Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Kaminsky has likely added some impetus to the movement toward DNSSEC. In 2008, a serious bug found by the researcher spurred the industry to work together to deploy a work-around to enhance DNS security. The vulnerability allowed an attacker to spoof DNS entries so that a person surfing the Internet would believe, for example, that they were going to their bank, but in reality were giving their username and password to data thieves. The industry banded together to deploy patches; however, they were a stopgap measure, not a real solution.

While other methods of securing the domain-name system have been proposed, none have had the attention and testing that DNSSEC has had. Kaminsky believed in the necessity of DNSSEC. In 2009, he became an evangelist, talking to anyone who would listen in an attempt to speed the adoption of DNSSEC.

Kaminsky ” made people realize that there are a lot of flaws in DNS that they didn’t think about before,” says Keith Mitchell, director of engineering for the Internet Systems Consortium, a nonprofit that develops the most popular DNS software, known as the Berkeley Internet Name Daemon, or BIND. “And DNSSEC is pretty much the only game in town to solve these issues.”

With the creation of the key-signing key on December 1, ICANN will establish the foundation of the DNSSEC infrastructure. The maintainers of top-level domains will be able to sign other domains for which they are responsible. The creation of the master key simplifies the management of secure DNS servers and establishes the beginning of a hierarchy of trust.

“This is a critical piece of the puzzle that has been missing for some time now,” Mitchell says. “Up to now, there has been no trust banker at the root, which has been a problem.”

VeriSign is not the first to deploy DNSSEC in a top-level domain. Sweden implemented the security technology, signing the “.se” zone key in 2005. Earlier this year, the Public Interest Registry signed the zone key for .org.

VeriSign plans to take the deployment of DNSSEC slow, starting with small pilot projects, helping registrars and ISPs test their implementations, and rapidly moving to more ambitious implementations, the company says. The key, however, is not to break any applications on the Internet, says Waldron.

“We want to make sure that registrars do what they have to do to make the service available to their customers,” he says. “Almost every component of Internet infrastructure is impacted by the deployment of DNSSEC. So you don’t want to rush this out. Minimizing any incidents is a priority.”

0 comments about this story. Start the discussion »

Credit: Technology Review

Tagged: Computing, Business, Internet, DNS, domain-name system, VeriSign, DNSSEC

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me