While DNSSEC protects resolver caches so they can't be poisoned by attackers trying to reroute victims, the ActiveTrust DNS service verifies the entries served by the DNS authority itself -- something DNSSEC assumes to be legitimate even when it is not, says Rod Rasmussen, CTO for Internet Identity. "We look at this as what's needed to make DNSSEC effective. DNSSEC is great at preventing cache poisoning...it fixes [this] when it's fully deployed, which is still a ways off," Rasmussen says.
But if an attacker alters the DNS entries, then DNSSEC can't detect that. That's where ActiveTrust comes in, he says. "It makes sure the answer you get was from the intended DNS authority," Rasmussen says. "You need reputation and trust as well. Authentication and reputation are the combination of getting close to a trustworthy DNS."
Internet Identity's new DNS service is aimed at the "extended enterprise," Rasmussen says.
The service checks DNS servers 24/7 for its clients to ensure they haven't been tampered with, compromised, or misconfigured. It covers the DNS used for transactions, email, and data transmission, probes the full chain of authoritative DNS servers, and checks caching nameservers at major ISPs worldwide -- all the links in the DNS chain that touch its clients' Internet operations, including those of its business partners.
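The monitoring approach described above, as an added example rather than Internet Identity's own code: answers for one name are collected from several vantage points (authoritative servers and ISP caches), compared against a known-good baseline or, failing that, the majority answer, and each divergence is classified so an operator can tell a stale cache from a swapped record. The vantage-point names and addresses are constructed sample data; the query layer that would fill them in is assumed to be supplied by the operator.

```python
from collections import Counter
from typing import Dict, FrozenSet, Optional

# Constructed sample: A-record answers for one monitored name as seen from each
# vantage point in the chain (authoritative servers, then ISP caches).
# None stands for a timeout or empty response.
OBSERVED: Dict[str, Optional[FrozenSet[str]]] = {
    "ns1.authoritative.example.test": frozenset({"198.51.100.10", "198.51.100.11"}),
    "ns2.authoritative.example.test": frozenset({"198.51.100.10", "198.51.100.11"}),
    "cache.isp-a.example.test": frozenset({"198.51.100.10", "198.51.100.11"}),
    "cache.isp-b.example.test": frozenset({"198.51.100.10", "203.0.113.7"}),  # one record swapped
    "cache.isp-c.example.test": None,
}
# Known-good baseline, e.g. the zone owner's change-controlled records (constructed here).
BASELINE = frozenset({"198.51.100.10", "198.51.100.11"})


def majority_answer(observed):
    """Most common non-empty answer set across vantage points, or None if nobody answered."""
    counts = Counter(ans for ans in observed.values() if ans)
    return counts.most_common(1)[0][0] if counts else None


def classify(answer, baseline):
    """Label one vantage point's answer relative to the reference answer set."""
    if answer is None:
        return "no-answer"            # timeout: the point cannot be judged, re-probe
    if answer == baseline:
        return "ok"
    extra, missing = answer - baseline, baseline - answer
    if extra and not missing:
        return "extra-records"        # baseline intact but an unexpected record was added
    if missing and not extra:
        return "missing-records"      # partial answer: stale cache or misconfiguration
    return "replaced-records"         # records swapped out: candidate tampering


def check_vantage_points(observed, baseline=None):
    """Return {vantage_point: status}; without a baseline the majority answer is the reference."""
    reference = baseline if baseline is not None else majority_answer(observed)
    return {vp: classify(ans, reference) for vp, ans in observed.items()}


def disagreeing(report):
    """Vantage points whose status is anything other than ok, for the alert queue."""
    return sorted(vp for vp, status in report.items() if status != "ok")


if __name__ == "__main__":
    report = check_vantage_points(OBSERVED, BASELINE)
    for vp in disagreeing(report):
        print(f"{vp}: {report[vp]}")
```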
"[We execute] lightweight queries so it doesn't cause a lot of traffic," Rasmussen says. The service will be priced in the low- to mid-six figures for a large installation of hundreds to thousands of business partners, he says.
"You could have the safest DNS infrastructure of your own, but there are some exposure points you can't control" with your business partners and in the Internet infrastructure, Rasmussen says.