VeriSign invests in DNS improvements

VeriSign to spend $100M to expand the infrastructure tenfold and make DNS more resistant to attacks

VeriSign plans to invest $100 million over three years to expand tenfold the DNS (domain name system) infrastructure it operates for the .com and .net top-level domains.

The DNS is a multitier system that translates the names given to Internet hosts, such as, into numerical addresses. The part VeriSign plans to expand, the top tier, indicates where to find answers for addresses in the .com and .net domains. If it fails, or slows, many Internet services break or falter. This happened on Tuesday, when attackers disrupted the operations of root DNS servers operated by the Internet Corporation for Assigned Names and Numbers (ICANN) and the U.S. Department of Defense.

"We're going to make that kind of attack harder against our services," said Ken Silva, VeriSign's chief security officer, on Thursday.

Although VeriSign's investment will make the DNS more resistant to such attacks, "This isn't just about the attacks, this is about keeping ahead of the pace of network growth," he added.

Services such as Internet telephony or video delivery rely heavily on the DNS infrastructure, and are more susceptible to variations in its performance than applications such as Web browsing. An additional 40-millisecond delay in providing an address might not be noticeable to Web surfers, but it can have a big effect on VOIP (voice over Internet Protocol) operators, Silva said.

Through a project known as Titan, VeriSign will reinforce its DNS infrastructure in two ways.

The first will be to increase server and bandwidth capacity tenfold at around 20 existing sites, taking bandwidth from 20Gbps to over 200Gbps. The changes will allow VeriSign to respond to over 4 trillion DNS queries a day, from 400 billion today.

VeriSign will also expand the number of sites where it operates DNS servers to around 100, Silva said. Those extra sites will bring the DNS closer to regional network operators in countries such as Ireland, one of the trial sites for VeriSign's new infrastructure. There, it has peered with many of the local network operators, so the DNS requests of Irish Internet users don't have to travel halfway across Europe to be resolved: they are dealt with on the spot. VeriSign already operates regional sites in Brazil, China, Egypt, Kenya and South Korea, and plans to open sites in Chile, Germany, India and South Africa, among others.

In addition to improving performance, these changes will make the system more secure by restricting the effects of attacks such as the one seen Tuesday to a smaller geographic area, Silva said. VeriSign expects the number of attacks launched over the Internet to increase in size and scope by 50 percent a year over the next two years.

Even without an increase in the number of attacks, VeriSign faces a significant challenge in keeping all its DNS servers up to date and in step with one another.

Much of the theoretical work on that was begun in another project, Atlas, in 2002, Silva said. "It has gotten to the point where we can now go for scalability," he added.

VeriSign has developed new "zone push" techniques to distribute database changes, and will use a VPN (virtual private network) and dedicated data connections to ensure server updates are not disrupted, Silva said.

Stratton Sclavos, VeriSign's CEO, is due to provide more details on the company's Titan project in a keynote address at the RSA Conference in San Francisco at 2 p.m. Pacific Time on Thursday.


Copyright © 2007 IDG Communications, Inc.
