As the Internet continues to expand, we are committed to creating and driving advancements that keep the Internet fast, safe and reliable for all users.
Policymakers
The Internet plays an increasingly critical role in government, commerce, communications and national security. Domain Name System Security Extension (DNSSEC) provides an additional layer of security to help maintain trust in this vital resource. It will be most effective when adopted by the entire Internet community. Find out what DNSSEC means for you, issues to consider and how Verisign is actively participating in the rollout of DNSSEC across the Internet.
Why Act Now
DNSSEC adoption is gaining momentum as governments, financial institutions, Internet service providers (ISPs), businesses and other organisations become increasingly aware of DNS-related threats.
DNSSEC is most effective when universally implemented - starting at the top of the Internet hierarchy (the root zone and top-level domains) and moving down to individual domain names.
The size, complexity, and impact of a global DNSSEC effort suggest that policymakers in government and the private sector play a vital role in DNSSEC success. Working at the national and international levels on telecommunications, technical standards, commerce, law enforcement and national security and defence, policymakers have the visibility, influence and reach to positively impact the momentum and course of DNSSEC.
High-Level Benefits
DNSSEC presents opportunities to all members of the Internet ecosystem. The most direct and widespread impact is on end users and the organisations they interact with. By adding another layer of security to the Internet, DNSSEC provides the following types of benefits:
| Ecosystem Member | Benefit |
|---|---|
| Internet community, e.g. web site operators involved in e-commerce, government, financial services, or business | Significantly improved security infrastructure that increases trust in the Internet |
| End users | Reduced risk of unintended redirection to fraudulent web sites (caused by man-in-the-middle attacks) which could lead to identity theft and other security compromises |
| Registrars | Competitive advantage for early adopters; opportunity to provide monetisable, enhanced security offerings to customers |
| Internet service providers (ISPs) | Increased data security for Internet users who leverage an ISP’s name server service for Internet navigation |
| Hardware and software vendors | Opportunity to provide new products and solutions |
What to Consider
DNSSEC implementation is not a trivial task. It requires considerable resources, documentation, testing and industry coordination. It also introduces complex changes that impact some members of the Internet ecosystem more than others. You will need to consider these complexities when recommending or implementing policies, timelines and other guidelines.
Registrars, for example, must upgrade their systems to interface with a DNSSEC-enabled registry, provide a mechanism for customers to send their DNSSEC key material to the registrar, and (if the registrar provides DNS hosting services) add complex, resource-intensive DNSSEC key management and signing services. ISPs must enable DNSSEC on their recursive name servers, ensure device compatibility, and be mindful that DNSSEC response packets are potentially larger than traditional DNS packets and may increase bandwidth requirements. Hardware and software vendors must upgrade existing products and develop new products that are compatible with DNSSEC and support DNSSEC services. Each of these processes is highly complex, impacts system operations, requires extensive testing and can take many months.
Any rollout of DNSSEC should proceed in phases, especially for the reliable operation of globally crucial top-level domains (TLDs) such as .com and .net. Long-term strategy, planning and collaboration - not only within and across organisations and industries, but also internationally - will create a strong foundation for successful implementation.
To assist with understanding the implications of a DNSSEC-enabled environment, Verisign has deployed a DNSSEC Interoperability Lab. The Interoperability Lab allows members of the IT community to test compatibility of their Internet and enterprise infrastructure components with DNSSEC. The Lab is located in Dulles, Virginia and is a standalone environment with a suite of more than 8,000 test cases.
Verisign’s Role
Verisign is committed to serving as a trusted steward of the Internet. As the registry for .com and .net and a provider of critical Internet infrastructure services, our goal is to enable the Internet’s next innovations while protecting the Internet community from new and emerging cyber threats. Our work on DNSSEC is another step in our ongoing fortification of and investment in critical Internet infrastructure.
In July 2010, Verisign - working with the Internet Assigned Numbers Authority (IANA) and the Department of Commerce (DoC) - completed deployment of DNSSEC in the root zone (the starting point of the DNS hierarchy). Verisign also enabled .edu in July in collaboration with EDUCAUSE and the DoC and is on track to enable DNSSEC in .net and .com. We are working in a timely, but cautious and methodical manner to sign the zones we manage.
Verisign has been involved in DNSSEC development since 2000, and our engineers played a leading role in the development of the DNSSEC Hashed Authenticated Denial of Existence (NSEC3) protocol. As DNSSEC testing, implementation and adoption move forward, we will continue to collaborate with the Internet technical community and participate in industry organisations such as the DNSSEC Coalition.
In addition, we are taking a number of steps to help members of the Internet ecosystem take advantage of DNSSEC. These steps include publishing technical resources, providing an Operational Test Environment and a DNSSEC Interoperability Lab, leading educational sessions, participating in industry forums and developing tools to simplify DNSSEC management.