VeriSign adds DNSSec to .com domain to boost online security

VeriSign has added DNSSec security to its .com domain system, allowing enterprises to secure themselves against some existing online attacks.

The company has already added DNSSec capabilities to the .net domain and registrars, but this extension will allow those using the most common URL system to benefit from the security upgrade. More than 25 domains are now covered by the technology.

"By reaching this critical milestone in DNSSec deployment, VeriSign and the internet community have made enormous strides in protecting the integrity of DNS data," said Pat Kane, senior vice president and general manager of Naming Services at VeriSign.

"But the threats against the internet ecosystem – whether targeting the DNS or elsewhere – are unrelenting.

DNSSec is designed to allow those with the correct infrastructure support to check digital signatures and authenticate DNS traffic. It was devised by in the industry after researcher Matt Kaminsky found a way to subvert the protocol. At its announcement, the technology was described as the "biggest upgrade to the internet since the world wide web".

"The importance of DNSSec in solving issues of trust on the internet has reached a tipping point with the signing of .com," said Gartner research director Lawrence Orans.

"However, there is still more work to be done and the effective deployment of DNSSec requires collaboration from all parties in the internet ecosystem."

Despite the advantages of DNSSec, recent industry data suggests that widespread adoption is some way off. A survey of more than 1,000 IT security managers found that half were not sure what DNSSec was, and only five per cent have implemented it, with another 16 per cent planning to install the necessary systems in the next year.

Overall there was confusion over what was involved in shifting to DNSSec infrastructure, but a clear understanding that it was needed. More than 70 per cent of those questioned said that DNSSec support would have to be added within five years.

"Like any other big infrastructure shift this is not something you do in a couple of days - it takes a couple of quarters or longer," Rod Rasmussen, chief technical officer at security firm Internet Identity, which sponsored the research, told V3.co.uk.

"We'll be seeing a lot of companies rolling out new services to make shifting to DNSSec easier which should spur adoption. It takes some of the unknowns out."