VeriSign: We will support DNS security in 2011

Operator of .com, .net vows to adopt standard to prevent hijacking attacks
By Carolyn Duffy Marsan, Network World, 02/24/2009

VeriSign has promised to deploy DNS Security Extensions – known as DNSSEC – across all of its top-level domains within two years.

"VeriSign is moving forward with the implementation of DNSSEC across all of the Top Level Domains that we operate," VeriSign said in a statement to Network World. ".com will most likely be the last TLD to adopt DNSSEC due to the size of the zone. We anticipate full implementation of DNSSEC to be complete across all TLDs in approximately 24 months."

DNSSEC uses digital signatures and public-key cryptography to allow Web sites to verify their domain names and corresponding IP addresses. DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites, a technique known as cache poisoning.

DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered this summer. In fact, security researcher Dan Kaminsky recommends widespread deployment of DNSSEC.  

DNSSEC has been deployed on top-level domains operated by Sweden, Puerto Rico, Bulgaria, Brazil and the Czech Republic. Two larger domains -- .org operated by the Public Interest Registry and .gov operated by the U.S. government -- are deploying DNSSEC this year.

Still awaiting DNSSEC deployment are the Internet's root zone and the most popular domains for online business: .com and .net.

In the meantime, the Internet engineering community has come up with an alternative called Trust Anchor Repositories to allow organizations to deploy DNSSEC without waiting for the entire DNS hierarchy -- particularly the root zone and .com -- to be compliant with the new security standard.  

VeriSign's commitment to DNSSEC is significant because it supports such a wide swath of the Internet infrastructure.

VeriSign operates two of the 13 server clusters that carry the DNS root zone data, which is at the pinnacle of the DNS hierarchy. These server clusters resolve requests from the top-level domains, which in turn handle DNS queries for names registered in those domains.

VeriSign also operates the .com and .net domains, which together had more than 90 million registered names at the end of 2008.

In its latest Domain Name Industry Brief, VeriSign said that it processed peak loads of nearly 50 billion DNS queries per day in the fourth quarter of 2008.

Comments (2)

So they want to show us how to not implement DNSSEC like X.509?
By Anonymous on February 25, 2009, 3:01 am
this has not been fixed for years! And you trust them to correctly sign DNS zones?


.gov - a larger zone?!?
By ondrej.sury on February 24, 2009, 6:36 pm
Since when is .gov a "larger" zone? .cz has 523891 domain names and .se has 852501 (numbers are from now). I very much doubt that .gov has so many domain records....
