Skip Links

Tighter security available to .com sites, but upgrades required

VeriSign boosts security for .com sites; Internet’s largest domain adds DNS security standard

By , Network World
March 31, 2011 04:01 PM ET

Network World - VeriSign has added an extra layer of security to the Internet's .com domain, but e-retailers, banks and other Web site operators will need to upgrade their DNS hardware, software or services to take advantage of .com's new cryptographic features.

As of March 31, VeriSign supports a security standard called DNS Security Extensions (DNSSEC) on the 90 million-plus names that have been registered in the .com domain.

RELATED NEWS: GoDaddy: We're ready to secure .com names with DNSSEC

DNSSEC allows websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. DNSSEC prevents Kaminsky-style attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.

DNSSEC is "a feature of .com and .net," says Pat Kane, senior vice president and general manager of naming services at VeriSign. "It's important so we can maintain the leadership position we have. ...That's why we've made this [cryptographic] signing service available."

Under development for a decade, DNSSEC has just started being deployed across the Internet infrastructure during the last eight months.

The Internet's root servers at the top of the DNS hierarchy added DNSSEC support in July 2010. More than 25 domains  -- including .gov, .org, .edu and .net -- have enabled DNSSEC since then.

BY THE NUMBERS: Half of federal websites fail DNS security test

VeriSign had to make significant investments in its infrastructure to support the extra transactional processing overhead required by DNSSEC.

DNSSEC "is not hard, but it does put a significant strain on your resources," says Bill Semich, president and CEO of WorldNames, a Medfield, Mass., registry that operates the .nu domain. "It increases the size of the zone file by a factor of 10, and that slows down the process of doing transfers and updates."

By supporting DNSSEC in .com this month, VeriSign kept to an aggressive rollout schedule for DNSSEC that it announced two years ago. VeriSign enabled DNSSEC in the .edu domain in August 2010 and in the .net domain in December 2010.

"We took a pragmatic and deliberate approach ... first with .edu and then .net and now .com," Kane says. "It's been a great effort. ...We're delivering on time with something so big."

In order for DNSSEC to work properly, it has to be supported at every step of the DNS look-up process: from the end user's browser, to the ISP that carries DNS traffic, to the website operator, to the domain name registrar as well as the top-level domain registry and the root server operators.

Many of these areas are lagging. Firefox is the only Web browser that offers a DNSSEC plug-in. Comcast is the only ISP in the United States that has announced a DNSSEC validation service. Domain name registrars such as GoDaddy are just starting to support DNSSEC for their customers.

On the plus side, website operators have a range of appliances from Secure64, Infoblox, BlueCat Networks and others that support the key management and other security functions required by DNSSEC. And companies like VeriSign, Nominum and UltraDNS are offering managed services that allow website operators to outsource their entire DNS infrastructure, including DNSSEC.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News