Real-World Testing Strengthens DNSSEC Implementation

Chris Klein

With each new real-world test of DNS Security Extensions (DNSSEC), technologists gain a better understanding of how to maximize the security benefits of DNSSEC while minimizing compatibility and implementation issues. As DNSSEC is deployed ever more broadly, this disciplined commitment to testing will be the key to ensuring that the technology achieves its full potential to strengthen trust and security in the DNS.

A recent test of DNSSEC in the .edu domain demonstrated the value of this disciplined approach. Conducted by VeriSign and EDUCAUSE — the nonprofit higher-education group that manages the .edu domain — the testbed process gave universities greater confidence in their ability to effectively implement DNSSEC on their networks.

Even as it helped universities, the testbed also provided critical information that VeriSign can use to ensure that larger DNSSEC implementations are conducted in a way that provides maximum benefit and minimum disruption to users.

The .edu testbed, like the others that have come before it, represents a vital step toward the global deployment of DNSSEC, which will add an important new layer of security to online communication and commerce by limiting the ability of criminals to forge DNS data and putting an end to the serious threat of so-called "cache poisoning."

VeriSign provides registry services for the .edu domain on behalf of EDUCAUSE. With a comparatively small registrant base and highly skilled technical administrators at those registrants' institutions, .edu represented an ideal environment in which to conduct a fully integrated DNSSEC testbed. The process tested interactions between registrants and registrar, as well as between registrar and registry, and culminated in users being able to provision and then perform real-world DNS validations on the DNSSEC-enabled names (via test nameservers).

The testbed gave us an opportunity to take a closer look at some of the continuing challenges to establishing an effective DNSSEC implementation. At a technical level, the activities in the testbed underscored the importance of understanding the more complex operational practices that come along with DNSSEC, including cryptographic-key generation and rollover.

We know from the testbed that we still have work to do to ensure that DNSSEC signing and key-management functions will be simple and transparent to all within the continuum of the key-signing process.

In support of our continuing work to ease the implementation of DNSSEC into the Internet infrastructure, VeriSign is extending this "end-to-end" testing environment to its registrar community for the .com and .net top-level domains. The aim will be to give registrars a place where they can verify their DNSSEC implementations in a controlled environment.

Another resource that VeriSign is offering to registrars and other organizations is our DNSSEC Interoperability Lab. Opened to members of the DNS and Internet communities earlier this year, the DNS Interoperability Lab allows solution and service providers to determine if DNS packets containing DNSSEC information will cause problems for their Internet and enterprise infrastructure components.

The goal of the Interoperability Lab is to help identify and address potential compatibility issues throughout the DNS, from the core of the network to the end-user. Each issue the community can identify today, in a lab setting, is one less that will impact users as DNSSEC reaches global adoption. Companies like Cisco and Juniper have already used the lab to test DNSSEC compatibility.

For VeriSign, all of this testing serves to further the process of implementing DNSSEC in .net and .com in a manner that provides the maximum benefit to users while causing the least confusion and disruption. As we move to implement DNSSEC in much larger, less homogeneous zones, we fully expect the number of issues we discover to increase. But a disciplined approach will ensure that we are prepared for any eventuality.

By Chris Klein, Product Manager at VeriSign
