Preparing DNSSEC for the Post-Quantum Era

By Security

The Domain Name System Security Extensions (DNSSEC) help protect the integrity of DNS data, supporting both online navigation and other uses of domain names as identifiers in applications. In the time since DNSSEC was first introduced in 2005, both the RSA algorithm and elliptic curve cryptography have served as the primary signature algorithms for DNSSEC. But with the potential of large-scale quantum computing on the horizon, there may soon come a time when those algorithms no longer suffice.

(more…)
Close-up of a circuit board with glowing orange and blue pathways.

The 2024-2026 Root Zone KSK Rollover: Initial Observations and Early Trends

By Security

On Jan. 11, 2025, Verisign supported the Internet Corporation for Assigned Names and Numbers (ICANN) in taking a major step to ensure the continued security, stability, and resiliency of the Domain Name System (DNS). While imperceptible to most users, this action – specifically, the introduction of a new Domain Name System Security Extensions (DNSSEC) Key Signing Key (KSK) in the root zone – is the next step of a multi-year-long process to change, or “roll,” the cryptographic key that secures the root of the DNS. In this blog post, we’ll go into more detail about what this means and what observations we can make about the new key, which we refer to as “KSK-2024.”1

(more…)
A digital blue tree on a gradient blue background.

Verisign Provides Open Source Implementation of Merkle Tree Ladder Mode

By Security

The quantum computing era is coming, and it will change everything about how the world connects online. While quantum computing will yield tremendous benefits, it will also create new risks, so it’s essential that we prepare our critical internet infrastructure for what’s to come. That’s why we’re so pleased to share our latest efforts in this area, including technology that we’re making available as an open source implementation to help internet operators worldwide prepare.

(more…)
abstract blue data stream on black background

Verisign Will Help Strengthen Security with DNSSEC Algorithm Update

By Security

As part of Verisign’s ongoing effort to make global internet infrastructure more secure, stable, and resilient, we will soon make an important technology update to how we protect the top-level domains (TLDs) we operate. The vast majority of internet users won’t notice any difference, but the update will support enhanced security for several Verisign-operated TLDs and pave the way for broader adoption and the next era of Domain Name System (DNS) security measures.

(more…)
binary digits on a gradient blue background

Next Steps in Preparing for Post-Quantum DNSSEC

By Security

In 2021, we discussed a potential future shift from established public-key algorithms to so-called “post-quantum” algorithms, which may help protect sensitive information after the advent of quantum computers. We also shared some of our initial research on how to apply these algorithms to the Domain Name System Security Extensions, or DNSSEC. In the time since that blog post, we’ve continued to explore ways to address the potential operational impact of post-quantum algorithms on DNSSEC, while also closely tracking industry research and advances in this area.

(more…)

Ongoing Community Work to Mitigate Domain Name System Security Threats

By Domain Names, Security

For over a decade, the Internet Corporation for Assigned Names and Numbers (ICANN) and its multi-stakeholder community have engaged in an extended dialogue on the topic of DNS abuse, and the need to define, measure and mitigate DNS-related security threats. With increasing global reliance on the internet and DNS for communication, connectivity and commerce, the members of this community have important parts to play in identifying, reporting and mitigating illegal or harmful behavior, within their respective roles and capabilities.

(more…)
An image of multiple botnets for the Verisign blog "Industry Insights: Verisign, ICANN and Industry Partners Collaborate to Combat Botnets"

Industry Insights: Verisign, ICANN and Industry Partners Collaborate to Combat Botnets

By Domain Names

Note: This article originally appeared in Verisign’s Q1 2021 Domain Name Industry Brief.

This article expands on observations of a botnet traffic group at various levels of the Domain Name System (DNS) hierarchy, presented at DNS-OARC 35.

Addressing DNS abuse and maintaining a healthy DNS ecosystem are important components of Verisign’s commitment to being a responsible steward of the internet. We continuously engage with the Internet Corporation for Assigned Names and Numbers (ICANN) and other industry partners to help ensure the secure, stable and resilient operation of the DNS.

(more…)

Information Protection for the Domain Name System: Encryption and Minimization

By Security

This is the final in a multi-part series on cryptography and the Domain Name System (DNS).

In previous posts in this series, I’ve discussed a number of applications of cryptography to the DNS, many of them related to the Domain Name System Security Extensions (DNSSEC).

In this final blog post, I’ll turn attention to another application that may appear at first to be the most natural, though as it turns out, may not always be the most necessary: DNS encryption. (I’ve also written about DNS encryption as well as minimization in a separate post on DNS information protection.)

(more…)

Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys

By Security

This is the fifth in a multi-part series on cryptography and the Domain Name System (DNS).

In my last article, I described efforts underway to standardize new cryptographic algorithms that are designed to be less vulnerable to potential future advances in quantum computing. I also reviewed operational challenges to be considered when adding new algorithms to the DNS Security Extensions (DNSSEC).

In this post, I’ll look at hash-based signatures, a family of post-quantum algorithms that could be a good match for DNSSEC from the perspective of infrastructure stability.

(more…)