VeriSign is reporting no serious problems with its ongoing deployment of DNS Security Extensions (DNSSEC) on the Internet's root servers and on the top-level domain servers that it operates, including the systems that power the popular .com and .net domains.
Matt Larson, vice president of DNS Research at VeriSign, says the registry operator is on schedule with its rollout of DNSSEC, an emerging Internet standard that prevents spoofing attacks by allowing websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS heirarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.
Once it is widely deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
"The planned date for the root servers supporting DNSSEC is 1 July, and we're still proceeding with that date," Larson says. "We've started roll out of the signed root on two of the 13 root servers, and those deployments have gone well. We've not had any indication from our measurement or analysis that there's a problem with that date… Everything is proceeding nicely with the root servers, and the same is true with .com, .net and .edu."
Larson says VeriSign will support DNSSEC in the .edu domain used by US colleges and universities in the second quarter, and in the .net domain used by carriers and service providers in the fourth quarter.
The .com domain - the Internet's most popular top-level domain with more than 80 million registered names - will support DNSSEC in the first quarter of 2011, VeriSign says.
The only difficulty that VeriSign has run into with its DNSSEC deployments is that some legacy hardware and software such as firewalls and load balancers can't handle the larger packets that are sent with DNSSEC.
"DNSSEC-enabled traffic is slightly different than the DNS traffic we've had in the past. The packets are larger…Based on anecdotal information, there are some pieces of equipment that have issues with this," Larson says, pointing out that some network gear has default configurations limiting DNS packets to 512 bytes whereas DNSSEC packets can be as large as 4KB.
To help the Internet industry prepare for DNSSEC, VeriSign has opened an interoperability lab in Dulles, Va., where network hardware and software vendors can test their products to make sure they support DNSSEC. Cisco and Juniper Networks are among the vendors that have been testing their products in the VeriSign lab.
"We're not certifying equipment, and we're not doing performance testing," Larson says. "Our interoperability lab is a free service for anybody who wants to see how their gear is going to fare in the DNSSEC environment. We will run our battery of tests, and it's up to them to decide what to do."
VeriSign says it opened the interoperability lab because it is trying to promote DNSSEC.
"We are investing in signing the root zone and signing .com and .net, but doing that alone won't be enough for DNSSEC deployment," Larson says. "The idea [of the interoperability lab] is to highlight the issue so everybody on the Internet is aware that DNSSEC is coming."
Momentum has been building for DNSSEC since the Kaminsky bug was discovered.
Other top-level domains that are in the process of deploying DNSSEC or have already done so include the US federal government's .gov domain, the Public Interest Registry's .org domain for non-profits and country code top-level domains operated by Sweden, Puerto Rico, Bulgaria and Brazil.
In other DNSSEC news, Comcast is the first US carrier to announce a public trial of its DNSSEC signing and resolution services