As the Internet continues to expand, we are committed to creating and driving advancements that keep the Internet fast, safe, and reliable for all users.
What is the DNS?
The DNS is the addressing system for the Internet. Almost anything that interfaces with the Internet (e.g., computers, mobile devices, laptops, ATMs, and POS terminals) relies on DNS services to exchange information. DNS uses specialized servers to translate (or resolve) names such as www.verisigninc.com into numeric addresses that allow data and information to reach its destination. All Internet applications—ranging from websites, email, social networking, and online banking to Voice over Internet Protocol (VoIP), file sharing, and video on demand—depend on the accuracy and integrity of this translation. Without the DNS, the Internet cannot function. The DNS is integral to a nation's critical infrastructure, online business operations and financial transactions, and all Internet-based communications.
How does the DNS work?
The domain name space consists of a tree of domain names, subdivided into zones. The top-level or root zone is administered by the U.S. Department of Commerce (DoC) and jointly managed by Verisign and the Internet Assigned Numbers Authority (IANA) functions operator, who maintain the data in the root name servers.
A DNS zone consists of a collection of connected nodes served by an authoritative name server. Authoritative name servers for different zones are responsible for publishing the mappings of domain names to IP addresses. Each node or leaf in the tree has zero or more resource records that hold information associated with the domain name. Every domain name ends with a top-level domain (TLD) such as .com or .tv.
For the Internet to function and to prevent duplication of domain names, there must be one authoritative place to register a domain name. Each TLD has an authoritative registry, which manages a centralized database. The registry propagates the information about domain names and IP addresses in TLD zone files. TLD zone files map active second-level domain names (the portion of the domain name that appears immediately to the left of ".") to the unique IP addresses of the name servers.
Why is DNS vulnerable?
The process of translating a domain name into an IP address is called DNS resolution. When someone types a domain name, such as www.verisigninc.com, into a web browser, the browser contacts a name server to obtain the corresponding IP address. There are two types of name servers: authoritative name servers, which store complete information about a zone, and recursive name servers, which answer DNS queries for Internet users and store DNS response results for a period of time. When a recursive name server receives a response, it caches (stores) it to speed up subsequent queries. Caching helps reduce the number of information requests required, but it is susceptible to man-in-the-middle attacks.
As a result of these attacks, cyber criminals can:
What is cache poisoning?
Cache poisoning occurs when fraudulent DNS data is inserted into the cache of a recursive name server. Recursive name servers temporarily store, or cache, information learned during the name resolution process, but without DNSSEC they have no way to ensure the validity and accuracy of this information. When malicious information is cached on the recursive name server, the server is considered "poisoned." Cache poisoning allows an attacker to redirect traffic to fraudulent sites.
What are man-in-the-middle (MITM) attacks?
A MITM attack surreptitiously intercepts and modifies communications between two systems. The attacker can potentially modify the communication to redirect traffic to an illegitimate address or website. End users do not detect the "man in the middle" and assume that they are communicating directly with their intended destination.
What does DNSSEC do?
DNSSEC protects the Internet community from forged DNS data by using public key cryptography to digitally sign authoritative zone data. DNSSEC validation assures users that the data originated from the stated source and that it was not modified in transit. DNSSEC can also prove that a domain name does not exist.
Although DNSSEC enhances DNS security, it's not a comprehensive solution. It does not protect against distributed denial of service (DDoS) attacks, ensure confidentiality of data exchanges, encrypt website data, or prevent IP address spoofing and phishing. Other layers of protection, such as DDoS mitigation, security intelligence, Secure Sockets Layer (SSL) encryption and site validation, and two-factor authentication, are also critical to making the Internet more secure. These mechanisms should be used in conjunction with DNSSEC.
Who benefits from DNSSEC?
DNSSEC affects every component within the Internet infrastructure ecosystem. Its effective deployment requires the involvement of many stakeholders within the Internet community. Registries, registrars, domain name registrants, hardware and software vendors, ISPs, government entities, and ordinary Internet users all have roles to play to ensure success and bring vital improvements to Internet security.
DNSSEC benefits:
How does DNSSEC work?
In DNSSEC, each zone has a public/private key pair. The zone's public key is published using DNS, while the zone's private key is kept safe and ideally stored offline. A zone's private key signs individual DNS data in that zone, creating digital signatures that are also published with DNS.
DNSSEC uses a rigid trust model, and this chain of trust flows from parent zone to child zone. Higher-level (parent) zones sign—or vouch for—the public keys of lower-level (child) zones. The authoritative name servers for these zones may be managed by registrars, ISPs, web hosting companies, or website operators (registrants) themselves.
When an end user wants to access a website, a stub resolver within the user's operating system requests the domain name record from a recursive name server, located at an ISP. After the server requests this record, it also requests the DNSSEC key associated with the zone. This key allows the server to verify that the information it receives is identical to the record on the authoritative name server.
If the recursive name server determines that the address record has been sent by the authoritative name server and has not been altered in transit, it resolves the domain name and the user can access the site. This process is called validation. If the address record has been modified or is not from the stated source, the recursive name server does not allow the user to reach the fraudulent address. DNSSEC can also prove that a domain name does not exist.
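The parent-vouches-for-child step described above works through a DS record: the parent publishes a hash of the child's public key (its DNSKEY), and a validating resolver checks that the DNSKEY it learns from the child matches that hash before trusting anything the child signed. The following is an added example, not code from this page or from Verisign; it builds the DS record the way RFC 4034 specifies (key tag plus SHA-256 digest over the owner name and DNSKEY RDATA) and performs the resolver-side match. The key bytes, zone name and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in DNS wire format (lowercased, as DNSSEC canonical form requires)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA layout: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (an identifier, not a cryptographic check).
    Applies to every algorithm except the obsolete RSA/MD5 (algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name (wire format) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes):
    """Parent-zone side: the DS tuple (key tag, algorithm, digest type, digest) to publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (key_tag(rdata), algorithm, 2, ds_digest(owner, rdata))


def validator_accepts(owner: str, ds, flags: int, protocol: int, algorithm: int, public_key: bytes) -> bool:
    """Resolver side: does the DNSKEY received from the child match the parent's DS?
    A swapped key or a DS copied from another zone fails here and the chain of trust breaks."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    tag, alg, digest_type, digest = ds
    return (tag == key_tag(rdata) and alg == algorithm and digest_type == 2
            and hmac.compare_digest(digest, ds_digest(owner, rdata)))


if __name__ == "__main__":
    # Constructed key material for demonstration only; flags 257 marks a key-signing key.
    KEY = b"\x01\x02\x03\x04"
    ds = make_ds("example.com.", 257, 3, 13, KEY)
    print("key tag:", ds[0], "matches:", validator_accepts("example.com.", ds, 257, 3, 13, KEY))
```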
How well does DNSSEC solve the overall problem of Internet security?
There are many pieces to the overall puzzle of Internet security. DNSSEC may mitigate the security concerns generated by man-in-the-middle attacks and cache poisoning, but it is not an overall security solution. DNSSEC does not solve many of the most common threats to Internet security, like spoofing or phishing. For this reason, other layers of protection, such as SSL certificates and two-factor authentication, are critical to making the Internet secure for everyone.
How would a user be informed of an attack?
The Internet community has not yet devised a standardized system for informing users of an attack. One possible solution is to develop "DNSSEC-aware" browsers that notify users that they have been routed to an authenticated destination.
What is Verisign doing to implement DNSSEC?
In July 2010, Verisign—working with the Internet Assigned Numbers Authority (IANA) and the U.S. Department of Commerce (DoC)—completed deployment of DNSSEC in the root zone (the starting point of the DNS hierarchy). Verisign also enabled DNSSEC on .edu in July 2010 in collaboration with EDUCAUSE and the DoC, on .net in December 2010, and on .com in March 2011.
What is Verisign's DNSSEC deployment strategy?
Our DNSSEC deployment strategy started with the smaller zones first in order to evaluate each deployment for lessons learned before moving to the next zone. Because the .com zone is the largest, we signed it last. We wanted to gain as much experience as possible before tackling the domain that handles so much of the world's Internet-based commerce and communications.
What's required to make DNSSEC a success?
The successful deployment of DNSSEC has far-reaching benefits for the global Internet community by increasing trust for a multitude of Internet activities, including e-commerce, online banking, email, VoIP, and online software distribution. However, the entire Internet community shares the responsibility for making DNSSEC successful. Success requires the active, coordinated participation of registries, registrars, registrants, hosting companies, software developers, hardware vendors, government, and Internet technologists and coalitions.
Who has adopted or deployed DNSSEC?
The Internet root zone, top-level domains (TLDs) such as .gov, .org, .museum, and a number of country code TLDs (ccTLDs), have signed the zones that they manage. Other TLDs such as .edu, .net, and .com implemented DNSSEC in 2010 and 2011. These TLDs have started accepting second-level DNSSEC-signed domain names. Large ISPs such as Comcast activated validation on the recursive name servers that answer user queries, and some registrars have included DNSSEC implementation on their roadmaps. In addition, the Internet Corporation for Assigned Names and Numbers (ICANN) has opened applications for new TLDs, and it is likely that plans for DNSSEC implementation will be a requirement for acceptance of a new TLD request.
Once DNSSEC is deployed, do I still need Secure Sockets Layer (SSL)?
Although both DNSSEC and SSL rely on public key cryptography, they each perform very different functions that complement, rather than replace, one another.
In a very simplistic model, DNSSEC deals with "where", and SSL deals with "who" and "how."
When woven together, DNSSEC and SSL increase security and trust on the Internet: Users can reliably ascertain where they are going, who they are interacting with, and how confidential their interactions are.
Is DNSSEC required by law or industry standards?
In the U.S., the Office of Management and Budget (OMB) memo 08-23 mandated that DNSSEC be deployed in the top-level .gov domain by January 2009 and that U.S. federal agencies deploy DNSSEC on external sites by December 2009. The .gov registry was signed in early 2009. The U.S. Defense Information Systems Agency intends to meet OMB DNSSEC requirements in the .mil domain as well. The U.S. Federal Information Security Management Act (FISMA) regulations called for agencies to sign their intranet zones with DNSSEC by the middle of 2010. Currently, there are no requirements for public website operators to secure their domain with DNSSEC.
What's the history of DNSSEC?
1993: Discussion of secure DNS begins
1994: First draft of possible standard published
1997: RFC 2065 published (DNSSEC is an IETF standard)
1999: RFC 2535 published (DNSSEC standard is revised)
2005: Total rewrite of standards published
RFC 4033 (Introduction and Requirements)
RFC 4034 (New Resource Records)
RFC 4035 (Protocol Changes)
July 2010: Root zone signed
July 2010: .edu signed
December 2010: .net signed
February 2011: DNSSEC-enabled .gov registry is transitioned to Verisign
March 2011: .com signed
March 2011: Verisign Managed DNS service is enhanced with full support for DNSSEC compliance
January 2012: Comcast announces that its customers are using DNSSEC-validating resolvers
March 2012: Number of TLDs signed grows to 90
How does the implementation of DNSSEC impact registrars?
Registrars need to sign the domain names for their customers (registrants). Enabling DNSSEC for a registrant involves creating private/public key pairs for the domain name, creating and signing the zone, and managing the key pairs. These processes ensure that DNSSEC-enabled resolvers within the Internet ecosystem can verify the authenticity of responses received from the zone. Registrars also need to modify the interface to their customers to accept DNSSEC key data. In addition, they need to modify their Extensible Provisioning Protocol (EPP) interface to pass DNSSEC key data to the registries with which they interact.
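The EPP change mentioned above has a standard shape: the registrar sends the registry a domain update carrying the registrant's DS data in the secDNS extension (RFC 5910, namespace secDNS-1.1), and the registry publishes those DS records in the TLD zone. The following is an added example, not code from this page or from Verisign; it builds such an update and parses the DS data back out as a registry would. The function names, transaction id and DS values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"

# Register prefixes so the output uses the conventional EPP names instead of ns0/ns1.
ET.register_namespace("", EPP_NS)
ET.register_namespace("domain", DOMAIN_NS)
ET.register_namespace("secDNS", SECDNS_NS)


def secdns_update_xml(domain: str, ds_records, cltrid: str) -> bytes:
    """Registrar side: an EPP <update> that adds DS records to an existing domain.
    ds_records is an iterable of (key_tag, algorithm, digest_type, hex_digest) tuples."""
    epp = ET.Element(f"{{{EPP_NS}}}epp")
    command = ET.SubElement(epp, f"{{{EPP_NS}}}command")
    update = ET.SubElement(command, f"{{{EPP_NS}}}update")
    dom = ET.SubElement(update, f"{{{DOMAIN_NS}}}update")
    ET.SubElement(dom, f"{{{DOMAIN_NS}}}name").text = domain
    ext = ET.SubElement(command, f"{{{EPP_NS}}}extension")
    sec = ET.SubElement(ext, f"{{{SECDNS_NS}}}update")
    add = ET.SubElement(sec, f"{{{SECDNS_NS}}}add")
    for key_tag, alg, digest_type, digest in ds_records:
        ds = ET.SubElement(add, f"{{{SECDNS_NS}}}dsData")
        ET.SubElement(ds, f"{{{SECDNS_NS}}}keyTag").text = str(key_tag)
        ET.SubElement(ds, f"{{{SECDNS_NS}}}alg").text = str(alg)
        ET.SubElement(ds, f"{{{SECDNS_NS}}}digestType").text = str(digest_type)
        ET.SubElement(ds, f"{{{SECDNS_NS}}}digest").text = digest.upper()
    # Client transaction id, echoed back by the registry in its response.
    ET.SubElement(command, f"{{{EPP_NS}}}clTRID").text = cltrid
    return ET.tostring(epp, encoding="utf-8", xml_declaration=True)


def ds_records_in(xml_bytes: bytes):
    """Registry side: extract the DS records carried in a received secDNS update."""
    root = ET.fromstring(xml_bytes)
    fields = ("keyTag", "alg", "digestType", "digest")
    return [tuple(ds.find(f"{{{SECDNS_NS}}}{f}").text for f in fields)
            for ds in root.iter(f"{{{SECDNS_NS}}}dsData")]


if __name__ == "__main__":
    # Constructed DS data: key tag 2068, algorithm 13 (ECDSA P-256), SHA-256 digest type 2.
    msg = secdns_update_xml("example.com", [(2068, 13, 2, "ab" * 32)], "ABC-12345")
    print(msg.decode())
    print(ds_records_in(msg))
```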
What is Verisign doing to help .com/.net registrars?
Verisign is committed to driving down the DNSSEC implementation costs for registrars and helping our registrar affiliates determine their DNSSEC deployment strategies. Verisign provides a number of tools, trainings, services, and support to help registrars with their key management processes and with deployment of DNSSEC in their DNS servers.
This support includes:
Are consumers able to purchase DNSSEC? How does this work?
Verisign has invested in DNSSEC to fortify the Internet infrastructure. Registrars and/or service providers may choose to develop services to enable DNSSEC for their customers. The market will determine the model.
What do Internet service providers (ISPs) need to do?
To help propagate DNSSEC throughout the Internet ecosystem, ISPs need to enable DNSSEC on their recursive name servers and ensure compatibility of their network infrastructure (e.g., firewalls, routers, switches, and load balancers) with the larger DNS responses that DNSSEC generates.
Most commercially available recursive name servers already support DNSSEC and require only an update or parameter change. However, registrars may have to upgrade or replace legacy name servers and existing networking devices.
What role do hardware vendors play in DNSSEC?
DNSSEC introduces complex changes into the entire Internet ecosystem. To ensure that Internet users benefit from this added layer of Internet security, manufacturers of Internet infrastructure products such as firewalls, routers, and other devices need to ensure that their equipment is compatible with DNSSEC. The proper operation of these products impacts virtually anyone who connects to the Internet, including enterprises, ISPs, home users, and other customers.
How can software developers support DNSSEC?
The software products that run the DNS as well as end-user applications such as browsers and email are integral to the Internet's effective, innovative use. Registrars, ISPs, and end users need solutions that incorporate DNSSEC capabilities into this software. By creating DNSSEC-aware products and developing tools to simplify DNSSEC management, software developers will help drive adoption of DNSSEC globally.
Opportunities to create customer value exist at the DNS server operating system, client operating system, and end-user application levels. For example, registrars, ISPs, and web hosting services need solutions to simplify DNSSEC zone signing and key management. They also need a way to indicate DNSSEC validation to end users, perhaps by displaying a visual cue on web browsers.
What is the Verisign DNSSEC Interoperability Lab?
The Verisign DNSSEC Interoperability Lab allowed members of the IT community to test compatibility of their Internet and enterprise infrastructure components with DNSSEC.
Using the test facility, hardware vendors and software developers were able to determine what impact, if any, DNSSEC has on the solutions and services they offer.
How can website operators (registrants) enable DNSSEC?
DNSSEC is based on a hierarchy of trust. Entities at higher levels of the hierarchy vouch for entities below them. This means that the entity that provided a website operator's domain name (usually a registrar, ISP, or DNS hosting service) must implement DNSSEC before the website operator can enable it.
To enable DNSSEC for their website, website operators must digitally sign their domain name information. In most cases, they would simply opt-in to this process when they register their domain name. If they have already registered their domain name and choose to implement DNSSEC for their zone, their DNSSEC-enabled registrar would likely have a process for modifying zone records after registration.
Some organizations may need to administer parts of the DNSSEC process internally for security or compliance reasons. In this case, enabling DNSSEC is more complex.
What role do policymakers play in the success of DNSSEC?
DNSSEC is most effective when universally implemented—starting at the top of the Internet hierarchy (the root zone and top-level domains) and moving down to individual domain names. Similar to other international campaigns, DNSSEC requires the active, coordinated participation of many organizations and countries.
The size, complexity, and impact of a global DNSSEC effort suggest that policymakers in government and the private sector play a vital role in DNSSEC success. Working at the national and international levels on telecommunications, technical standards, commerce, law enforcement, and national security and defense, policymakers have the visibility, influence, and reach to positively impact the momentum and course of DNSSEC.