NS1 and Salesforce Collaborate on Multi-Signer DNSSEC Implementation

NS1, the leader in next-generation DNS and application traffic management solutions, today announced it collaborated with experts from Salesforce on the first implementation of multi-signer DNSSEC, which enables the cryptographic signing of DNS records across zones with multiple DNS platforms. Engineers from both NS1 and Salesforce are leading the industry-wide initiative to provide a safer internet for all organizations and users through multi-signer DNSSEC, which is currently under review by the Internet Engineering Task Force (IETF).

DNSSEC, a set of enhancements to standard DNS functionality, prevents DNS spoofing and cache-poisoning attacks by cryptographically signing records in order to prove their authenticity. However, traditional implementations often break modern traffic management features like geo-routing and global server load balancing. These technical barriers have made it impossible to leverage DNS security extensions when using multiple DNS providers (platforms), which has limited enterprise adoption, leaving organizations unprotected.

“Multi-signer DNSSEC makes important strides in eliminating barriers to DNSSEC adoption by allowing for both redundancy and security without sacrificing the key proprietary features that ensure optimal performance,” explained NS1 Lead Software Engineer Jan Včelák. “The strategy allows each DNS provider to use separate zone signing keys for the records they serve, but all providers are required to agree on the total set of DNSSEC keys being used. This enables the successful validation of record authenticity between multiple DNS providers.”

Včelák and Salesforce Principal Software Engineer Shumon Huque served as co-authors, along with several other industry leaders, on the recent IETF draft that defines the innovative multi-signer DNSSEC strategy. Following this work, the NS1 and Salesforce teams collaborated to bring a real-world implementation to fruition, working with NS1 Managed DNS and the open-source DNS platform BIND.

“Our REST API enables NS1 DNS to retrieve public keys used for signing and also allows publishing the final DNSKEY record set and its signatures,” Včelák explained. “At the same time, we are building an open-source component that allows you to run NS1 and any common open-source DNS server (for example BIND) in the multi-signer DNSSEC configuration.”
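
The agreement requirement described in the two quotes above (each provider signs with its own zone signing key, but every provider must publish the same total DNSKEY set) can be checked mechanically. The following is an added example, not NS1 or Salesforce code; the provider names, the `example.com` zone and the key material are constructed, and the DNSKEY RRsets are assumed to have been collected already from each provider's authoritative servers.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(rrset_text):
    """Presentation-format DNSKEY lines -> set of (flags, protocol, algorithm, key)."""
    keys = set()
    for line in rrset_text.strip().splitlines():
        fields = line.split()
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        keys.add((flags, protocol, algorithm, "".join(fields[i + 4:])))
    return keys

def missing_keys(served):
    """Map provider -> sorted key tags it fails to publish from the agreed (union) set."""
    parsed = {name: parse_dnskeys(text) for name, text in served.items()}
    agreed = set().union(*parsed.values())
    return {name: sorted(key_tag(*k) for k in agreed - keys)
            for name, keys in parsed.items()}

def _fake_key(fill):
    # Constructed placeholder key material (64 bytes), not a real public key.
    return base64.b64encode(bytes([fill]) * 64).decode()

# Constructed sample data: one shared KSK and one ZSK per provider (an assumption).
KSK = f"example.com. 3600 IN DNSKEY 257 3 13 {_fake_key(1)}"
ZSK_A = f"example.com. 3600 IN DNSKEY 256 3 13 {_fake_key(2)}"
ZSK_B = f"example.com. 3600 IN DNSKEY 256 3 13 {_fake_key(3)}"

SERVED = {
    "provider_a": "\n".join([KSK, ZSK_A, ZSK_B]),  # publishes the full agreed set
    "provider_b": "\n".join([KSK, ZSK_B]),         # has not imported provider_a's ZSK
}

if __name__ == "__main__":
    for provider, tags in missing_keys(SERVED).items():
        print(provider, "OK" if not tags else f"missing key tags {tags}")
```

A provider that is missing another provider's zone signing key is the failure to alert on: a resolver that caches the DNSKEY set from that provider cannot validate answers signed by the other one.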

Successful implementation of the new approach is well-timed, as cybercriminals are increasingly targeting DNS because of the critical role that it plays in the delivery of modern applications. The alarming increase in DNS-focused attacks recently compelled internet regulators and authorities, including ICANN and DHS, to issue directives calling for increased focus on security best practices like DNS redundancy and widespread adoption of DNSSEC.

“This advancement will have a significant impact on DNS security at a time when it is most critical. Enterprises are increasingly being targeted with DNS-focused attacks, but until now, basic security protocols required the sacrifice of certain traffic management features that were critical to performance and user experience,” said Huque. “This new approach makes it possible for organizations to deploy DNS security without compromising performance or advanced functionality, and the Salesforce team is proud to have collaborated with NS1 on a project that will not only benefit our users but also other enterprises around the world.”

NS1’s blog offers more details about the technical aspects of multi-signer DNSSEC implementation models and future areas for innovation. Read Jan Včelák’s post or visit https://ns1.com/dns-security to learn more.

By NS1, Intelligent DNS & Traffic Management

NS1 optimizes the delivery of the world’s most critical internet and enterprise applications. Only NS1’s platform is built on a modern API-first architecture that acts on real-time data and grows more powerful in complex environments, transforming DNS, DHCP, and IP Address Management (IPAM) into an intelligent, efficient, and automated system. NS1’s technology drives dramatic gains in IT efficiency and application performance, reliability, and security for the largest global enterprises, including Salesforce, LinkedIn, Dropbox, Nielsen, Pitney Bowes, Squarespace, Pandora and The Guardian.
