Home / Industry

Internet Infrastructure Leaders Join Movement of Companies Verifying Their Technology for DNSSEC

A trio of Internet infrastructure leaders joined a growing movement of companies testing their technologies with Verisign following a landmark achievement in Internet security. As Verisign has now deployed Domain Name System Security Extensions (DNSSEC) in .net—the largest-ever domain secured by the technology—Arbor Networks, Infoblox and RioRey, have completed testing of their technology solutions in the Verisign DNSSEC Interoperability Lab.

DNSSEC helps protect the Domain Name System (DNS) against so-called “cache poisoning” or “man-in-the-middle” attacks by allowing DNS data to be digitally signed and authenticated. These digital signatures authenticate the origin of the data and verify its integrity as it moves throughout the Internet. At the self-contained Verisign DNSSEC Interoperability Lab facility in Dulles, a wide-range of Internet infrastructure solutions undergo a battery of tests to review how equipment will interoperate in a DNSSEC-enabled environment. Verisign conducts the tests free of charge to encourage use of the service and pave the way for broader DNSSEC adoption.

Arbor Networks, Infoblox and RioRey join a growing number of organizations—including A10 Networks, BlueCat Networks, Brocade, Cisco Systems and Juniper Networks—that have taken advantage of the opportunity to verify their solutions at Verisign’s DNSSEC Interoperability Lab. By examining the interoperability of their products with DNSSEC, these companies are participating in the shared effort needed to ensure a measured and deliberate implementation of the security extensions worldwide.

“Arbor Networks is very focused on the problem of infrastructure security and DNS is obviously among the most critical elements of it,” said Rob Malan, Arbor Networks Chief Technology Officer. “The Verisign DNSSEC Interoperability Lab allowed us to test our products to review compatibility with DNSSEC. Arbor’s customers make up the vast majority of the world’s ISPs and many of the largest hosting and data centers operators. This is a critical issue for our customers.”

“Systemic vulnerabilities to the DNS, such as cache poisoning, represent a significant threat to e-commerce, online banking, email communications, customer service and even government secrets,” said Cricket Liu, Vice President of Architecture and Technology at Infoblox, the leader in network infrastructure automation and control, including physical and virtual DNS, DHCP and IP Address Management platforms. “That’s why a successful implementation of DNSSEC is vital, as is the need for the Internet community at large to verify that their solutions are compatible with DNSSEC. On that front, the Verisign DNSSEC Interoperability Lab has proven indispensable.”

“As a company whose key focus is to detect and mitigate Distributed Denial of Service (DDoS) attacks, RioRey understands that DNS is essential to the Internet’s framework of trust,” said Nitin Mehrotra, CTO at RioRey, Inc., a provider of dedicated platforms for DDoS defense. “We knew it was critical to ensure that our solutions were interoperable with DNSSEC by taking advantage of Verisign’s robust testing environment, and we would strongly urge all other Internet stakeholders to do likewise.”

Cache poisoning attacks can occur when hackers corrupt DNS data stored on recursive servers to redirect queries to malicious sites. With DNSSEC, a hacker’s ability to poison the cache is eliminated for the zones that are signed and the resolvers that are validating signed records. The resulting digital signatures on that DNS data are validated by creating a “chain of trust” that starts with the public key, published in the root zone.

“DNSSEC will only be effective if it is implemented from end to end in an effort that is shared across the Internet,” said Pat Kane, Senior Vice President and General Manager of Naming Services at Verisign. “Now following the .net signing, Arbor Networks, Infoblox and RioRey are joining a critical group of forward-thinking Internet companies that are showing the leadership and initiative necessary to make this a truly successful community endeavor. We look forward to helping more Internet stakeholders test their solutions at the DNSSEC Interoperability Lab.”

DNSSEC testing is growing ever more crucial as the global roll-out of the security extensions continues. DNSSEC was deployed in the DNS root zone in July and in the .net domain in December. Meanwhile, plans call for Verisign to deploy the .com domain by the end of the first quarter 2011.

In addition to operating the DNSSEC Interoperability Lab, Verisign has rolled out a program to ease DNSSEC deployment and adoption for a wide range of Internet stakeholders. Over the past several months, Verisign has published technical resources, led educational sessions, participated in industry forums and developed tools designed to simplify DNSSEC management.

As part of its effort to ease DNSSEC deployment, Verisign is introducing a new iPhone application called the DNSSEC Analyzer, a mobile tool that can assist in diagnosing problems with DNSSEC-signed names and zones. The application will allow a quick diagnosis of any domain name, allowing knowledgeable users to view debugging information and receive useful tips on how to remediate any problems that are discovered.

The company has also actively provided support to its network of registrars for DNSSEC implementation, including a software development kit (SDK) and a DNSSEC signing and key management service following the signing of.net.

More information on Verisign’s DNSSEC plans is available here:

By Verisign, A Global Provider of Critical Internet Infrastructure and Domain Name Registry Services

Verisign, a global provider of domain name registry services and internet infrastructure, enables internet navigation for many of the world’s most recognized domain names. Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Brand Protection

Sponsored byCSC