DNS Security Upgrade for .com and .net


There are more than 93.5 million registered .com and .net domains, making those two Top Level Domains (TLDs) the most popular on the Internet today. VeriSign, the company that oversees those domains, today announced plans to make them among the most secure on the Web with support for DNSSEC (DNS Security Extensions).

The issue of DNS security vaulted to prominence in the summer of 2008 with the disclosure by security researcher Dan Kaminsky that DNS was vulnerable to attack. While DNS vendors rushed out interim patches, the long-term solution to the problem of DNS security is DNSSEC.

With DNSSEC, domains get an additional layer of integrity checking to ensure the authenticity of domain information. Other TLDs like .org and .edu have already announced their plans to implement DNSSEC.

But for .com and .net, DNSSEC won't be an instant upgrade. Instead, VeriSign said it plans to complete the rollout across the registries by 2011.

"Getting a top level domain like .com signed, we obviously want to do it in a manner that minimizes the risk to any unintended consequences," VeriSign Product Manager Joe Waldron told InternetNews.com.

While VeriSign operates the .com and .net TLDs as a registry, Waldron noted that there are more than 950 registrars that work with VeriSign. The registrars are the companies that actually sell the domains to end users, while VeriSign runs the overall operation of the .com and .net registries. Part of VeriSign's plan in rolling out DNSSEC involves working with the registrars on tools and education to make adoption easier.

VeriSign is no stranger to DNSSEC. The firm recently began working with Educause, the operator of the .edu registry, to help secure that TLD. Waldron noted that the work VeriSign is doing on .edu is educating the company about the implementation challenges and real scenarios that .com and .net will face in the DNSSEC rollout.

From a technology perspective, VeriSign will be working on a number of fronts to make DNSSEC work for .com and .net.

At the top level, VeriSign uses its own Atlas DNS technology as an authoritative name server. Waldron said that Atlas will need to be capable of supporting the additional DNSSEC-related records that will go into a domain zone file.
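To make concrete what "additional DNSSEC-related records" means, here is an added example that is not from the article or VeriSign: a constructed, signed zone fragment for `example.net` (key, digest and signature fields are placeholders) and a small check that reports which DNSSEC record types the zone carries and which authoritative RRsets still lack a covering RRSIG. The `parse_zone`, `dnssec_types_present` and `unsigned_rrsets` helpers are names assumed for this example.

```python
from collections import defaultdict

# Constructed zone-file fragment for example.net (not a real zone); key, digest
# and signature fields are placeholders.  The www A record is deliberately
# left without an RRSIG so the check below has something to report.
SIGNED_ZONE = """\
example.net.     3600 IN SOA    ns1.example.net. hostmaster.example.net. 2010010101 7200 3600 1209600 3600
example.net.     3600 IN RRSIG  SOA 8 2 3600 20100201000000 20100101000000 12345 example.net. SIG-PLACEHOLDER
example.net.     3600 IN NS     ns1.example.net.
example.net.     3600 IN RRSIG  NS 8 2 3600 20100201000000 20100101000000 12345 example.net. SIG-PLACEHOLDER
example.net.     3600 IN DNSKEY 257 3 8 KSK-PLACEHOLDER
example.net.     3600 IN DNSKEY 256 3 8 ZSK-PLACEHOLDER
example.net.     3600 IN RRSIG  DNSKEY 8 2 3600 20100201000000 20100101000000 54321 example.net. SIG-PLACEHOLDER
sub.example.net. 3600 IN NS     ns1.sub.example.net.
sub.example.net. 3600 IN DS     23456 8 2 DIGEST-PLACEHOLDER
sub.example.net. 3600 IN RRSIG  DS 8 3 3600 20100201000000 20100101000000 12345 example.net. SIG-PLACEHOLDER
www.example.net. 3600 IN A      192.0.2.10
"""

# Record types that only exist because the zone is DNSSEC-signed.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "DS", "NSEC", "NSEC3", "NSEC3PARAM"}


def parse_zone(text):
    """Group presentation-format records into (owner, type) -> [rdata, ...]."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blanks
        if line:
            owner, _ttl, _cls, rrtype, rdata = line.split(None, 4)
            rrsets[(owner, rrtype)].append(rdata)
    return rrsets

def dnssec_types_present(rrsets):
    """Which of the DNSSEC record types actually appear in the zone."""
    return sorted({rrtype for (_, rrtype) in rrsets if rrtype in DNSSEC_TYPES})

def unsigned_rrsets(rrsets, apex):
    """Authoritative RRsets with no RRSIG covering their type at that owner."""
    covered = {(owner, rdata.split()[0])           # RRSIG rdata begins with "type covered"
               for (owner, rrtype), rdatas in rrsets.items() if rrtype == "RRSIG"
               for rdata in rdatas}
    unsigned = []
    for owner, rrtype in rrsets:
        # NS below the apex is a delegation: the parent signs only the DS (and
        # NSEC/NSEC3) at the cut, never the child's NS set, so it is skipped.
        delegation = rrtype == "NS" and owner != apex
        if rrtype != "RRSIG" and not delegation and (owner, rrtype) not in covered:
            unsigned.append((owner, rrtype))
    return sorted(unsigned)
```

For a TLD registry zone such as .com the bulk of the content is exactly those unsigned delegation NS sets, with the DS records (supplied by registrars) and NSEC/NSEC3 chain being what the parent actually signs.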

The interface between the VeriSign registry and its registrar partners is also a key part of implementing DNSSEC.

"The interface between the registry and the registrar is called EPP (Extensible Provisioning Protocol), and that's how registrars pass transactions to us," Waldron said. "In addition to that, registries have to expose this to their customers to allow them to opt in to enable DNSSEC."

Overall, implementing DNSSEC in .com and .net has been a multi-year effort in which VeriSign has invested, though Waldron declined to provide a specific figure for how much the DNSSEC implementation will ultimately cost the company. Afilias, which manages the technical operations for the .org registry, estimated that its own DNSSEC effort would cost multiple millions of dollars.

"From an investment perspective, VeriSign is always investing in infrastructure," Waldron said. "We've been involved in DNSSEC for years; we've had test-beds going back to 2001. This is really from the infrastructure investment that we're making consistent with the types of things we do just as a normal course of business."

Article courtesy of InternetNews.com.