Duane Wessels, a fellow at Verisign, focuses on data analysis and Domain Name System Security Extensions (DNSSEC) projects. He brings over 15 years of experience working in the data analysis and research fields.
Prior to joining Verisign in 2010, Duane was the director of the Domain Name System Operations Analysis Research Center, where he developed tools and services, organized workshops, and recruited new members.
Duane is an active participant in various Internet Corporation for Assigned Names and Numbers multi-stakeholder community groups, including the Root Server System Advisory Committee, the Root Zone Evolution Review Committee and the Root Server System Governance Working Group. Duane is also an active member of the Internet Engineering Task Force DNS Operations working group, the North American Network Operators’ Group, and DNS-OARC. He has also served on the board of directors for both NANOG and DNS-OARC, and has co-authored several Internet Requests for Comments (RFCs).
Duane holds a Master of Science in telecommunications from the University of Colorado and a Bachelor of Science in physics from Washington State University.
One of the most interesting and important changes to the internet’s domain name system (DNS) has been the introduction of the DNS Security Extensions (DNSSEC). These protocol extensions are designed to provide origin authentication for DNS data. In other words, when DNS data is digitally signed using DNSSEC, authenticity can be validated and any modifications detected.
A major milestone was achieved in mid-2010 when Verisign and the Internet Corporation for Assigned Names and Numbers (ICANN), in cooperation with the U.S. Department of Commerce, successfully deployed DNSSEC for the root zone. From that point on, it became possible for DNS resolvers and applications to validate signed DNS records using a single root zone trust anchor.
DNSSEC works by forming a chain-of-trust between the root (i.e., the aforementioned trust anchor) and a leaf node. If every node between the root and the leaf is properly signed, the leaf data is validated. However, as is generally the case with digital (and even physical) security, the chain is only as strong as its weakest link.
To strengthen the chain at the top of the DNS, Verisign is working to increase the strength of the root zone’s Zone Signing Key (ZSK), which is currently 1024-bit RSA, and will sign the root zone with 2048-bit RSA keys beginning Oct. 1, 2016.
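The chain-of-trust and key-strength points above can be made concrete with one link of the chain. A parent zone publishes a DS record that is a hash over the child's DNSKEY; a validator recomputes that hash from the DNSKEY it fetched from the child and accepts the link only if the key tag, algorithm and digest all match. The following is an added example, not code from the original post or from Verisign: it builds a constructed RSA DNSKEY (the modulus bytes are made up, not a real key), derives the DS the parent would publish, checks the link, shows that a one-bit change in the key breaks it, and reads the RSA modulus size out of the key so the 1024-bit versus 2048-bit difference discussed above is visible. Wire formats follow RFC 4034 (DNSKEY, DS, key tag) and RFC 3110 (RSA public key encoding); the function names, the `example.` zone and `demo_chain_link` are the example's own.

```python
"""Added example: verifying one parent->child link in the DNSSEC chain of trust.

Constructed key material only; nothing here is a real zone's key.
"""
import hashlib
import hmac
import struct


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the zero-length root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rsa_public_key_rdata(exponent: int, modulus: bytes) -> bytes:
    """RFC 3110 short form: one-byte exponent length, exponent, modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    assert len(exp) < 256, "long-form exponent length not handled here"
    return bytes([len(exp)]) + exp + modulus


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).digest()


def rsa_modulus_bits(public_key: bytes) -> int:
    """Size of the RSA modulus carried in an RFC 3110 public key blob."""
    exp_len = public_key[0]
    modulus = public_key[1 + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def ds_matches_dnskey(owner: str, ds_key_tag: int, ds_alg: int,
                      ds_digest_type: int, ds_digest: bytes,
                      dnskey: bytes) -> bool:
    """The check a validator makes for one link: does the parent's DS
    commit to this child DNSKEY?  Any mismatch means the link is broken."""
    if ds_digest_type != 2:          # only SHA-256 DS records are handled here
        return False
    if ds_alg != dnskey[3]:          # algorithm byte sits after flags+protocol
        return False
    if ds_key_tag != key_tag(dnskey):
        return False
    return hmac.compare_digest(ds_digest, ds_digest_sha256(owner, dnskey))


def demo_chain_link() -> dict:
    # Constructed moduli (NOT real keys); top bit set so the bit length is exact.
    mod_1024 = bytes([0x80]) + bytes((i * 7 + 3) & 0xFF for i in range(127))
    mod_2048 = bytes([0x80]) + bytes((i * 11 + 5) & 0xFF for i in range(255))
    pk_1024 = rsa_public_key_rdata(65537, mod_1024)
    pk_2048 = rsa_public_key_rdata(65537, mod_2048)

    # flags 257 = zone key + secure entry point (a KSK); algorithm 8 = RSA/SHA-256
    ksk = dnskey_rdata(257, 8, pk_2048)
    # what the parent zone would publish for "example." in its DS record
    parent_ds = (key_tag(ksk), 8, 2, ds_digest_sha256("example.", ksk))
    # a key that differs by a single bit, as a substituted key would
    tampered = ksk[:-1] + bytes([ksk[-1] ^ 0x01])

    return {
        "good": ds_matches_dnskey("example.", *parent_ds, ksk),
        "tampered": ds_matches_dnskey("example.", *parent_ds, tampered),
        "bits_1024": rsa_modulus_bits(pk_1024),
        "bits_2048": rsa_modulus_bits(pk_2048),
    }


if __name__ == "__main__":
    print(demo_chain_link())
```

Validating a real name repeats this check at every delegation from the root trust anchor down, plus an RRSIG check over each RRset with the key that the DS commits to; a failure at any one link is what "weakest link" means in practice, because nothing below that link can be trusted no matter how well it is signed.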
On Nov. 30 and Dec. 1, 2015, some of the Internet’s Domain Name System (DNS) root name servers received large amounts of anomalous traffic. Last week the root server operators published a report on the incident. In the interest of further transparency, I’d like to take this opportunity to share Verisign’s perspective, including how we identify, handle and react, as necessary, to events such as this.