Slashdot Mirror

← Back to Stories (view on slashdot.org)

VeriSign Will Support DNSSEC In .com By 2011

Posted by kdawson on from the phish-while-you-may dept.

alphadogg writes "VeriSign has promised to deploy DNS Security Extensions, known as DNSSEC, across all of its top-level domains within two years. DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered last year. (Yesterday we discussed the workarounds coming into place until the US government signs the Internet's root zone.) DNSSEC has been deployed on top-level domains operated by Sweden, Puerto Rico, Bulgaria, Brazil, and the Czech Republic. Two larger domains — .org operated by the Public Interest Registry and .gov operated by the US government — are deploying DNSSEC this year."

3 of 39 comments (clear)

  1. Re:erm... by winkydink · · Score: 5, Insightful

    They need time to figure out how to profit from the deployment.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  2. Re:erm... by thue · · Score: 5, Informative

    Because when released it will reduce the profit from their certificate signing business, as people can get end-to-end public key encryption just by updating their DNS entry.

  3. Re:erm... by Anonymous Coward · · Score: 5, Insightful

    Many reasons....

    The root is just the root...
    70 million domains to sign. Think you can just do that on your desktop in a couple of hours? It's going to take an infrastructure of machines to do this. That infrastructure itself is going to need to be secure. And reliable. And backed up. Securely. And with a geographical disaster recovery plan in place. ( A secure one ). And they need to ensure that their root servers ( A and J ) can handle DNSSEC too. Just to be clear, neither A nor J are a single server - you just don't handle more than 50 BILLION queries EVERY SINGLE DAY from a couple of boxes on a T1. VeriSign has a large number of distributed boxes that comprise each root server.

    That's just the technology - the easy part. The harder part comes with the business processes needed to support this. New domains will need to be signed. Employees are going to need to be able to do that somehow, but every employee that has access to the root key is a risk to that key Consider that if that key gets compromised the whole stack of cards will come tumbling down, thus requiring those 70M domains to be resigned with a new key. And that new key's cert will need to be published downstream etc. So somehow VeriSign has to come up with business processes that allow new domains to be signed without the root key being compromised. Processes that allow the infrastructure to be administrated and monitored without the root key being compromised etc.

    If you're not getting the picture yet, this is really not a trivial exercise.

    The good news is that VeriSign has experience with these kinds of problems - running the CAs that sign >90% of the World's PKI certificates has given them that.

    Before the usual VeriSign hating slashdot crowd get in here... it's my opinion that VeriSign do a great job with DNS. I can't think of any other service that I pay for that has given me 100% uptime this year alone, let alone for a number of years.

    Most corporations strive for five 9s uptime. That allows 5 minutes and 15.35 seconds of downtime in a (non-leap) year. My electricity, water, gas, oil and ISP have all had outages longer than that in the past year, and most of them have outages every year, and yet I pay them a damn sight more than the $7 a year that VeriSign gets for serving my DNS records.

    Disclaimer... I'm an ex-employee and small-time stock-holder of VRSN.