With more than 47 million domain names under management, GoDaddy has a huge DNS infrastructure that it has upgraded to support the emerging Internet security standard known as DNSSEC for DNS Security Extensions.
GoDaddy's year-long engineering effort to prepare for DNSSEC is significant given that the Internet's most popular domain, .com, will support DNSSEC by the end of March, according to .com operator Verisign.
DNSSEC is an emerging Internet standard that allows websites to verify their domain names and corresponding IP addresses using digital signatures and public key encryption. DNSSEC prevents Kaminsky-style attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.
The Internet's root servers at the top of the DNS hierarchy added DNSSEC support last July. More than 25 domains, including .gov, .org, .edu and .net, have enabled DNSSEC since then.
The next major milestone for DNSSEC is for the security standard to be enabled on the .com domain, which has more than 80 million registered names out of a total of 205 million registered names across all top-level domains (TLD), according to statistics from February 2011.
The world's leading domain name registrar, GoDaddy supports DNSSEC for six top-level domains: .org, .net, .us, .biz, .eu and .se. GoDaddy will add DNSSEC support for .com next week, when Verisign offers this add-on security service.
"Because GoDaddy handles a third of all DNS requests in the world, we have to be careful with anything we do," says Rich Merdinger, senior director of domain registration services with GoDaddy. "We put in a lot of due diligence and a long implementation time" for DNSSEC.
GoDaddy offers DNSSEC as part of its new Premium DNS offering, which also includes DNS hosting and secondary DNS. Premium DNS costs $2.99 per month for five domain names.
GoDaddy engineers wrote their own software to support DNSSEC in the company's homegrown web-based Domain Manager and Systems Manager platforms. "We offer a one-click solution where we handle key management and key rollover behind the scenes for the user," Merdinger says.
GoDaddy ran a seven-month trial of DNSSEC for .org names from June 2010 until February 2011, when the company announced its commercial Premium DNS service.
"We started small for the power-user types that were hosting their own DNS," Merdinger says. "It was a very small group, and it was literally early adopters who had the wherewithal to generate their own keys with their domains. We had less than 300 people participate in the early adopter phase. They were IT professionals who were attempting to learn about DNSSEC in the practical, real world."
Today, GoDaddy has around 400 customers of its Premium DNS service that are actually signing their domains using DNSSEC. "It's been a pretty gradual adoption; it hasn't come on like gangbusters," Merdinger says.
However, GoDaddy is anticipating this figure to rise when the .com zone is signed.
"There is definitely some pent-up demand for DNSSEC in .com," Merdinger says. "We have almost as many people preconfigured for DNSSEC for .com as we have actively configured for .net at the moment."
One technical hurdle that GoDaddy faced in deploying DNSSEC is that top level domains have implemented DNSSEC differently, with various signing algorithms and key lengths.
"You really have to deploy DNSSEC on a per-TLD basis, making sure you fully understand the nuances of each implementation," Merdinger explains. "While DNSSEC is a standard, there is enough wiggle room in the standard that you have to make sure you accommodate for each TLD."
Merdinger says deploying DNSSEC is tricky enough that more website operators are likely to outsource their DNS operations and DNSSEC support to vendors like GoDaddy, DynDNS or UltraDNS.
"If you're deploying DNSSEC inside of your own DNS infrastructure, you have to understand the impact as far as record sizes and volumes of data are concerned. There's a scalability issue, and each of the individual TLDs is done slightly differently," Merdinger said. "Since the implementation of DNSSEC is so critical to Internet security... it might be time for IT managers to start looking to outsource DNSSEC management."
Expecting the flood
Having done all the legwork to prepare for DNSSEC, GoDaddy is hoping to reap the rewards of being the first major domain name registrar to offer this add-on security service.
"We are anticipating that we will get a flood of requests for DNSSEC," Merdinger says. "GoDaddy is well positioned to help the adoption of DNSSEC. We support the sale of domains, the sale of SSL, we offer hosting and a full complement of the services that it takes to bring a web presence online securely."
GoDaddy isn't the only DNS vendor to see slow adoption of DNSSEC until now.
Akamai, a content delivery network, offers a beta version of DNSSEC on its authoritative DNS service. "We have seen very, very poor adoption to date," says Andy Champagne, vice president of engineering at Akamai. "We've had it for a year and a half. We thought this technology would catch on with the government mandates for DNSSEC on .gov, but that deadline came and went... In the last year, I've only had two customers ask about it.''
Similarly, the Public Interest Registry has seen a minority of .org websites sign their domains using DNSSEC. Among the handful of early adopters are Comcast, which uses DNSSEC to sign its comcast.org, fandangoticket.org, xfiniti.org and tvplanner.org websites.
"We have had 34 registrars pass operational tests and evaluation to provide DNSSEC," says PIR CEO Brian Cute. "We think this is an important development. This is a chain of trust, including registries, registrars and end users. We are encouraged by the registrar take-up of DNSSEC... having .com signed should help with accelerating this trend."