NS1, the leader in next generation DNS and application traffic management solutions, announced it collaborated with experts from Salesforce on the first implementation of multi-signer DNSSEC, which enables the cryptographic signing of DNS records across zones with multiple DNS platforms.
Engineers from both NS1 and Salesforce are leading the industry-wide initiative to provide a safer internet for all organizations and users through multi-signer DNSSEC, which is currently under review by the Internet Engineering Task Force (IETF).
DNSSEC, a set of enhancements to standard DNS functionality, prevents DNS spoofing and cache-poisoning attacks by cryptographically signing records in order to prove their authenticity. However, traditional implementations often break modern traffic management features like geo-routing and global server load balancing.
These technical barriers have made it impossible to use DNSSEC when a zone is served by multiple DNS providers (platforms), which has limited enterprise adoption and left organizations unprotected.
“Multi-signer DNSSEC makes important strides in eliminating barriers to DNSSEC adoption by allowing for both redundancy and security without sacrificing the key proprietary features that ensure optimal performance,” explained NS1 Lead Software Engineer Jan Včelák.
“The strategy allows each DNS provider to use separate zone signing keys for the records they serve but all providers are required to agree on the total set of DNSSEC keys being used. This enables the successful validation of record authenticity between multiple DNS providers.”
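As an added illustration of the key-set agreement described in the quote above, a small Python model of why a resolver needs every provider to publish the same full set of zone signing keys. This is not NS1's or Salesforce's code; the DNSKEY values and the hash-based "signature" are constructed stand-ins for real DNSSEC material, and only the key-tag computation follows the RFC 4034 algorithm.

```python
import hashlib

# Constructed sample keys (not real DNSSEC material): flags 256 = ZSK, 257 = KSK,
# protocol 3, algorithm 13 (ECDSAP256SHA256); the public-key bytes are placeholders.
KSK = (257, 3, 13, b"shared-ksk-public-key")
ZSK_A = (256, 3, 13, b"provider-a-zsk-public-key")
ZSK_B = (256, 3, 13, b"provider-b-zsk-public-key")


def key_tag(key):
    """Key tag over DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    flags, proto, alg, pub = key
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pub
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def toy_sign(key, rrset):
    """Stand-in for an RRSIG: binds an RRset to a key tag. Not a real signature."""
    digest = hashlib.sha256(key[3] + rrset.encode()).hexdigest()
    return {"key_tag": key_tag(key), "sig": digest}


def validate(rrset, rrsig, dnskey_rrset):
    """Resolver logic: the RRSIG must reference a key that is present in the
    DNSKEY RRset the resolver obtained (possibly from a different provider)."""
    for key in dnskey_rrset:
        if key_tag(key) == rrsig["key_tag"]:
            expect = hashlib.sha256(key[3] + rrset.encode()).hexdigest()
            if expect == rrsig["sig"]:
                return True
    return False


def providers_agree(*dnskey_rrsets):
    """Operational check: every provider must publish an identical DNSKEY RRset."""
    return len({frozenset(r) for r in dnskey_rrsets}) == 1


def multi_signer_scenario():
    """Provider A signs the answer; the resolver fetches DNSKEY from provider B.
    Returns (result with the agreed union, result when B omits A's ZSK)."""
    a_record = "www.example.com. 300 IN A 192.0.2.10"   # constructed sample RRset
    rrsig = toy_sign(ZSK_A, a_record)
    agreed_union = [KSK, ZSK_A, ZSK_B]   # what every provider must publish
    only_own_zsk = [KSK, ZSK_B]          # provider B publishing only its own ZSK
    return validate(a_record, rrsig, agreed_union), validate(a_record, rrsig, only_own_zsk)
```

The second result is the failure mode the agreement prevents: an answer signed by one provider cannot be validated against a DNSKEY RRset that another provider serves without that provider's key.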
Včelák and Salesforce Principal Software Engineer Shumon Huque served as co-authors, along with several other industry leaders, on the recent IETF draft that defines the innovative multi-signer DNSSEC strategy.
Following this work, the NS1 and Salesforce teams collaborated to bring a real-world implementation to fruition, working with NS1 Managed DNS and the open-source DNS platform BIND.
“Our REST API enables NS1 DNS to retrieve public keys used for signing and also allows publishing the final DNSKEY record set and its signatures,” Včelák explained. “At the same time, we are building an open-source component that allows you to run NS1 and any common open-source DNS server (for example BIND) in the multi-signer DNSSEC configuration.”
Successful implementation of the new approach is well-timed, as cybercriminals are increasingly targeting DNS because of the critical role that it plays in the delivery of modern applications.
The alarming increase in DNS-focused attacks recently compelled internet regulators and authorities, including ICANN and DHS, to issue directives calling for increased focus on security best practices like DNS redundancy and widespread adoption of DNSSEC.
“This advancement will have a significant impact on DNS security at a time when it is most critical. Enterprises are increasingly being targeted with DNS-focused attacks, but until now, basic security protocols required the sacrifice of certain traffic management features that were critical to performance and user experience,” said Huque.
“This new approach makes it possible for organizations to deploy DNS security without compromising performance or advanced functionality, and the Salesforce team is proud to have collaborated with NS1 on a project that will not only benefit our users but also other enterprises around the world.”