VeriSign Opens DNS Security Extensions (DNSSEC) Interoperability Lab

March 1, 2010

VeriSign invited Internet community leaders to join Cisco Systems, Juniper Networks and others that are working to improve the security of Internet communications with interoperability solutions at a new DNS Security Extensions (DNSSEC) Interoperability Lab established by VeriSign.

At the RSA Conference 2010 in San Francisco, VeriSign executives will meet with hardware and software vendors, ISPs and government agencies to explain how they can help facilitate the successful implementation of DNSSEC. Also at RSA, VeriSign Executive Chairman James Bidzos will focus on the crucial role that trust plays in securing the Internet in a keynote address at 3:00 pm Thursday, March 4.

DNSSEC helps protect the Domain Name System from "man in the middle" and cache poisoning attacks by applying digital signatures to DNS data. By signing DNS data, DNSSEC authenticates the origin of the data and verifies its integrity as it moves across the Internet. Working methodically and carefully, and in collaboration with the U.S. Department of Commerce and ICANN, VeriSign anticipates that by the first quarter of 2011, DNSSEC implementation will be complete on the .edu, .net and .com Top Level Domains (TLDs).

"DNSSEC offers security protection to Internet users of all kinds, but it will only be effective if it is implemented from end to end," said Ken Silva, senior vice president and chief technology officer at VeriSign. "The entire community must participate if we're to remove the technical roadblocks that still exist with firewalls, load balancers and other infrastructure equipment. That's why it's so vital for solution providers, ISPs and government agencies to join Cisco, Juniper Networks and the other industry leaders who have wisely taken advantage of the testing environment provided by the VeriSign DNSSEC Interoperability Lab. We're proud to work with innovators like these who recognize that making DNSSEC a success is a responsibility that must be shared across the Internet."

The DNSSEC Interoperability Lab is staffed by VeriSign personnel who can help solution and service providers determine if DNS packets containing DNSSEC information, which are typically larger than standard DNS packets, will cause problems for their Internet and enterprise infrastructure components. For instance, some solutions may make assumptions about DNS packet size and structure that are no longer true with DNSSEC.

"Ensuring the integrity of data being shared across networks is a worthy pursuit, and as the worldwide leader in networking for the past 25 years, Cisco recognizes the benefit of protecting the DNS infrastructure," said Russell Smoak, Director of Security Research and Operations at Cisco. "We are pleased to see VeriSign taking the proactive step of establishing a test facility that allows providers to understand what impact, if any, DNSSEC will have on their solutions and services. The Internet community must continue to work collaboratively to help ensure a successful deployment of DNSSEC."

"We see the demand for DNSSEC adoptions increasing, and we're pleased that VeriSign has taken steps to ensure that responsible solution providers can evaluate system interoperability," said Nicko van Someren, Chief Security Architect at Juniper Networks. "As a company devoted to transforming the experience and economics of networking, we recognize the importance of conducting DNSSEC testing as soon as possible. The VeriSign DNSSEC Interoperability Lab makes this easy."

Vendors can bring their solutions into the VeriSign lab, which is located in VeriSign's Dulles, Va., data center, to ensure that DNSSEC requests and responses flow through intact. The tests evaluate systems using a battery of DNS queries and responses both with and without DNSSEC. Testing is conducted in a self-contained environment at the Dulles facility. VeriSign will not conduct performance or stress testing, and will not "certify" solutions for DNSSEC interoperability.

VeriSign is working with industry leaders and organizations to sign .edu domains by the second quarter of 2010, .net by fourth quarter 2010, and .com by first quarter 2011.