VeriSign Strengthens DNS For IPv6
As VeriSign works to ready its other systems for IPv6, it helps scale DNS for the challenge ahead.
Sitting at the heart of the Internet itself are the key A and J root DNS servers (define) that help to ensure that Internet traffic goes where it's intended.
So it only makes sense that for the coming IPv6 adoption to actually occur, those two root servers need to be on-board. Fortunately, that's exactly what's happening.
In an e-mail sent to InternetNews.com, VeriSign CTO Ken Silva confirmed that his company, which operates the two root servers, took part in the recent addition of IPv6 records to root DNS servers.
VeriSign said it has been working with the Internet Assigned Numbers Authority (IANA) -- the organization that assigns IP addresses -- on this enhancement to the root servers. The association mandated that by Feb. 4, at least four of the key root DNS servers must include AAAA records, which identify IPv6 addresses.
Thee addition of AAAA records, "enables the root servers to be queried and respond within the IPv6 network environment," Silva said.
The effort represents just a portion of the efforts VeriSign is undertaking as it seeks to ensure its DNS infrastructure can meet the demands of IPv6 -- and the growing needs of the Internet as a whole.
Last year, the company announced Project Titan, a multi-year initiative to strengthen the critical Internet infrastructure and expand its capacity tenfold by the year 2010.
VeriSign has previously stated the value of the Titan investment to be in the $100 million range. The initiative is expected to scale VeriSign's infrastructure from 20 gigabits per second (Gbps) capacity to more than 200Gbps. It's also expected to expand the daily DNS query volume that VeriSign can handle from 400 billion to 4 trillion.
VeriSign is also planning on increasing the security of DNS with DNS Security Extensions (DNSSEC), specifications that add integrity and authentication checks to DNS data. Silva said VeriSign is launching a DNSSEC testing effort in second quarter as part of that effort.
DNSSEC isn't new to the broader DNS world outside of VeriSign, with the leading open source BIND DNS server having included DNSSEC for years.
"Implementing DNSSEC in BIND is only one of many components required to enable DNSSEC in the root zone," Silva said. "VeriSign's test bed is intended to facilitate the technical progress and operational processes, as well as the policy issues that must be addressed in order to fully DNSSEC-enable the root."
The goal of such efforts is to have the root zone anchor the global chain of trust for TLD (define) registry operators who implement DNSSEC within their TLDs, and for registrars who provide DNSSEC services for their customers.
"It means the root process will include the ability for the root zone and TLDs to add their keys to the process for their zones," Silva said.
In addition to the security and IPv6 improvement, VeriSign is also working on improving the efficiency of its root-zone DNS.
"VeriSign has deployed a new automated, root-zone provisioning system for operational testing in coordination with IANA," Silva said. "Upon the completion of testing by IANA, this system will provide an easier interface for TLD registry operators to submit changes to update to the root zone."
The general idea behind the system is to increase the overall efficiency, accuracy and speed of DNS changes by automating processes that are currently very time-consuming and cumbersome.
"These key security and operational upgrades are vital to managing the surge in Internet interactions and helping to protect against cyber attacks that are growing in both scale and sophistication," Silva said.
Article courtesy of InternetNews.com