VeriSign: Major internet security update by 2011

VeriSign has said a significant outstanding internet security vulnerability will be closed by 2011, after delays caused by technical aspects of the implementation.

The problem is that DNS, the Domain Name System that translates internet addresses such as website URLs into numerical values, can be seeded with false values and used to misdirect users. VeriSign told ZDNet on Friday that it will put in place DNSSEC, a protocol which will guarantee the origin and integrity of DNS data, for the .com and .net domains by the first quarter of 2011.

"Both .net and .com are very large domains," said Pat Kane, VeriSign vice president of naming services.

Kane added that ".net alone has more than 12 million domain names. Our first priority is to safely and securely implement DNSSEC, as it impacts the Domain Name System, one of the core building blocks of the internet".

VeriSign is currently working with Educause, an association that promotes higher education IT use, and the Department of Commerce (DoC), to deploy DNSSEC within the .edu top level domain (TLD). VeriSign said on Friday that it was progressively increasing the size of TLDs with DNSSEC deployed, to learn from that deployment.

VeriSign has been working with Icann, the internet naming co-ordinator, to bring security to DNS since Icann's inception in 1998. Kane said that the stumbling blocks for signing the DNSSEC root had been "mainly technical".

"Because of the large size of .com and .net, it would not have been practical to deploy DNSSEC with earlier versions of the DNSSEC protocol: signing would have increased the size of these DNS zones dramatically, making them unwieldy," said Kane. "VeriSign utilises a DNSSEC extension known as NSEC3, which is documented in RFC 5155 with a VeriSign Labs engineer as a co-author."

Kane said that the DNS vulnerability publicised by researcher Dan Kaminsky in August 2008 had speeded recognition that .com and .net needed to be signed.

"The vulnerability publicised by Kaminsky had been known earlier; Kaminsky showed how easy it was to exploit," said Kane. "The ease with which DNS 'cache poisoning' attacks could be made was a significant factor in raising awareness for the need for DNS security. When fully and properly implemented, DNSSEC stops cache poisoning and closes a significant attack vector."

Cache poisoning in when an attacker corrupts the cache data in a DNS server, replacing a valid internet address with a rogue address.

Kane said that VeriSign will create and manage the zone-signing key (ZSK) for the root zone, and sign the root zone, for .net and .com. Icann will create, manage and publish the root zone key-signing key (KSK).