VeriSign Introduces Services to Simplify DNSSEC Deployment
VeriSign has announced a new service that it hopes will make DNSSEC adoption easier on network administrators.
In the summer of 2008, Dan Kaminsky demonstrated the inherent vulnerability in unsecured DNS. Since then, Top Level Domain (TLD) registries and registrars have been racing to secure their infrastructure with DNSSEC (DNS Security Extensions), which provide a degree of cryptographic authenticity to DNS information.
"DNSSEC introduces new parameters to DNS that were not previously part of the provisioning and management process," Pat Kane, Assistant General Manager of Naming Services at VeriSign, told InternetNews.com. "DNSSEC introduces the concept of cryptographically signing domain names and the concept of expiring signatures."
Kane added that DNSSEC also adds a signing step to the process of updating a DNS zone. The signing process involves constant, ongoing maintenance, including periodic re-signing to refresh signatures; if that re-signing is not performed, validation failures will result.
"In addition, DNSSEC also introduces key management, which is completely new to DNS," Kane said. "The keys must be kept safe, since the security of DNSSEC relies on the security of the cryptographic keys. The keys need to be handled properly and this is a skill set not everyone has."
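The expiring signatures Kane describes can be monitored by the zone operator before validators start rejecting answers. The following is an added example, not code from the article or from VeriSign: it parses RRSIG records in the RFC 4034 presentation format and flags signatures that have expired or are due for re-signing. The sample records, zone name, key tag and seven-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: records as a DNS lookup tool would print them.
# Zone name, key tag (12345) and signature data (AAAA) are placeholders.
SAMPLE = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20240115000000 20240101000000 12345 example.test. AAAA
example.test. 3600 IN RRSIG NS 8 2 3600 20240203000000 20240104000000 12345 example.test. AAAA
www.example.test. 300 IN RRSIG A 8 3 300 20240108000000 20231225000000 12345 example.test. AAAA
example.test. 3600 IN A 192.0.2.10
"""

def _ts(field):
    # RFC 4034: 14 digits means YYYYMMDDHHmmSS (UTC); otherwise seconds since the epoch.
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, covered_type, inception, expiration) for each RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        # owner TTL class RRSIG covered alg labels orig-ttl expiration inception tag signer sig
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        yield f[0], f[4], _ts(f[9]), _ts(f[8])

def audit(text, now, warn=timedelta(days=7)):
    """Classify each signature by how close it is to failing validation."""
    report = []
    for owner, covered, inception, expiration in parse_rrsigs(text):
        if now > expiration:
            status = "EXPIRED"        # validators will reject this RRset
        elif now < inception:
            status = "NOT_YET_VALID"  # usually clock skew on the signer
        elif expiration - now <= warn:
            status = "RESIGN_SOON"    # inside the warning window (assumed 7 days)
        else:
            status = "OK"
        report.append((owner, covered, status))
    return report

if __name__ == "__main__":
    fixed_now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # fixed so output is repeatable
    for row in audit(SAMPLE, fixed_now):
        print(*row)
```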