March 31, 2011, 8:38 PM — VeriSign has added an extra layer of security to the Internet's .com domain, but e-retailers, banks and other Web site operators will need to upgrade their DNS hardware, software or services to take advantage of .com's new cryptographic features.
As of March 31, VeriSign supports a security standard called DNS Security Extensions (DNSSEC) on the 90 million-plus names that have been registered in the .com domain.
DNSSEC allows websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. DNSSEC prevents Kaminsky-style attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.
DNSSEC is "a feature of .com and .net," says Pat Kane, senior vice president and general manager of naming services at VeriSign. "It's important so we can maintain the leadership position we have. ... That's why we've made this [cryptographic] signing service available."
Under development for a decade, DNSSEC has begun to be deployed across the Internet infrastructure only in the last eight months.
VeriSign had to make significant investments in its infrastructure to support the extra transactional processing overhead required by DNSSEC.
DNSSEC "is not hard, but it does put a significant strain on your resources," says Bill Semich, president and CEO of WorldNames, a Medfield, Mass., registry that operates the .nu domain. "It increases the size of the zone file by a factor of 10, and that slows down the process of doing transfers and updates."