Innovation

Domain Name System Security Extensions (DNSSEC)

Authenticating the Internet from End to End

Developing DNSSEC from the Start

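Verisign has been involved in DNSSEC development since 2000, and our engineers played a leading role in developing the DNSSEC Hashed Authenticated Denial of Existence (NSEC3) protocol. As DNSSEC testing, implementation and adoption move forward, we will continue to work with the Internet technical community and take part in industry organizations.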

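Domain Name System Security Extensions (DNSSEC) help protect users from being redirected to fraudulent websites and unintended addresses, which increases users' trust in the Internet.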

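In July 2010, Verisign, working with the Internet Assigned Numbers Authority (IANA) and the U.S. Department of Commerce (DoC), completed the deployment of DNSSEC in the root zone (the starting point of the DNS hierarchy). Verisign also enabled DNSSEC on .edu in July in collaboration with EDUCAUSE, enabled DNSSEC on .net in December 2010 in collaboration with the DoC, and then enabled DNSSEC on .com in March 2011. DNSSEC adoption has progressed since 2011, and slightly more than one-third of the registries operating top-level domains (TLDs) have now signed.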

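In addition, we are taking a number of steps to help members of the Internet ecosystem take full advantage of DNSSEC. These include publishing technical resources, providing an operational test environment, offering training courses, participating in industry forums, and developing tools that simplify DNSSEC management.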

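Verisign acts as a guardian of Internet security. As the registry for .com and .net, and as a provider of critical Internet infrastructure services, our mission is to protect the Internet community from constantly emerging cyber threats while advancing innovation on the Internet. Our DNSSEC work is another step in our ongoing effort to strengthen and invest in critical Internet infrastructure.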


DNSSEC Timeline

1990 A major flaw in DNS is discovered and dialog about securing DNS begins.
1995 DNSSEC becomes a formal topic within the IETF.
1999 The DNSSEC protocol (RFC 2535) is finished and BIND9 is developed as the first DNSSEC-capable implementation.
2001 Key handling creates operational problems that make DNSSEC deployment impossible for large networks. The IETF decides to rewrite the protocol.
2005 DNSSEC standards are rewritten in several RFCs: 4033, 4034 and 4035. In October, Sweden (.se) enables DNSSEC in its zone.
2007 In July, ccTLD .pr (Puerto Rico) enables DNSSEC, followed by .br (Brazil) in September and .bg (Bulgaria) in October.
2008 The NSEC3 standard (RFC 5155) is published. In September, ccTLD .cz (Czech Republic) enables DNSSEC.
2009 Verisign and EDUCAUSE host a DNSSEC test bed for select .edu registrants. The root zone is signed for internal use by Verisign and ICANN. ICANN and Verisign exercise signing the ZSK with the KSK.
2010 The first root server begins serving the signed root, utilizing the DURZ (deliberately unvalidatable root zone) methodology. All root servers are serving the signed root, using the DURZ methodology. ICANN holds the first KSK ceremony event in Culpeper, VA, USA. ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys; the signed root zone is available. Verisign and EDUCAUSE enable DNSSEC for the .edu domain. Verisign enables DNSSEC for the .net domain.
2011 In February, the DNSSEC-enabled .gov registry is transitioned to Verisign. In March, .com is signed and the Verisign Managed DNS service is enhanced with full support for DNSSEC compliance. 59 TLDs are signed with trust anchors in the root zone.
2012 In January, Comcast announces that its customers are using DNSSEC-validating resolvers. As of March, the number of TLDs signed has grown to 90.