By supporting DNSSEC in .com this month, VeriSign kept to an aggressive rollout schedule for DNSSEC that it announced two years ago. VeriSign enabled DNSSEC in the .edu domain in August 2010 and in the .net domain in December 2010.
"We took a pragmatic and deliberate approach ... first with .edu and then .net and now .com," Kane says. "It's been a great effort. ... We're delivering on time with something so big."
For DNSSEC to work properly, it has to be supported at every step of the DNS look-up process: from the end user's browser, to the ISP that carries DNS traffic, to the website operator, to the domain name registrar, to the top-level domain registry and the root server operators.
Many of these areas are lagging. Firefox is the only Web browser that offers a DNSSEC plug-in. Comcast is the only ISP in the United States that has announced a DNSSEC validation service. Domain name registrars such as GoDaddy are just starting to support DNSSEC for their customers.
On the plus side, website operators have a range of appliances from Secure64, Infoblox, BlueCat Networks and others that support the key management and other security functions required by DNSSEC. And companies like VeriSign, Nominum and UltraDNS are offering managed services that allow website operators to outsource their entire DNS infrastructure, including DNSSEC.
"We're offering DNSSEC services that are fully managed," says Sean Leach, vice president of technology for VeriSign's Network Intelligence and Availability business. "People don't have to do anything with their keys, and it works with our traffic management platform. It's not very easy to combine traffic management services with global server load balancing and DNSSEC on the same records and zones. We believe what we are offering is pretty revolutionary."
DNS providers are hoping that having .com's support will finally crack open the DNSSEC market.