Tighter security available to .com sites, only with upgrades

VeriSign has added an extra layer of security to the Internet's .com domain, but e-retailers, banks and other Web site operators will need to upgrade their DNS hardware, software or services to take advantage of .com's new cryptographic features.

As of March 31, VeriSign supports a security standard called DNS Security Extensions (DNSSEC) on the 90 million-plus names that have been registered in the .com domain.

RELATED NEWS: GoDaddy: We're ready to secure .com names with DNSSEC

DNSSEC allows websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. DNSSEC prevents Kaminsky-style attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.

DNSSEC is "a feature of .com and .net," says Pat Kane, senior vice president and general manager of naming services at VeriSign. "It's important so we can maintain the leadership position we have. ...That's why we've made this [cryptographic] signing service available."

Under development for a decade, DNSSEC has just started being deployed across the Internet infrastructure during the last eight months.

The Internet's root servers at the top of the DNS hierarchy added DNSSEC support in July 2010. More than 25 domains  -- including .gov, .org, .edu and .net -- have enabled DNSSEC since then.

BY THE NUMBERS: Half of federal websites fail DNS security test

VeriSign had to make significant investments in its infrastructure to support the extra transactional processing overhead required by DNSSEC.

DNSSEC "is not hard, but it does put a significant strain on your resources," says Bill Semich, president and CEO of WorldNames, a Medfield, Mass., registry that operates the .nu domain. "It increases the size of the zone file by a factor of 10, and that slows down the process of doing transfers and updates."

By supporting DNSSEC in .com this month, VeriSign kept to an aggressive rollout schedule for DNSSEC that it announced two years ago. VeriSign enabled DNSSEC in the .edu domain in August 2010 and in the .net domain in December 2010.

"We took a pragmatic and deliberate approach ... first with .edu and then .net and now .com," Kane says. "It's been a great effort. ...We're delivering on time with something so big."

In order for DNSSEC to work properly, it has to be supported at every step of the DNS look-up process: from the end user's browser, to the ISP that carries DNS traffic, to the website operator, to the domain name registrar as well as the top-level domain registry and the root server operators.

Many of these areas are lagging. Firefox is the only Web browser that offers a DNSSEC plug-in. Comcast is the only ISP in the United States that has announced a DNSSEC validation service. Domain name registrars such as GoDaddy are just starting to support DNSSEC for their customers.

On the plus side, website operators have a range of appliances from Secure64, Infoblox, BlueCat Networks and others that support the key management and other security functions required by DNSSEC. And companies like VeriSign, Nominum and UltraDNS are offering managed services that allow website operators to outsource their entire DNS infrastructure, including DNSSEC.

"We're offering DNSSEC services that are fully managed," says Sean Leach, vice president of technology for VeriSign's Network Intelligence and Availability business. "People don't have to do anything with their keys, and it works with our traffic management platform. It's not very easy to combine traffic management services with global server load balancing and DNSSEC on the same records and zones. We believe what we are offering is pretty revolutionary."

DNS providers are hoping that having .com's support will finally crack open the DNSSEC market.

"I think having .com do [DNSSEC] is going to make it easier and more popular," Semich says. The .nu domain has supported DNSSEC for four years, but Semich says that less than 1% of .nu names are signed.

"The fact is that most people don't know about DNSSEC or care," Semich says. "In some ways, it's up to the governments to do communication about it and to set the standards."

Even VeriSign has seen limited adoption of DNSSEC features on the .edu and .net domains that it operates.

Only 53 .edu names are signed, even though more than 2,200 colleges, universities and educational institutions belong to the .edu sponsor Educause. Similarly, only 262 .net names -- out of more than 13 million registered .net names -- are taking advantage of DNSSEC features.

VeriSign says the biggest holdup is domain name registrars, who haven't figured out a viable business model for offering DNSSEC services.

BACKGROUND: Top US domain name registrars lag on DNS security

"We're helping registers implement DNSSEC by giving them a tool -- the DNSSEC Signing Service -- that would drive adoption but minimize costs," Kane says. "Hopefully that will help them achieve a critical mass so then the registrar could move over to have customers paying for it or to build additional services around it."

Kane says he's hoping that within a year, half of the .com registrars will be supporting DNSSEC for their customers, who are the website operators.

"I'm going to measure success in adoption by the registrars in their provisioning models and check-out processes," Kane says. "If I have half of the registrars provisioning DNSSEC a year from now, that would be successful."

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags VeriSignsecurityinternet

More about BillBlueCat NetworksComcast CableEducauseInfobloxLANSECTechnologyUltraDNSVeriSign Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Carolyn Duffy Marsan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts