Home / Blogs

Three Reasons Why It Makes Sense to Deploy DNSSEC Now

As many of you may know, today .ORG announced that all of its 8.5 million domains are now able to be fully DNSSEC signed — the largest set of domain names in the world so far that has access to this key security upgrade. We congratulate Public Interest Registry (PIR) on this landmark event, and are pleased that NamesBeyond is the first domain name registrar to support full DNSSEC signing for all of these domains.

A few years ago, Dan Kaminsky widely exposed a nasty hole on the Internet. Long known as cache poisoning, a problem the domain name system community was familiar with, Dan demonstrated a way of modifying DNS records in a way that would be widespread, catastrophic and not curable by the end-user. Working with security vendors, DNS software companies and operating system creators, a temporary workaround was found for this cache poisoning problem. Of course, at the end of this saga, cache poisoning became forever known as the "Kaminsky bug."

The widespread publicity that the Kaminsky bug got around the world vindicated a decision made in several companies to invest time, effort and money into deploying DNSSEC. The community was split on the value of the DNSSEC effort — many thought the deployment was quixotic, while a few others thought it was appropriate.

Reason 1: DNSSEC is part of the future Internet

With more and more of the world's economy and transactions depending on the Internet, the Domain Name System (DNS) which underpins the Internet is now an essential and required global resource. Business owners expect that service providers such as registrars, registries, and ISPs invest in strong security measures. They also desire a system that is easy to understand, quickly usable and easily manageable. A more secure namespace is going to be the reality for the future.

For over a decade, engineers have been working on implementing DNSSEC. In this process, these engineers have had to explain why they were implementing this technology. As recently as 2007, it became clear that one of the important technologies in the deployment of DNSSEC, called NSEC, needed to be upgraded. Our customers have no interest and really, not much desire to understand why the upgrade was needed; they only wanted to know that it was implemented.

For the registrar, registry and network provider universe, DNSSEC is clearly an essential component of the future of the Internet. What is now a trickle is likely to soon become a flood.

Reason 2: Security can be a differentiator

Dan Kaminsky recently said, "It is in fact possible to have registrars that have much more attention paid for security and treat that as a competitive advantage." The fact, however, is that very few registrars in the marketplace actually leverage these principles in their own practice.

As the marketplace has evolved, the need to guide corporate behavior based on the online safety and well-being of business people and individuals. Three core values: safety, quality and stability, are essential for the proper functioning of the DNS marketplace.

These values can be part of the domain name ecosystem. While registrars, registries and ISPs have to necessarily compete in the overall marketplace on values more than the three above, in the past few years, the biggest element of competition has been price. Volume flows to those who offer among the lowest prices online.

There are those who are building mechanisms that enhance security. It is clear that their hope is to realize a higher value for such services as a result.

Reason 3: Companies will move to a more secure model

As the Internet becomes essential to the success or failure of companies, a move to a more secure model is inevitable. After all, this has already happen in the world of e-commerce, with trust in online transactions being secured by SSL. Companies willingly pay hundreds of dollars to provide enhanced security for their customers.

Once companies understand that their own domain names can be upgraded with DNSSEC so that DNS spoofing becomes impossible, then they will adopt this technology. Especially if this technology is implemented in a way that its benefits are easy to understand, it is easy to access the upgrade, and it is possible to downgrade if necessary.

Dan Kaminsky predicts there will soon come a time where registrars are engaged in a "race to the top", where higher quality and better security becomes the norm. Those who believe in this concept are those who are likely to invest in DNSSEC.

By Uma Murali, President & CEO

Related topics: DNS, DNS Security, Domain Names, Registry Services, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Officially Compromised Privacy

The Emotional Cost of Cybercrime

Why I Wrote 'Thinking Security'

Regulation and Reason

In Network Security Design, It's About the Users

Related News


Industry Updates – Sponsored Posts

Radix's .ONLINE Fastest to Sell 100,000 Domains

.PRO Domains Now Available to All

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Protect Your Privacy - Opt Out of Public DNS Data Collection

The ".law" Domain Gains Momentum Throughout the Legal Profession

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Measuring DNS Performance for the User Experience

LogicBoxes Announces Pioneer Registrar Program

Portfolio Update: October Launches and Renewal Rates

We're Moving Forward. You Coming?

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

City of Miami 3rd in U.S. to Launch Dedicated TLD

Internet Grows to 296 Million Domain Names in Q2 2015

.Online Becomes the Fastest TLD to Sell 50,000 Domains

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

.ONLINE GA Launches with 28,000 Registrations in the First 30 Minutes

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

.ONLINE Sees the Biggest Generic Sunrise Ever

Sponsored Topics