As many of you may know, today .ORG announced that all of its 8.5 million domains are now able to be fully DNSSEC signed — the largest set of domain names in the world so far that has access to this key security upgrade. We congratulate Public Interest Registry (PIR) on this landmark event, and are pleased that NamesBeyond is the first domain name registrar to support full DNSSEC signing for all of these domains.
A few years ago, Dan Kaminsky widely exposed a nasty hole on the Internet. The underlying problem, long known as cache poisoning, was one the domain name system community was familiar with, but Dan demonstrated a way of modifying DNS records that would be widespread, catastrophic and not curable by the end-user. Working with security vendors, DNS software companies and operating system creators, a temporary workaround was found for this cache poisoning problem. Of course, at the end of this saga, cache poisoning became forever known as the "Kaminsky bug."
The widespread publicity that the Kaminsky bug got around the world vindicated a decision made in several companies to invest time, effort and money into deploying DNSSEC. The community was split on the value of the DNSSEC effort — many thought the deployment was quixotic, while a few others thought it was appropriate.
Reason 1: DNSSEC is part of the future Internet
With more and more of the world's economy and transactions depending on the Internet, the Domain Name System (DNS) which underpins the Internet is now an essential and required global resource. Business owners expect that service providers such as registrars, registries, and ISPs invest in strong security measures. They also desire a system that is easy to understand, quickly usable and easily manageable. A more secure namespace is going to be the reality for the future.
For over a decade, engineers have been working on implementing DNSSEC. In this process, these engineers have had to explain why they were implementing this technology. As recently as 2007, it became clear that one of the important technologies in the deployment of DNSSEC, called NSEC, needed to be upgraded. Our customers have no interest in, and really not much desire to understand, why the upgrade was needed; they only wanted to know that it was implemented.
For the registrar, registry and network provider universe, DNSSEC is clearly an essential component of the future of the Internet. What is now a trickle is likely to soon become a flood.
Reason 2: Security can be a differentiator
Dan Kaminsky recently said, "It is in fact possible to have registrars that have much more attention paid for security and treat that as a competitive advantage." The fact, however, is that very few registrars in the marketplace actually leverage these principles in their own practice.
As the marketplace has evolved, so has the need to guide corporate behavior based on the online safety and well-being of business people and individuals. Three core values (safety, quality and stability) are essential for the proper functioning of the DNS marketplace.
These values can be part of the domain name ecosystem. While registrars, registries and ISPs necessarily have to compete in the overall marketplace on more than the three values above, in the past few years the biggest element of competition has been price. Volume flows to those who offer among the lowest prices online.
There are those who are building mechanisms that enhance security. It is clear that their hope is to realize a higher value for such services as a result.
Reason 3: Companies will move to a more secure model
As the Internet becomes essential to the success or failure of companies, a move to a more secure model is inevitable. After all, this has already happened in the world of e-commerce, with trust in online transactions being secured by SSL. Companies willingly pay hundreds of dollars to provide enhanced security for their customers.
Once companies understand that their own domain names can be upgraded with DNSSEC so that DNS spoofing becomes impossible, they will adopt this technology, especially if it is implemented in such a way that its benefits are easy to understand, the upgrade is easy to access, and it is possible to downgrade if necessary.
Dan Kaminsky predicts there will soon come a time when registrars are engaged in a "race to the top", where higher quality and better security become the norm. Those who believe in this concept are those who are likely to invest in DNSSEC.
By Uma Murali, President & CEO