Two and a half years after the first public warnings over DNS security, the .com domain is now secured with DNSSEC.
VeriSign announced that it has signed the .com top-level domain (TLD), which could help to secure the more than 90 million registered .com domains. VeriSign’s move follows years of effort and incremental steps toward securing DNS infrastructure.
DNS was first shown to be at risk in the summer of 2008, when security researcher Dan Kaminsky detailed threats that could undermine the operation of the Internet. The risks exposed by Kaminsky could have enabled an attacker to spoof DNS information, potentially disrupting the normal flow of all information across the Internet.
Following Kaminsky’s disclosure, DNSSEC was identified as the best long-term solution to help protect DNS. DNSSEC helps to mitigate the risk by adding cryptographic signatures to DNS information so that its authenticity can be verified.
Getting DNSSEC fully implemented across Internet infrastructure has been no easy task.
In July of 2010, VeriSign was able to sign the root zone of the Internet’s DNS for DNSSEC. VeriSign assists with the management of the root zone under a cooperative agreement with the U.S. Department of Commerce. VeriSign also operates the .com registry.
With the root zone signed, a number of TLDs have also been able to fully implement DNSSEC in their respective zones. The .org TLD was the first major TLD to be signed for DNSSEC. For .org, the effort to enable DNSSEC cost millions of dollars. By November of 2010, over 50 TLDs had enabled DNSSEC.
The .com registry is the biggest TLD to enable DNSSEC yet.
“By reaching this critical milestone in DNSSEC deployment, Verisign and the Internet community have made enormous strides in protecting the integrity of DNS data,” said Pat Kane, senior vice president and general manager of Naming Services at Verisign, in a statement. “But the threats against the Internet ecosystem — whether targeting the DNS or elsewhere — are unrelenting.”
The DNSSEC implementation by VeriSign is part of the company’s larger Project Apollo initiative. Apollo was first announced in March of 2010 as a $300 million effort to update DNS. The goal of Apollo is to build the infrastructure needed to handle the 4 quadrillion queries per day that the Internet’s DNS structure will demand by 2020.