Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Technologists advocating better security for the domain name system (DNS) have frequently predicted that the technology would be deployed in the next two to five years. That these predictions have gone on for a decade and a half has become an inside joke in the industry.

The advocates may finally have their day. On Monday, the company that manages the .com and .net registries, VeriSign, will announce its strategy to incrementally test and deploy DNS Security (DNSSEC) by the first quarter of 2011 for the two top-level domains. The Internet Corporation for Assigned Names and Numbers (ICANN)–the organization that coordinates among owners of Internet infrastructure–has already announced that it will kick-start the process by creating the top-level key for verifying domain names on December 1.

The two fundamental steps give DNSSEC a much-needed boost, says Joe Waldron, director of product management for VeriSign.

“I think we are at an inflection point,” he says. “Between now and 12 to 18 months from now, you will see a significant amount of adoption across registries, registrars, Internet service providers, and domain-name holders.”

The domain-name system is a foundation on which the Internet is built. DNS servers translate easy-to-understand domain names, such as, into the numerical Internet addresses used by computers and networking devices to communicate with one another. DNSSEC adds data to the domain records, inserting cryptographic information that can be used to verify that an address is a valid destination for a domain.

Yet, because DNSSEC requires changes to the servers and software that manages fundamental components of the Internet, companies and organizations have resisted adopting it.

“There was a lot of concern, for example, in the late 1990s about cache-poisoning attacks,” said Dan Kaminsky, director of penetration testing for IOActive, a Seattle-based security services firm. “A lot of people said we had to do something about it, but we didn’t do anything.”

In addition, the management of the cryptographic keys needed to validate entries in the domain-name system is complicated. Every domain’s key has to be validated, or signed, by another key higher up the chain of trust. Dot-com domains will be validated by the key VeriSign is deploying. This will in turn be validated by the DNS key-signing key. ICANN, with the U.S. Department of Commerce and VeriSign, will manage the master key.

0 comments about this story. Start the discussion »

Credit: Technology Review

Tagged: Computing, Business, Internet, DNS, domain-name system, VeriSign, DNSSEC

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me