As the Internet continues to expand, we are committed to creating and driving advancements that keep the Internet fast, safe, and reliable for all users.
The Internet plays a critical role in governments, commerce, communications, and national security programs around the world. Domain Name System Security Extensions (DNSSEC) provides an additional layer of security to help maintain trust in this vital resource. It will be most effective when adopted by the entire Internet community. Find out what DNSSEC means for you, issues to consider, and how Verisign is actively participating in the rollout of DNSSEC across the Internet.
DNSSEC adoption is gaining momentum as governments, financial institutions, Internet service providers (ISPs), businesses, and other organizations become increasingly aware of DNS-related threats.
DNSSEC is most effective when universally implemented—starting at the top of the Internet hierarchy (the root zone and top-level domains) and moving down to individual domain names.
The size, complexity, and impact of a global DNSSEC effort suggest that policymakers in government and the private sector play a vital role in DNSSEC success. Working at the national and international levels on telecommunications, technical standards, commerce, law enforcement, and national security and defense, policymakers have the visibility, influence, and reach to positively impact the momentum and course of DNSSEC.
High-Level Benefits
DNSSEC presents opportunities to all members of the Internet ecosystem. The most direct and widespread impact is on end users and the organizations they interact with. By adding another layer of security to the Internet, DNSSEC provides the following types of benefits:
| Ecosystem Member | Benefit |
|---|---|
| Internet community (e.g., website operators involved in e-commerce, government, financial services, or business) | Significantly improved security infrastructure that increases trust in the Internet |
| End users | Reduced risk of unintended redirection to fraudulent websites (caused by man-in-the-middle or cache poisoning attacks), which could lead to identity theft and other security compromises |
| Registrars | Competitive advantage for early adopters; opportunity to provide monetizable, enhanced security offerings to customers |
| Internet service providers (ISPs) | Increased data security for Internet users who leverage an ISP’s name server service for Internet navigation |
| Hardware and software vendors | Opportunity to provide new products and solutions |
DNSSEC implementation is not a trivial task. It requires considerable resources, documentation, testing, and industry coordination. It also introduces complex changes that impact some members of the Internet ecosystem more than others. You will need to consider these complexities when recommending or implementing policies, timelines, and other guidelines.
Each of these processes is complex, impacts system operations, requires extensive testing, and can take many months.
Any rollout of DNSSEC should proceed in phases, especially for the reliable operation of globally crucial top-level domains (TLDs) such as .com and .net. Long-term strategy, planning, and collaboration—not only within and across organizations and industries, but also internationally—create a strong foundation for successful implementation.
Verisign is committed to serving as a trusted steward of the Internet. As the registry for .com and .net and a provider of critical Internet infrastructure services, our goal is to enable the Internet’s next innovations while protecting the Internet community from new and emerging cyber threats. Our work on DNSSEC is another step in our ongoing fortification of and investment in critical Internet infrastructure.
Verisign has been involved in DNSSEC development since 2000, and our engineers played a leading role in the development of the DNSSEC Hashed Authenticated Denial of Existence (NSEC3) protocol. As DNSSEC testing, implementation, and adoption move forward, we continue to collaborate with the Internet technical community and participate in industry organizations such as the DNSSEC Coalition.
To assist with understanding the implications of a DNSSEC-enabled environment, Verisign deployed a DNSSEC Interoperability Lab. The Interoperability Lab was a standalone environment with a suite of more than 8,000 test cases and allowed members of the IT community to test compatibility of their Internet and enterprise infrastructure components with DNSSEC.
In July 2010, Verisign—working with the Internet Assigned Numbers Authority (IANA) and the U.S. Department of Commerce (DoC)—completed deployment of DNSSEC in the root zone (the starting point of the DNS hierarchy). Verisign also enabled DNSSEC on .edu in July in collaboration with EDUCAUSE and the DoC, on .net in December 2010 and on .com in March 2011. In addition, a number of top-level domains (TLDs) have been signed by other registries, including .gov, .org, and country code TLD names for Brazil, Bulgaria, Czech Republic, Puerto Rico, and Sweden.
In addition, we are taking multiple steps to help members of the Internet ecosystem take advantage of DNSSEC. These steps include publishing technical resources, providing an Operational Test Environment, leading educational sessions, participating in industry forums, and developing tools to simplify DNSSEC management.