinforce the security and reliability that we provide to other registries and to ensure that the .gov top-level domain is at the same level."

GSA chose Verisign in a competitive bid process. The five-year contract is worth an estimated $3 million.

Verisign was selected to operate the .gov registry in September 2010, but had to pass a certification and accreditation process that lasted several months. The DNS vendor said it completed transitioning all .gov registry services to its infrastructure last week.
