Home / Blogs

Three Reasons Why It Makes Sense to Deploy DNSSEC Now

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.

As many of you may know, today .ORG announced that all of its 8.5 million domains are now able to be fully DNSSEC signed — the largest set of domain names in the world so far that has access to this key security upgrade. We congratulate Public Interest Registry (PIR) on this landmark event, and are pleased that NamesBeyond is the first domain name registrar to support full DNSSEC signing for all of these domains.

A few years ago, Dan Kaminsky widely exposed a nasty hole on the Internet. Long known as cache poisoning, a problem the domain name system community was familiar with, Dan demonstrated a way of modifying DNS records in a way that would be widespread, catastrophic and not curable by the end-user. Working with security vendors, DNS software companies and operating system creators, a temporary workaround was found for this cache poisoning problem. Of course, at the end of this saga, cache poisoning became forever known as the "Kaminsky bug."

The widespread publicity that the Kaminsky bug got around the world vindicated a decision made in several companies to invest time, effort and money into deploying DNSSEC. The community was split on the value of the DNSSEC effort — many thought the deployment was quixotic, while a few others thought it was appropriate.

Reason 1: DNSSEC is part of the future Internet

With more and more of the world's economy and transactions depending on the Internet, the Domain Name System (DNS) which underpins the Internet is now an essential and required global resource. Business owners expect that service providers such as registrars, registries, and ISPs invest in strong security measures. They also desire a system that is easy to understand, quickly usable and easily manageable. A more secure namespace is going to be the reality for the future.

For over a decade, engineers have been working on implementing DNSSEC. In this process, these engineers have had to explain why they were implementing this technology. As recently as 2007, it became clear that one of the important technologies in the deployment of DNSSEC, called NSEC, needed to be upgraded. Our customers have no interest and really, not much desire to understand why the upgrade was needed; they only wanted to know that it was implemented.

For the registrar, registry and network provider universe, DNSSEC is clearly an essential component of the future of the Internet. What is now a trickle is likely to soon become a flood.

Reason 2: Security can be a differentiator

Dan Kaminsky recently said, "It is in fact possible to have registrars that have much more attention paid for security and treat that as a competitive advantage." The fact, however, is that very few registrars in the marketplace actually leverage these principles in their own practice.

As the marketplace has evolved, the need to guide corporate behavior based on the online safety and well-being of business people and individuals. Three core values: safety, quality and stability, are essential for the proper functioning of the DNS marketplace.

These values can be part of the domain name ecosystem. While registrars, registries and ISPs have to necessarily compete in the overall marketplace on values more than the three above, in the past few years, the biggest element of competition has been price. Volume flows to those who offer among the lowest prices online.

There are those who are building mechanisms that enhance security. It is clear that their hope is to realize a higher value for such services as a result.

Reason 3: Companies will move to a more secure model

As the Internet becomes essential to the success or failure of companies, a move to a more secure model is inevitable. After all, this has already happen in the world of e-commerce, with trust in online transactions being secured by SSL. Companies willingly pay hundreds of dollars to provide enhanced security for their customers.

Once companies understand that their own domain names can be upgraded with DNSSEC so that DNS spoofing becomes impossible, then they will adopt this technology. Especially if this technology is implemented in a way that its benefits are easy to understand, it is easy to access the upgrade, and it is possible to downgrade if necessary.

Dan Kaminsky predicts there will soon come a time where registrars are engaged in a "race to the top", where higher quality and better security becomes the norm. Those who believe in this concept are those who are likely to invest in DNSSEC.

By Uma Murali, President & CEO

Related topics: Cybersecurity, DNS, DNS Security, Domain Names, Registry Services, Top-Level Domains

 
   

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Afilias

DNS Security

Sponsored by Afilias
Verisign

Cybersecurity

Sponsored by Verisign

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Startup League Reports from WebSummit, Lisbon

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

.SPACE Becomes the Choice of the First Ever Space Nation Asgardia

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service