A trio of Internet infrastructure leaders joined a growing movement of companies testing their technologies with Verisign following a landmark achievement in Internet security. As Verisign has now deployed Domain Name System Security Extensions (DNSSEC) in .net — the largest-ever domain secured by the technology — Arbor Networks, Infoblox and RioRey, have completed testing of their technology solutions in the Verisign DNSSEC Interoperability Lab.
DNSSEC helps protect the Domain Name System (DNS) against so-called "cache poisoning" or "man-in-the-middle" attacks by allowing DNS data to be digitally signed and authenticated. These digital signatures authenticate the origin of the data and verify its integrity as it moves throughout the Internet. At the self-contained Verisign DNSSEC Interoperability Lab facility in Dulles, a wide-range of Internet infrastructure solutions undergo a battery of tests to review how equipment will interoperate in a DNSSEC-enabled environment. Verisign conducts the tests free of charge to encourage use of the service and pave the way for broader DNSSEC adoption.
Arbor Networks, Infoblox and RioRey join a growing number of organizations — including A10 Networks, BlueCat Networks, Brocade, Cisco Systems and Juniper Networks — that have taken advantage of the opportunity to verify their solutions at Verisign's DNSSEC Interoperability Lab. By examining the interoperability of their products with DNSSEC, these companies are participating in the shared effort needed to ensure a measured and deliberate implementation of the security extensions worldwide.
"Arbor Networks is very focused on the problem of infrastructure security and DNS is obviously among the most critical elements of it," said Rob Malan, Arbor Networks Chief Technology Officer. "The Verisign DNSSEC Interoperability Lab allowed us to test our products to review compatibility with DNSSEC. Arbor's customers make up the vast majority of the world's ISPs and many of the largest hosting and data centers operators. This is a critical issue for our customers."
"Systemic vulnerabilities to the DNS, such as cache poisoning, represent a significant threat to e-commerce, online banking, email communications, customer service and even government secrets," said Cricket Liu, Vice President of Architecture and Technology at Infoblox, the leader in network infrastructure automation and control, including physical and virtual DNS, DHCP and IP Address Management platforms. "That's why a successful implementation of DNSSEC is vital, as is the need for the Internet community at large to verify that their solutions are compatible with DNSSEC. On that front, the Verisign DNSSEC Interoperability Lab has proven indispensable."
"As a company whose key focus is to detect and mitigate Distributed Denial of Service (DDoS) attacks, RioRey understands that DNS is essential to the Internet's framework of trust," said Nitin Mehrotra, CTO at RioRey, Inc., a provider of dedicated platforms for DDoS defense. "We knew it was critical to ensure that our solutions were interoperable with DNSSEC by taking advantage of Verisign's robust testing environment, and we would strongly urge all other Internet stakeholders to do likewise."
Cache poisoning attacks can occur when hackers corrupt DNS data stored on recursive servers to redirect queries to malicious sites. With DNSSEC, a hacker's ability to poison the cache is eliminated for the zones that are signed and the resolvers that are validating signed records. The resulting digital signatures on that DNS data are validated by creating a "chain of trust" that starts with the public key, published in the root zone.
"DNSSEC will only be effective if it is implemented from end to end in an effort that is shared across the Internet," said Pat Kane, Senior Vice President and General Manager of Naming Services at Verisign. "Now following the .net signing, Arbor Networks, Infoblox and RioRey are joining a critical group of forward-thinking Internet companies that are showing the leadership and initiative necessary to make this a truly successful community endeavor. We look forward to helping more Internet stakeholders test their solutions at the DNSSEC Interoperability Lab."
DNSSEC testing is growing ever more crucial as the global roll-out of the security extensions continues. DNSSEC was deployed in the DNS root zone in July and in the .net domain in December. Meanwhile, plans call for Verisign to deploy the .com domain by the end of the first quarter 2011.
In addition to operating the DNSSEC Interoperability Lab, Verisign has rolled out a program to ease DNSSEC deployment and adoption for a wide range of Internet stakeholders. Over the past several months, Verisign has published technical resources, led educational sessions, participated in industry forums and developed tools designed to simplify DNSSEC management.
As part of its effort to ease DNSSEC deployment, Verisign is introducing a new iPhone application called the DNSSEC Analyzer, a mobile tool that can assist in diagnosing problems with DNSSEC-signed names and zones. The application will allow a quick diagnosis of any domain name, allowing knowledgeable users to view debugging information and receive useful tips on how to remediate any problems that are discovered.
The company has also actively provided support to its network of registrars for DNSSEC implementation, including a software development kit (SDK) and a DNSSEC signing and key management service following the signing of.net.
More information on Verisign's DNSSEC plans is available here:
As the global leader in domain names, Verisign powers the invisible navigation that takes people to where they want to go on the Internet. For more than 15 years, Verisign has operated the infrastructure for a portfolio of top-level domains that today include .com, .net, .tv, .edu, .gov, .jobs, .name and .cc, as well as two of the world's 13 Internet root servers. Verisign's product suite also includes Distributed Denial of Service (DDoS) Protection Services, iDefense Security Intelligence Services and Managed DNS. (Learn More)
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines
Neustar DNS Services
Neustar DDoS Protection