With TLD registrars and registries racing to secure DNS, the inherent complexity of the process has come to light. VeriSign has announced a new service that it hopes will make DNSSEC adoption easier by simplifying setup and making the ongoing maintenance requirements easier on network administrators.
In the summer of 2008, Dan Kaminsky demonstrated the inherent vulnerability in unsecured DNS. Since then, Top Level Domain (TLD) registries and registrars have been racing to secure their infrastructure with DNSSEC (DNS Security Extensions) which provide a degree of cryptographic authenticity to DNS information.
DNSSEC setup on a domain is no easy task, which where the new VeriSign DNSSEC Signing Service comes into play. The new VeriSign service will providing the initial signing of a second-level domain name as well as the management of cryptographic keys. With the DNSSEC Signing Service, VeriSign is aiming to make it easier for registrars to enable DNSSEC.
"DNSSEC introduces new parameters to DNS that were not previously part of the provisioning and management process," Pat Kane, Assistant General Manager of Naming Services at VeriSign, told InternetNews.com. "DNSSEC introduces the concept of cryptographically signing domain names and the concept of expiring signatures."
Kane added that DNSSEC also adds a signing step to the process of updating a DNS zone. The signing process involves constant, ongoing maintenance including periodic resigning to refresh signatures that must be performed or validation failures will result.
"In addition, DNSSEC also introduces key management, which is completely new to DNS," Kane said. "The keys must be kept safe, since the security of DNSSEC relies on the security of the cryptographic keys. The keys need to be handled properly and this is a skill set not everyone has."