March 03, 2010, 9:41 PM — VeriSign is reporting no serious problems with its ongoing deployment of DNS Security Extensions (DNSSEC) on the Internet's root servers and on the top-level domain servers that it operates, including the systems that power the popular .com and .net domains.
Matt Larson, vice president of DNS Research at VeriSign, says the registry operator is on schedule with its rollout of DNSSEC, an emerging Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.
Once it is widely deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
"The planned date for the root servers supporting DNSSEC is July 1, and we're still proceeding with that date," Larson says. "We've started rollout of the signed root on two of the 13 root servers, and those deployments have gone well. We've not had any indication from our measurement or analysis that there's a problem with that date... Everything is proceeding nicely with the root servers, and the same is true with .com, .net and .edu."
Larson says VeriSign will support DNSSEC in the .edu domain used by U.S. colleges and universities in the second quarter, and in the .net domain used by carriers and service providers in the fourth quarter.
The .com domain -- the Internet's most popular top-level domain with more than 80 million registered names -- will support DNSSEC in the first quarter of 2011, VeriSign says.
The only difficulty that VeriSign has run into with its DNSSEC deployments is that some legacy hardware and software such as firewalls and load balancers can't handle the larger packets that are sent with DNSSEC.
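The packet-size problem comes from the way DNSSEC-aware queries work: the client adds an EDNS0 OPT record that advertises a UDP payload size well above the classic 512-byte limit and sets the DO bit to request signatures, and a server that cannot fit the signed answer into the allowed size sets the TC flag so the resolver retries over TCP. The functions below, added here as an illustration and not code from VeriSign or the article, build such a query, read the advertised size and DO bit back out of a message, and detect the TC flag; the transaction id and 4096-byte default size are constructed sample values.

```python
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
OPT_TYPE = 41                      # EDNS0 OPT pseudo-RR
DO_BIT = 0x8000                    # "DNSSEC OK" flag in the OPT TTL field
TC_BIT = 0x0200                    # truncation flag in the DNS header
CLASSIC_UDP_LIMIT = 512            # pre-EDNS0 maximum UDP DNS message size

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dnssec_query(name, qtype=1, txn_id=0x1234, udp_payload_size=4096):
    """DNS query (RD set) with an OPT record advertising udp_payload_size and DO."""
    header = HEADER.pack(txn_id, 0x0100, 1, 0, 0, 1)  # one question, one additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-RCODE(8) | version(8) | flags(16) with DO set, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, DO_BIT, 0)
    return header + question + opt

def skip_name(packet, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length

def edns_info(packet):
    """(advertised UDP size, DO set); a message without OPT is a classic 512-byte client."""
    _, _, qd, an, ns, ar = HEADER.unpack_from(packet)
    offset = HEADER.size
    for _ in range(qd):
        offset = skip_name(packet, offset) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        offset = skip_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)
        offset += 10 + rdlen
    return CLASSIC_UDP_LIMIT, False

def needs_tcp_retry(response):
    """True when TC is set: the signed answer did not fit in UDP, retry over TCP."""
    _, flags, *_ = HEADER.unpack_from(response)
    return bool(flags & TC_BIT)
```

A middlebox that drops UDP messages above 512 bytes or blocks the TCP retry is exactly the legacy failure the article describes; comparing the advertised size in outgoing queries with the sizes the path actually delivers is the practical check.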