
VeriSign: We will support DNS security in 2011

Operator of .com, .net vows to adopt standard to prevent hijacking attacks

By , Network World
February 24, 2009 02:23 PM ET

Network World - VeriSign has promised to deploy DNS Security Extensions – known as DNSSEC – across all of its top-level domains within two years.

"VeriSign is moving forward with the implementation of DNSSEC across all of the Top Level Domains that we operate," VeriSign said in a statement to Network World. ".com will most likely be the last TLD to adopt DNSSEC due to the size of the zone. We anticipate full implementation of DNSSEC to be complete across all TLDs in approximately 24 months."

DNSSEC uses digital signatures and public-key encryption to allow Web sites to verify their domain names and corresponding IP addresses. DNSSEC prevents cache poisoning attacks, in which hackers hijack Web traffic and redirect it to bogus sites.

DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered this summer. In fact, security researcher Dan Kaminsky recommends widespread deployment of DNSSEC.  

DNSSEC has been deployed on top-level domains operated by Sweden, Puerto Rico, Bulgaria, Brazil and the Czech Republic. Two larger domains -- .org operated by the Public Interest Registry and .gov operated by the U.S. government -- are deploying DNSSEC this year.

Still awaiting DNSSEC deployment are the Internet's root zone and the most popular domains for online business: .com and .net.

In the meantime, the Internet engineering community has come up with an alternative called Trust Anchor Repositories to allow organizations to deploy DNSSEC without waiting for the entire DNS hierarchy -- particularly the root zone and .com -- to be compliant with the new security standard.  

VeriSign's commitment to DNSSEC is significant because it supports such a wide swath of the Internet infrastructure.

VeriSign operates two of the 13 server clusters that carry the DNS root zone data, which is at the pinnacle of the DNS hierarchy. These server clusters resolve requests from the top-level domains, which in turn handle DNS queries for names registered in those domains.

VeriSign also operates the .com and .net domains, which together had more than 90 million registered names at the end of 2008.

In its latest Domain Name Industry Brief, VeriSign said that it processed peak loads of nearly 50 billion DNS queries per day in the fourth quarter of 2008.

"It would be really cool if VeriSign would sign .com," says Paul Hoffman, director of the VPN Consortium and an active participant in the DNSSEC community.

Hoffman says the best scenario for enhancing DNS security is if the root zone operators and the .com top-level domain deploy DNSSEC soon. That will encourage companies who run .com Web sites to deploy DNSSEC, too, Hoffman says.

"The essence of DNSSEC is that you have a key associated with every level of the DNS hierarchy: you have a key for the root, you have a key for the top-level domain, and you'll have a key for the enterprise level," explains Steve Crocker, CEO of Shinkuro. "When DNSSEC is fully deployed, all of those keys will exist."
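The key-per-level hierarchy Crocker describes, and the reason Trust Anchor Repositories help while the root and .com are unsigned, can be sketched as follows. This is an added example, not code from Network World or VeriSign: the key bytes and the `KEYS`, `validate` and `parent_of` names are constructed for illustration, and only the DS-to-DNSKEY digest links are checked (signature verification is omitted).

```python
import hashlib

def name_to_wire(name):
    """Owner name in DNS wire format: length-prefixed lower-case labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key

def ds_digest(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def parent_of(zone):
    """Parent zone name, or None above the root."""
    if zone == ".":
        return None
    rest = zone.rstrip(".").partition(".")[2]
    return rest + "." if rest else "."

def validate(zone, dnskeys, ds_records, trust_anchors):
    """Walk up from `zone` until a zone key matches a configured trust anchor.
    ds_records maps a child zone to the digest its parent publishes for it."""
    while zone is not None:
        rdata = dnskeys.get(zone)
        if rdata is None:                       # zone is unsigned: chain breaks
            return False
        digest = ds_digest(zone, rdata)
        if trust_anchors.get(zone) == digest:   # reached a key we already trust
            return True
        if ds_records.get(zone) != digest:      # parent does not vouch for key
            return False
        zone = parent_of(zone)
    return False

# Constructed sample keys (flags 257 = key-signing key, algorithm 8 = RSA/SHA-256).
KEYS = {z: dnskey_rdata(257, 8, b"constructed-key-" + z.encode())
        for z in (".", "com.", "example.com.")}

if __name__ == "__main__":
    ds = {z: ds_digest(z, KEYS[z]) for z in ("com.", "example.com.")}
    root = {".": ds_digest(".", KEYS["."])}
    island = {"example.com.": KEYS["example.com."]}
    tar = {"example.com.": ds_digest("example.com.", KEYS["example.com."])}
    print("fully deployed, root anchor:", validate("example.com.", KEYS, ds, root))
    print("unsigned root/.com, root anchor:", validate("example.com.", island, {}, root))
    print("unsigned root/.com, TAR anchor:", validate("example.com.", island, {}, tar))
```
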
