DNSSEC for Policymakers

DNSSEC adoption is gaining momentum as governments, financial institutions, internet service providers (ISPs), businesses and other organisations become increasingly aware of DNS-related threats.


The internet plays a critical role in government, commerce, communications and national security programs around the world. Domain Name System Security Extensions (DNSSEC) provides an additional layer of security to help maintain trust in this vital resource. It will be most effective when adopted by the entire internet community. Find out what DNSSEC means for you, issues to consider, and how Verisign is actively participating in the rollout of DNSSEC across the internet.


DNSSEC is most effective when universally implemented - starting at the top of the internet hierarchy (the root zone and top-level domains) and moving down to individual domain names.

The size, complexity and impact of a global DNSSEC effort suggest that policymakers in government and the private sector play a vital role in DNSSEC success. Working at the national and international levels on telecommunications, technical standards, commerce, law enforcement, national security and defence, policymakers have the visibility, influence and reach to positively affect the momentum and course of DNSSEC.

High-Level Benefits

DNSSEC presents opportunities for all members of the internet ecosystem. The most direct and widespread impact is on end users and the organisations they interact with. By adding another layer of security to the internet, DNSSEC provides the following types of benefits:

ECOSYSTEM MEMBER | BENEFIT
Internet community (e.g. website operators involved in e-commerce, government, financial services or business) | Significantly improved security infrastructure that increases trust in the internet
End users | Reduced risk of unintended redirection to fraudulent websites (caused by man-in-the-middle or cache poisoning attacks) which could lead to identity theft and other security compromises
Registrars | Competitive advantage for early adopters; opportunity to provide revenue-generating, enhanced security offerings to customers
Internet service providers (ISPs) | Increased data security for internet users who take advantage of an ISP’s name server service for internet navigation
Hardware and software vendors | Opportunity to provide new products and solutions

DNSSEC implementation is not a trivial task. It requires considerable resources, documentation, testing and industry coordination. It also introduces complex changes that affect some members of the internet ecosystem more than others. You will need to consider these complexities when recommending or implementing policies, timelines and other guidelines.

  • Registrars must upgrade their systems to interface with a DNSSEC-enabled registry, provide a mechanism for customers to send their DNSSEC key material to the registrar, and (if the registrar provides DNS hosting services) add complex, resource-intensive DNSSEC key management and signing services.
  • ISPs must enable DNSSEC on their recursive name servers, ensure device compatibility and be mindful that DNSSEC response packets are potentially larger than traditional DNS packets and may increase bandwidth requirements.
  • Hardware and software vendors must upgrade existing products and develop new products that are compatible with DNSSEC and support DNSSEC services.

Each of these processes is complex, impacts system operations, requires extensive testing and can take many months.

Any rollout of DNSSEC should proceed in phases, especially for the reliable operation of globally crucial top-level domains (TLDs) such as .com and .net. Long-term strategy, planning and collaboration - not only within and across organisations and industries, but also internationally - create a strong foundation for successful implementation.

Verisign is committed to serving as a trusted steward of the internet. As the registry for .com and .net and a provider of critical internet infrastructure services, our goal is to enable the internet’s future innovations while protecting the internet community from new and emerging cyber threats. Our work on DNSSEC is another step in our ongoing fortification of, and investment in, critical internet infrastructure.

Verisign has been involved in DNSSEC development since 2000, and our engineers played a leading role in the development of the DNSSEC Hashed Authenticated Denial of Existence (NSEC3) protocol. As DNSSEC testing, implementation and adoption move forward, we continue to collaborate with the internet technical community and participate in industry organisations such as the DNSSEC Coalition.

To assist with understanding the implications of a DNSSEC-enabled environment, Verisign deployed a DNSSEC Interoperability Lab. The Interoperability Lab was a standalone environment with a suite of more than 8,000 test cases and allowed members of the IT community to test the compatibility of their internet and business infrastructure components with DNSSEC.

In July 2010, Verisign - working with the Internet Assigned Numbers Authority (IANA) and the US Department of Commerce (DoC) - completed deployment of DNSSEC in the root zone (the starting point of the DNS hierarchy). Verisign also enabled DNSSEC for .edu in July in collaboration with EDUCAUSE and the DoC, .net in December 2010 and .com in March 2011. In addition, a number of top-level domains (TLDs) have been signed by other registries, including .gov and .org, and country code TLD names for Brazil, Bulgaria, Czech Republic, Puerto Rico and Sweden.

In addition, we are taking many steps to help members of the internet ecosystem take advantage of DNSSEC. These steps include publishing technical resources, providing an Operational Test Environment, leading educational sessions, participating in industry forums and developing tools to simplify DNSSEC management.
