Will security worries propel DNS into the cloud?

Security on the Internet's Domain Name System will be tightened today, with the addition of digital signatures and public-key encryption to the root zone. But will the deployment of DNS Security Extensions (DNSSEC) prompt more enterprises to outsource their DNS operations?

DNS gains added measure of security starting today

That's the opportunity that service providers including VeriSign and Afilias are eyeing with new managed DNS and related security services that they plan to announce in upcoming weeks.

DNS security reaches 'key' milestone

DNSSEC is an emerging Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.

The DNS root servers will begin supporting DNSSEC on July 15. This will enable secure DNS look-ups for the top-level domains that already support this standard, including .org for non-profits, .se for Sweden, .uk for the United Kingdom, .br for Brazil and .cz for the Czech Republic. Plans are underway for additional top-level domains including .edu for universities, .net and .com for businesses to add DNSSEC support over the next six months.

With the extra layer of encryption, DNSSEC makes DNS significantly more complicated, experts say. That's why service providers believe that more enterprises will begin outsourcing their DNS.

"DNSSEC takes the complexity level and really magnifies it. It's a game changer. It's not 10% harder now; it's twice as hard to manage DNS, and it's twice as hard on the machine size and the bandwidth," says Ben Petro, senior vice president of Network Intelligence and Availability at VeriSign. "We can do all of this work for you and make DNSSEC easy."

"DNSSEC is so complicated. The protocol has worked great, but we see a lot of misconfigurations," said Sean Leach, CTO with Name.com, a domain name registrar that has dozens of customers who are testing DNSSEC. "I really do think that you're going to start seeing outsourced DNS as the norm."

VeriSign, Afilias to offer cloud-based DNS

VeriSign officials said they are developing a cloud-based DNS service that will be sold directly to enterprise customers. VeriSign hosts two of the Internet's 13 root name server clusters and is the registry for the .com and .net domains, operating a massive global DNS infrastructure that the company hopes will attract enterprise customers.

VeriSign is expanding the managed DNS services that the company has offered for several years through channel partners. VeriSign is bundling its cloud-based DNS services with distributed denial of service (DoS) and cyber-intelligence protection services that it already offers.