Verisign Will Support DNSSEC by 2011

By millsea0 at 4:27 pm on February 24, 2009 | 1 Comment

Verisign has promised that within the next two years it will support DNS Security Extensions (DNSSEC) across all top-level domains. DNSSEC primarily provides authentication of the origin of DNS data, and it also provides a means to check the integrity of the data being sent. This prevents hackers from misdirecting web traffic to spoofed sites, the problem that came to light with the discovery of the Kaminsky bug.

DNSSEC has already been deployed in other countries (Sweden, Bulgaria, Brazil), and .gov and .org, both domains operated by the United States government, will begin using it later this year. This is important because the majority of business domains, in both .net and .com, are among the most likely to benefit from these changes and are currently waiting for the thirteen root zone server clusters to switch over to the new security standard. Verisign controls two of these server clusters itself.

While we wait for the heart of the internet to fully transition to DNSSEC, an alternative method of providing DNSSEC without needing the rollover has been devised. Trust Anchor Repositories, as provided by the Internet Assigned Numbers Authority (IANA), are a way of providing the same verification as a signed root zone server. This keyed data can easily be transitioned to the server once DNSSEC is fully implemented.

The sooner more websites begin deploying DNSSEC, the more likely businesses that own a .com domain are to follow. Once the root zone and .com have been signed, that will provide coverage for over 70 million domain names.

Sean Miller and Kyle Hornberger

Filed under: Current Events

1 Comment


    Comment by Ryan McElroy

    March 3, 2009 @ 4:00 pm

    This is a long overdue step — there are known vulnerabilities, available to anyone, for attacking and compromising the current insecure DNS protocols. A prominent internet company like Verisign moving to DNSSec (although not until 2011) is a step that will hopefully get the snowball rolling and encourage everyone to switch over in the next few years.
