Home / Blogs

Driving DNSSEC: The Need for Integration of All the Functions Needed

Bruce Van Nice

DNSSEC continues to gain momentum as network operators and domain owners watch and learn from early adopters. The learning process is made easier by efforts such as the ongoing work conducted by researchers at Sandia labs to methodically identify and categorize the kinds of problems that are occurring.

The early experience has validated the need for integration of all the functions needed for DNSSEC. It's not realistic to expect DNS administrators to pull together all the piece parts that are needed. Automation is also essential, if technically astute organizations are tripped up by mandatory maintenance and intricate processes (like rolling over Key Signing Keys) then others will be too.

Evidence of the value of better tools can be found out in the marketplace. Comcast recently promoted their deployment of DNSSEC across their network of more than 18 million subscribers and signing of more than 5000 domains. They've demonstrated DNSSEC can be deployed at massive scale by taking advantage of better DNS software. Adoption of every new technology accelerates when a major player takes the lead, a large scale deployment validates what is possible and positions DNSSEC at the base of the power curve.

DNSSEC has also been on the agenda at the United States Federal Communications Commission (FCC). In a recent speech Julius Genachowski, Chairman of the FCC, not only urged service providers to take voluntary action to deter the spread of botnets, he also urged them to adopt DNSSEC.

ISPs that adopt DNSSEC, Genachowski said, "can provide a real and tangible benefit to the consumers and businesses that rely on them." He pushed ISPs to implement it "as soon as possible."

Directly from his speech: "If they adopt DNSSEC, ISPs can provide a real and tangible benefit to the consumers and businesses that rely on them. DNSSEC is ready to be implemented. Indeed, at least one major U.S. ISP has already completed implementation of DNSSEC."

As security becomes a part of brand equity, service providers and domain owners everywhere will recognize the value of improving their stature. Leadership on the part of large ISPs demonstrate that with the right tools even complex technologies like DNSSEC can be deployed and deliver real benefits to end users. Better still, security also does not have to exist in isolation but can be part of a larger strategy that incorporates other business enhancing initiatives such as subscriber loyalty and business intelligence.

By Bruce Van Nice, Director of Product Marketing at Nominum

Related topics: Cybersecurity, DNS, DNS Security


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


I'm sorry David A. Ulevitch  –  Apr 18, 2012 8:39 PM PDT

Creating an echo chamber doesn't create security.  I'm sorry to be the contrarian here, but this is simply furthering false assumptions.  First, Genachowski is simply repeating already inaccurate rhetoric that he has been supplied. 

Automation is not security.  Automation for DNSSEC is not security. 

DNSSEC doesn't provide encryption (though, shockingly, many technologists I talk with believe it does!). 

DNSSEC centralizes points of failure and introduces brittleness into a robust system.  Key rollover has been a pain point for nearly everyone.  False signings has forced Comcast to short circuit DNSSEC validation (and therefore disabling DNSSEC!). 

The lack of application support makes the difference between an error and a DNSSEC validation equivalent to users which is a terrible user experience.

Lastly, mechanisms to provide trust and authenticity are better deployed in a distributed fashion like the EFF's https://www.eff.org/sovereign-keys project.

There is a big business around pushing DNSSEC, but I'm hard pressed to see how it will actually improve end-user security.

It's not an echo chamber Bruce Van Nice  –  Apr 20, 2012 10:49 AM PDT

Hi David:

Thanks for your comments.

Couple of things – first I am not suggesting automation equals security – but rather DNSSEC can be made more deployable, and some of the early problems can be addressed, with more automated tools.  I don’ think this is an especially controversial point. 

The lack of encryption in DNSSEC isn’t an oversight – it’s by design - so shouldn’t be “shocking”.  The authentication and data integrity services it provides can rightfully be called security. 

It’s not just Genachowski advocating for DNSSEC – as you well know there are a multitude of Internet and security experts who are behind it. 

The good news about our industry is it’s always open to better solutions – that’s the essence of the Internet – perhaps some will emerge in this area.
For now we’ve made a lot of progress with DNSSEC, and as the editorial suggests, with better tools we can make even more, that can only be for the good. 
There is a strong belief that the investment in DNSSEC will pay off when sensitive applications, such as banking or commerce, can truly trust the data they get from the DNS.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative IPv4 trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll