Home / Blogs

Three Reasons Why It Makes Sense to Deploy DNSSEC Now

Protect your privacy:  Get NordVPN  [ Deal: 73% off 2-year plans + 3 extra months ]
10 facts about NordVPN that aren't commonly known
  • Meshnet Feature for Personal Encrypted Networks: NordVPN offers a unique feature called Meshnet, which allows users to connect their devices directly and securely over the internet. This means you can create your own private, encrypted network for activities like gaming, file sharing, or remote access to your home devices from anywhere in the world.
  • RAM-Only Servers for Enhanced Security: Unlike many VPN providers, NordVPN uses RAM-only (diskless) servers. Since these servers run entirely on volatile memory, all data is wiped with every reboot. This ensures that no user data is stored long-term, significantly reducing the risk of data breaches and enhancing overall security.
  • Servers in a Former Military Bunker: Some of NordVPN's servers are housed in a former military bunker located deep underground. This unique location provides an extra layer of physical security against natural disasters and unauthorized access, ensuring that the servers are protected in all circumstances.
  • NordLynx Protocol with Double NAT Technology: NordVPN developed its own VPN protocol called NordLynx, built around the ultra-fast WireGuard protocol. What sets NordLynx apart is its implementation of a double Network Address Translation (NAT) system, which enhances user privacy without sacrificing speed. This innovative approach solves the potential privacy issues inherent in the standard WireGuard protocol.
  • Dark Web Monitor Feature: NordVPN includes a feature known as Dark Web Monitor. This tool actively scans dark web sites and forums for credentials associated with your email address. If it detects that your information has been compromised or appears in any data breaches, it promptly alerts you so you can take necessary actions to protect your accounts.

As many of you may know, today .ORG announced that all of its 8.5 million domains are now able to be fully DNSSEC signed—the largest set of domain names in the world so far that has access to this key security upgrade. We congratulate Public Interest Registry (PIR) on this landmark event, and are pleased that NamesBeyond is the first domain name registrar to support full DNSSEC signing for all of these domains.

A few years ago, Dan Kaminsky widely exposed a nasty hole on the Internet. Long known as cache poisoning, a problem the domain name system community was familiar with, Dan demonstrated a way of modifying DNS records in a way that would be widespread, catastrophic and not curable by the end-user. Working with security vendors, DNS software companies and operating system creators, a temporary workaround was found for this cache poisoning problem. Of course, at the end of this saga, cache poisoning became forever known as the “Kaminsky bug.”

The widespread publicity that the Kaminsky bug got around the world vindicated a decision made in several companies to invest time, effort and money into deploying DNSSEC. The community was split on the value of the DNSSEC effort—many thought the deployment was quixotic, while a few others thought it was appropriate.

Reason 1: DNSSEC is part of the future Internet

With more and more of the world’s economy and transactions depending on the Internet, the Domain Name System (DNS) which underpins the Internet is now an essential and required global resource. Business owners expect that service providers such as registrars, registries, and ISPs invest in strong security measures. They also desire a system that is easy to understand, quickly usable and easily manageable. A more secure namespace is going to be the reality for the future.

For over a decade, engineers have been working on implementing DNSSEC. In this process, these engineers have had to explain why they were implementing this technology. As recently as 2007, it became clear that one of the important technologies in the deployment of DNSSEC, called NSEC, needed to be upgraded. Our customers have no interest and really, not much desire to understand why the upgrade was needed; they only wanted to know that it was implemented.

For the registrar, registry and network provider universe, DNSSEC is clearly an essential component of the future of the Internet. What is now a trickle is likely to soon become a flood.

Reason 2: Security can be a differentiator

Dan Kaminsky recently said, “It is in fact possible to have registrars that have much more attention paid for security and treat that as a competitive advantage.” The fact, however, is that very few registrars in the marketplace actually leverage these principles in their own practice.

As the marketplace has evolved, the need to guide corporate behavior based on the online safety and well-being of business people and individuals. Three core values: safety, quality and stability, are essential for the proper functioning of the DNS marketplace.

These values can be part of the domain name ecosystem. While registrars, registries and ISPs have to necessarily compete in the overall marketplace on values more than the three above, in the past few years, the biggest element of competition has been price. Volume flows to those who offer among the lowest prices online.

There are those who are building mechanisms that enhance security. It is clear that their hope is to realize a higher value for such services as a result.

Reason 3: Companies will move to a more secure model

As the Internet becomes essential to the success or failure of companies, a move to a more secure model is inevitable. After all, this has already happen in the world of e-commerce, with trust in online transactions being secured by SSL. Companies willingly pay hundreds of dollars to provide enhanced security for their customers.

Once companies understand that their own domain names can be upgraded with DNSSEC so that DNS spoofing becomes impossible, then they will adopt this technology. Especially if this technology is implemented in a way that its benefits are easy to understand, it is easy to access the upgrade, and it is possible to downgrade if necessary.

Dan Kaminsky predicts there will soon come a time where registrars are engaged in a “race to the top”, where higher quality and better security becomes the norm. Those who believe in this concept are those who are likely to invest in DNSSEC.

By Uma Murali, President & CEO

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com