Home / Industry

Internet Infrastructure Leaders Join Movement of Companies Verifying Their Technology for DNSSEC

A trio of Internet infrastructure leaders joined a growing movement of companies testing their technologies with Verisign following a landmark achievement in Internet security. As Verisign has now deployed Domain Name System Security Extensions (DNSSEC) in .net — the largest-ever domain secured by the technology — Arbor Networks, Infoblox and RioRey, have completed testing of their technology solutions in the Verisign DNSSEC Interoperability Lab.

DNSSEC helps protect the Domain Name System (DNS) against so-called "cache poisoning" or "man-in-the-middle" attacks by allowing DNS data to be digitally signed and authenticated. These digital signatures authenticate the origin of the data and verify its integrity as it moves throughout the Internet. At the self-contained Verisign DNSSEC Interoperability Lab facility in Dulles, a wide-range of Internet infrastructure solutions undergo a battery of tests to review how equipment will interoperate in a DNSSEC-enabled environment. Verisign conducts the tests free of charge to encourage use of the service and pave the way for broader DNSSEC adoption.

Arbor Networks, Infoblox and RioRey join a growing number of organizations — including A10 Networks, BlueCat Networks, Brocade, Cisco Systems and Juniper Networks — that have taken advantage of the opportunity to verify their solutions at Verisign's DNSSEC Interoperability Lab. By examining the interoperability of their products with DNSSEC, these companies are participating in the shared effort needed to ensure a measured and deliberate implementation of the security extensions worldwide.

"Arbor Networks is very focused on the problem of infrastructure security and DNS is obviously among the most critical elements of it," said Rob Malan, Arbor Networks Chief Technology Officer. "The Verisign DNSSEC Interoperability Lab allowed us to test our products to review compatibility with DNSSEC. Arbor's customers make up the vast majority of the world's ISPs and many of the largest hosting and data centers operators. This is a critical issue for our customers."

"Systemic vulnerabilities to the DNS, such as cache poisoning, represent a significant threat to e-commerce, online banking, email communications, customer service and even government secrets," said Cricket Liu, Vice President of Architecture and Technology at Infoblox, the leader in network infrastructure automation and control, including physical and virtual DNS, DHCP and IP Address Management platforms. "That's why a successful implementation of DNSSEC is vital, as is the need for the Internet community at large to verify that their solutions are compatible with DNSSEC. On that front, the Verisign DNSSEC Interoperability Lab has proven indispensable."

"As a company whose key focus is to detect and mitigate Distributed Denial of Service (DDoS) attacks, RioRey understands that DNS is essential to the Internet's framework of trust," said Nitin Mehrotra, CTO at RioRey, Inc., a provider of dedicated platforms for DDoS defense. "We knew it was critical to ensure that our solutions were interoperable with DNSSEC by taking advantage of Verisign's robust testing environment, and we would strongly urge all other Internet stakeholders to do likewise."

Cache poisoning attacks can occur when hackers corrupt DNS data stored on recursive servers to redirect queries to malicious sites. With DNSSEC, a hacker's ability to poison the cache is eliminated for the zones that are signed and the resolvers that are validating signed records. The resulting digital signatures on that DNS data are validated by creating a "chain of trust" that starts with the public key, published in the root zone.

"DNSSEC will only be effective if it is implemented from end to end in an effort that is shared across the Internet," said Pat Kane, Senior Vice President and General Manager of Naming Services at Verisign. "Now following the .net signing, Arbor Networks, Infoblox and RioRey are joining a critical group of forward-thinking Internet companies that are showing the leadership and initiative necessary to make this a truly successful community endeavor. We look forward to helping more Internet stakeholders test their solutions at the DNSSEC Interoperability Lab."

DNSSEC testing is growing ever more crucial as the global roll-out of the security extensions continues. DNSSEC was deployed in the DNS root zone in July and in the .net domain in December. Meanwhile, plans call for Verisign to deploy the .com domain by the end of the first quarter 2011.

In addition to operating the DNSSEC Interoperability Lab, Verisign has rolled out a program to ease DNSSEC deployment and adoption for a wide range of Internet stakeholders. Over the past several months, Verisign has published technical resources, led educational sessions, participated in industry forums and developed tools designed to simplify DNSSEC management.

As part of its effort to ease DNSSEC deployment, Verisign is introducing a new iPhone application called the DNSSEC Analyzer, a mobile tool that can assist in diagnosing problems with DNSSEC-signed names and zones. The application will allow a quick diagnosis of any domain name, allowing knowledgeable users to view debugging information and receive useful tips on how to remediate any problems that are discovered.

The company has also actively provided support to its network of registrars for DNSSEC implementation, including a software development kit (SDK) and a DNSSEC signing and key management service following the signing of.net.

More information on Verisign's DNSSEC plans is available here:

About Verisign


As the global leader in domain names, Verisign powers the invisible navigation that takes people to where they want to go on the Internet. For more than 15 years, Verisign has operated the infrastructure for a portfolio of top-level domains that today include .com, .net, .tv, .edu, .gov, .jobs, .name and .cc, as well as two of the world's 13 Internet root servers. Verisign's product suite also includes Distributed Denial of Service (DDoS) Protection Services, iDefense Security Intelligence Services and Managed DNS. (Learn More)

Related topics: DDoS, DNS, DNSSEC, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Related Blogs

Related News


Industry Updates – Sponsored Posts

What's in Your Attack Surface?

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Video Interviews from ICANN 50 in London

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Introducing the Verisign Quarterly DDoS Trends Report

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Sponsored Topics



Sponsored by
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines


Sponsored by


Sponsored by