VeriSign: We will support DNS security in 2011

Operator of .com, .net vows to adopt standard to prevent hijacking attacks

VeriSign has promised to deploy DNS Security Extensions – known as DNSSEC – across all of its top-level domains within two years.

"VeriSign is moving forward with the implementation of DNSSEC across all of the Top Level Domains that we operate," VeriSign said in a statement to Network World. ".com will most likely be the last TLD to adopt DNSSEC due to the size of the zone. We anticipate full implementation of DNSSEC to be complete across all TLDs in approximately 24 months."

DNSSEC uses digital signatures and public-key encryption to allow Web sites to verify their domain names and corresponding IP addresses. DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites, which are called cache poisoning attacks

DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered this summer. In fact, security researcher Dan Kaminsky recommends widespread deployment of DNSSEC.  

DNSSEC has been deployed on top-level domains operated by Sweden, Puerto Rico, Bulgaria, Brazil and the Czech Republic. Two larger domains -- .org operated by the Public Interest Registry and .gov operated by the U.S. government -- are deploying DNSSEC this year.

Still awaiting DNSSEC deployment are the Internet's root zone and the most popular domains for online business: .com and .net.

In the meantime, the Internet engineering community has come up with an alternative called Trust Anchor Repositories to allow organizations to deploy DNSSEC without waiting for the entire DNS hierarchy -- particularly the root zone and .com -- to be compliant with the new security standard.  

VeriSign's commitment to DNSSEC is significant because it supports such a wide swath of the Internet infrastructure.

VeriSign operates two of the 13 server clusters that carry the DNS root zone data, which is at the pinnacle of the DNS hierarchy. These server clusters resolve requests from the top-level domains, which in turn handle DNS queries for names registered in those domains.

VeriSign also operates the .com and .net domains, which together had more than 90 million registered names at the end of 2008.

In its latest Domain Name Industry Brief, VeriSign said that it processed peak loads of nearly 50 billion DNS queries per day in the fourth quarter of 2008.

"It would be really cool if VeriSign would sign .com," says Paul Hoffman, director of the VPN Consortium and an active participant in the DNSSEC community.

Hoffman says the best scenario for enhancing DNS security is if the root zone operators and the .com top-level domain deploy DNSSEC soon. That will encourage companies who run .com Web sites to deploy DNSSEC, too, Hoffman says.

"The essence of DNSSEC is that you have a key associated with every level of the DNS hierarchy: you have a key for the root, you have a key for the top-level domain, and you'll have a key for the enterprise level," explains Steve Crocker, CEO of Shinkuro. "When DNSSEC is fully deployed, all of those keys will exist."

Crocker says it's important that the DNS hierarchy adopt DNSSEC from top to bottom, and that organizations which deploy DNSSEC start validating signatures. Key to DNSSEC migration is that the root zone and .com get signed, Crocker says.

"As soon as .com is signed, that provides coverage for over 70 million names," Crocker says.

BlueCat to support DNS

In other DNSSEC-related news, BlueCat Networks says it will support DNSSEC in its Adonis DNS/DHCP appliances and its Proteus IP Address Management platforms as a free software upgrade available in March.

"Our release offers DNSSEC support in two different ways," says Branko Miskov, director of product management at BlueCat Networks. "It allows you to look up DNSSEC records and validate DNSSEC records. You can also define trust anchors. But more importantly, you are going to be able to host DNSSEC records."

BlueCat's DNSSEC products are being targeted at U.S. federal agencies under a mandate to support DNSSEC on .gov and companies doing business online in DNSSEC-compliant domains such as .se for Sweden and .br for Brazil.

Miskov says BlueCat's offering will allow enterprise network managers to automate the process of DNSSEC key generation, management and rotation.

"We've tried to ease the administrative pain of DNSSEC…with the tools we created within our product," Miskov says.

Learn more about this topic

Techies end-run feds on DNS security

U.S. misses DNS security deadline

Expert to Feds: Sign the DNS root ASAP
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies