VeriSign Will Support DNSSEC In .com By 2011

alphadogg writes "VeriSign has promised to deploy DNS Security Extensions, known as DNSSEC, across all of its top-level domains within two years. DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered last year. (Yesterday we discussed the workarounds coming into place until the US government signs the Internet's root zone.) DNSSEC has been deployed on top-level domains operated by Sweden, Puerto Rico, Bulgaria, Brazil, and the Czech Republic. Two larger domains — .org operated by the Public Interest Registry and .gov operated by the US government — are deploying DNSSEC this year."

erm...

[XanC]

What takes so long? Why not now?

Re:erm...

[winkydink]

They need time to figure out how to profit from the deployment.

Re:erm...

Many reasons....

The root is just the root...
70 million domains to sign. Think you can just do that on your desktop in a couple of hours? It's going to take an infrastructure of machines to do this. That infrastructure itself is going to need to be secure. And reliable. And backed up. Securely. And with a geographical disaster recovery plan in place. ( A secure one ). And they need to ensure that their root servers ( A and J ) can handle DNSSEC too. Just to be clear, neither A nor J are a single server - you just don't handle more than 50 BILLION queries EVERY SINGLE DAY from a couple of boxes on a T1. VeriSign has a large number of distributed boxes that comprise each root server.

That's just the technology - the easy part. The harder part comes with the business processes needed to support this. New domains will need to be signed. Employees are going to need to be able to do that somehow, but every employee that has access to the root key is a risk to that key Consider that if that key gets compromised the whole stack of cards will come tumbling down, thus requiring those 70M domains to be resigned with a new key. And that new key's cert will need to be published downstream etc. So somehow VeriSign has to come up with business processes that allow new domains to be signed without the root key being compromised. Processes that allow the infrastructure to be administrated and monitored without the root key being compromised etc.

If you're not getting the picture yet, this is really not a trivial exercise.

The good news is that VeriSign has experience with these kinds of problems - running the CAs that sign >90% of the World's PKI certificates has given them that.

Before the usual VeriSign hating slashdot crowd get in here... it's my opinion that VeriSign do a great job with DNS. I can't think of any other service that I pay for that has given me 100% uptime this year alone, let alone for a number of years.

Most corporations strive for five 9s uptime. That allows 5 minutes and 15.35 seconds of downtime in a (non-leap) year. My electricity, water, gas, oil and ISP have all had outages longer than that in the past year, and most of them have outages every year, and yet I pay them a damn sight more than the $7 a year that VeriSign gets for serving my DNS records.

Disclaimer... I'm an ex-employee and small-time stock-holder of VRSN.

DJB causes his own problem here

[DragonHawk]

[citation needed] Or maybe this is "weasel words". In any case, "Says who?"

Everybody *but* DJB. And since DJB has apparently pissed off just about the entire rest of the population of the planet at this point, his pet-project ideas have just about zero chance of being adopted widespread. So, in a very real sense, DNSCurve is by definition the least-good way to secure DNS, because it will never see real adoption.

Whether or not DNSCurve has any good ideas or not doesn't matter, because DJB has burned every bridge to his own little island. And it turns out that a network that doesn't connect to anything isn't very interesting.