VeriSign is upgrading the directory and database software that underpins most Web site lookups in a move that experts say will help improve the security and reliability of the Internet's DNS.
VeriSign is replacing an open source software package called Berkeley Internet Name Domain (BIND) with its own proprietary technology. Dubbed ATLAS, for Advanced Transaction Look-up and Signaling, VeriSign's proprietary software will be installed in its 13 DNS server sites around the globe this summer and will go into production mode in the fall.
BIND, which runs on most corporate domain name servers, translates domain names into numerical IP addresses. Developed in the early 1980s, BIND lacks robust security and scalability. Last week, CERT warned that a flaw in certain versions of BIND could leave parts of the Internet vulnerable to denial-of-service (DoS) attacks.
With ATLAS, VeriSign says it will improve its protection against distributed DoS attacks along with the speed and reliability of lookups.
"The major focus of ATLAS is reliability, scalability and flexibility for conversions,'' says Aristotle Balogh, vice president of engineering at VeriSign Global Registry. "Some of the performance improvements come from innovative algorithms for lookups and updates.''
DNS experts say VeriSign's move to ATLAS will help fix a DNS environment that is too homogeneous.
"Having everyone run the same name server is a screaming invitation for bad things to happen,'' says David Conrad, CTO at Nominum, a DNS service provider. "There has been a push in the root server community as well as the top-level domain [registry] community to try to get people to diversify. This way a single DoS attack wouldn't take out all the name servers.''
VeriSign is the latest domain name registry to migrate away from BIND. Others that are choosing alternatives include the operators of the new .coop, .aero and .info registries, which selected software from Nominum, and Ripe Network Coordination Center, which is writing its own DNS software.
"There is a greater diversity of products available to provide DNS services and products,'' Conrad says. "That trend will continue as we get more special products to deal with special needs.''
VeriSign's shift to ATLAS shouldn't affect DNS interoperability, says Ray Plzak, president of the American Registry for Internet Numbers and co-chair of the Internet Engineering Task Force's Domain Name Server Operations working group.
"The only standardization is in the IETF's [requests for comment],'' Plzak says. "It just so happens that BIND is used by everybody. But as long as people implement to the standards, it shouldn't matter what software they use.''
VeriSign's ATLAS software has been under development for 18 months and cost the company several million dollars, officials say. Key features are:
l Scalability from an average of 6.5 billion DNS queries per day today to a projected 100 billion queries per day with 10-msec response time.
l Ability to propagate updates to DNS information in 6 seconds vs. 12 hours today. This will let network managers make near-instantaneous changes to DNS information and be assured of Web site availability.
l Next year it will support not only DNS lookups but also emerging protocols such as Session Initiation Protocol and Signaling Series 7 for Internet telephone calls.
While it rolls out the new software, VeriSign also is upgrading its servers and network architecture. The company is installing new routers, switches and load balancers from Cisco, Alteon and Foundry Networks. New servers are from IBM and Intel.
Meanwhile, CERT's latest advisory about BIND affects all but the most recent version of BIND 9, which was released in May. DNS servers running software prior to BIND 9.2.1 are vulnerable to attacks that can shut down DNS service by sending a specific packet, CERT said. The service remains unavailable until restarted. n