Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:07 PM
Dark Reading
Dark Reading
Products and Releases

Nominum Announces 'DNSSEC Made Easy' Solutions

New features automate DNSSEC deployment without proprietary appliances

REDWOOD CITY, Calif.--(BUSINESS WIRE)-- Nominum, the leader in intelligent DNS solutions, today announced new capabilities that eliminate barriers to DNSSEC deployment. Nominum's latest software release completely integrates functions needed to successfully deploy DNSSEC at any scale without costly proprietary appliances. In addition, automation of DNSSEC processes eliminates operational overhead and errors that could cause Internet sites to disappear. Coupled with unique layered defenses, Nominum now has the strongest possible protections for Internet users relying on both signed and unsigned DNS data. These new features are available in Nominum's industry leading DNS servers (ANS, ANSP, and Vantio), or with SKYE, its highly secure and reliable hosted service offering for service provider and enterprise customers worldwide.

"One of the grand challenges the Internet faces is: How do we make security scale? With over 61 percent of compromises being traced to authentication flaws, we clearly have a big problem. DNSSEC is the big solution that we need to fix authentication," said Dan Kaminsky, the security researcher who identified a key flaw in DNS security in 2008. "And there is progress. I have been proud to see, in the wake of my DNS vulnerability finding, a steady drumbeat towards signatures at the Root and TLD layers. But large organizations need it to be easier and less disruptive to deploy DNSSEC before they can reasonably be expected to secure their own domain names. That is why I am happy to see Nominum adding comprehensive DNSSEC support to their DNS server platforms — and even happier to see DNSSEC almost entirely automated within it. DNSSEC can, should, and must "just work", and Nominum has done an excellent job making that so."

Simplifying DNSSEC Deployment for Brand Owners and Service Providers

Today, brand owners have well understood procedures to publish and update DNS data that convey their brands ([email protected], www.nominum.com). Introducing DNSSEC adds many new complex functions that must be implemented flawlessly or Internet sites may disappear. Nominum has integrated and automated these critical functions into its existing DNS servers. Now, DNSSEC processes that previously required additional equipment such as external "signing" appliances are included in Nominum software running on commodity server hardware. Complex multi-step manual operations that required expert intervention and frequent repetition can now be executed once, with a few keystrokes by existing staff. Eliminating intensive and repetitive manual effort removes the need for specialized expertise, prevents errors that result in service outages and reduces costs.

"Since the Kaminsky vulnerability, a lot of progress has been made in DNSSEC deployment with various top level domains signed or committed to be signed. The next battleground in DNSSEC adoption will be in getting brand (domain) owners to sign their data," said John Pescatore, vice president and distinguished analyst, Gartner Research. "Tight integration of key DNSSEC automation functions into the DNS infrastructure will reduce cost and complexity for domain owners. Robust validation solutions eliminate barriers for service providers. Together these capabilities will promote DNSSEC adoption, ensuring Internet stability."

Nominum's authoritative DNS servers - ANS and ANSP - support the industry's only solution that integrates all DNSSEC functions into the DNS server. The solution simplifies network architectures, improves reliability, and reduces capital and operational expenses. Online or offline deployment models for DNSSEC are supported with all of the automation features.

Signing DNS data is compute-intensive and Nominum's new software maximizes performance by dedicating additional processors in multiprocessor platforms to signing. This approach maintains Nominum's industry leading performance and 100 percent availability, even as DNS data is being signed.

For service providers and enterprises that do not want the complexity of DNS and DNSSEC at all, Nominum offers hosted services through SKYE. These services incorporate Nominum's leading technology in a highly reliable cloud-based model. They provide the best DNS security with layered defenses and DNSSEC, managed by experts with zero operational burden.

DNSSEC Already Available for Internet Users

Nominum's massive installed base of Vantio caching DNS servers already support DNSSEC and have validation turned "ON" by default. Unsigned domains are secured with layered defenses that provide the best protection in the industry against cache poisoning. This is critical, since the migration to DNSSEC will take time and some domains may never be signed.

DNSSEC is Not a Panacea

Although DNSSEC will improve DNS security, it does not address other visible Internet threats. Attackers take advantage of the shortcomings of legacy DNS systems to lure users to malicious, illegal or unintended destinations. DNSSEC does not prevent this from happening. Nominum's Intelligent DNS systems apply policy to DNS answers to protect users against phishing, malware-hosting sites, botnets and spam. This ensures Internet users benefit from a safe, secure, and productive Internet experience.

"Deploying DNSSEC is a major undertaking that is going to take many years with growing pains along the way," said Paul Mockapetris, Chief Scientist at Nominum and inventor of the DNS. "There is a pressing need to make it easier for brand owners to protect their domains and provide the best protections to users for unsigned domains during and after this migration."


DNSSEC features are software only and generally available in Nominum's standard ANS and ANSP authoritative DNS servers, and Vantio caching DNS servers.

About Nominum

Nominum's intelligent network naming and addressing solutions improve IP networks of all sizes globally, from the largest carrier broadband network to enterprises, universities and government agencies. Leveraging DNS, Nominum's advanced systems provide enhanced safety, security and navigation assistance to end users. Nominum's Domain Name System (DNS) products lead the industry in security, performance, and reliability. They are the foundation of the always-on broadband Internet, supporting 170 million households connected by more than one hundred carriers in every region - North America, Europe, Asia-Pacific, and Latin America. Large businesses, educational institutions and governmental networks also depend on Nominum to support mission-critical IP services and applications. For details, visit www.nominum.com. (Click here for a partial list of Nominum's key customers).

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...