UW Computer Security Research and Course Blog

Within the next two years Verisign has promised that it will support DNS Security extensions across all of the domains that are top-level. DNSSEC provides measures that allow for primarily the authentication of the origin of DNS data and also provides a means to check the integrity of the data that is being sent. This prevents hackers from misleading web traffic to spoof sites and the problem that arose in the discovery of the Kaminsky Bug.

DNSSEC has already been deployed in other countries (Sweden, Bulgaria, Brazil) and .gov and .org, both domains operated by the United States government will begin using it later this year. The reason this is so important is the majority of business domains, both .net and .com are among the most likely to benefit from these changes and currently are waiting for the thirteen root zone server clusters to switch over to the new security standard. Verisign controls two of these server clusters themself.

While we wait for the heart of the internet to fully transition to DNSSEC, an alternative method of providing DNSSEC without needing the rollover has been devised. Trust Anchor Repositories, as provided by the Internet Assigned Numbers Authority (IANA), are a way of providing the same verification as a signed root zone server. This keyed data can easily be transitioned to the server once DNSSEC is fully implemented.

The quicker that more websites begin deploying DNSSEC, the more likely businesses that own a .com are likely to follow. Once the root zone and .com has been signed, that will provide coverage for over 70 million domain names.

Sean Miller and Kyle Hornberger