VeriSign moves closer to IPv6
Upgrades to Internet's DNS root servers include enabling IPv6
- By William Jackson
- Feb 12, 2008
VeriSign Inc., which operates two of the Internet's 13 Domain Name System root servers, has upgraded the servers to enable them to handle native IPv6 traffic.
The enhancements, which also include plans for a DNS Security Extension (DNSSEC) testbed later this year and an updated root zone provisioning system, were announced Feb. 11 at meetings of the Internet Corporation for Assigned Names and Numbers in India.
VeriSign Chief Technology Officer Ken Silva called the enhancements 'the next logical step in improving the availability, efficiency and reliability of the core Internet infrastructure. With the continuing explosion of consumer-driven services, such as Internet-enabled wireless devices and the advanced applications they use, the need to expand, secure and clear the delivery mechanism for those services is paramount.'
VeriSign operates the 'A' and 'J' root servers, two of 13 top-level DNS servers that enable Internet traffic worldwide. DNS translates domain names, such as those in e-mail addresses or URLs in a Web browser, into corresponding numerical IP addresses. Although most Internet traffic does not pass through the root servers, they are the authoritative source of information for DNS components throughout the Internet that redirect requests to the appropriate top-level domain name servers.
As Internet service has become more widespread, mobile and functionally complex, much of the world is beginning a shift toward Internet Protocol version 6, the next generation of Internet Protocols. Version 6 is a major rewrite of the protocols that govern how devices communicate over IP networks, and it promises improved security and greater ease of use for rapidly developing applications, as well as an expanded address space. IPv6 expands address length from 32 to 128 bits, providing nearly unlimited IP addresses to handle the proliferation of Internet-connected devices. In the United States, the Office of Management and Budget has mandated that executive branch agencies enable their core networks to handle IPv6 by June 30.
Enabling IPv6 on the 'A' and 'J' servers will increase the usability of the new protocols by giving the traffic greater access to DNS, which had been restricted to IPv4. VeriSign has connectivity with a number of large IPv6 networks, and with the servers enabled to process native IPv6 packets, no translation is required in the root servers operated by the company.
'Previously, the root servers were only available in IPv4 network space,' a spokesperson for VeriSign said. 'DNS queries to the root servers that originated from an IPv6 network required an extra step in the process to reach the root servers. Enabling the root servers to operate within the IPv6 network eliminates this additional translation step.'
The vast majority of Internet traffic continues to be IPv4, but support of IPv6 is necessary to enable continued global adoption of the new protocols. The U.S. government's adoption of IPv6 has been one driver in the move to enable the new protocols, but demand for the functionality is coming from both the private and public sectors from many parts of the globe, VeriSign said.
Other enhancements to the root servers include deployment of a new automated root zone provisioning system for operational testing. This effort is being coordinated with the Internet Assigned Names Authority, the entity that oversees global IP address allocation, DNS root zone management, and other Internet protocol assignments. After the completion of IANA testing, this system will provide an easier interface for top-level domain registry operators to submit changes to update the root zone. This new system is expected to increase the overall efficiency, accuracy and speed of changes by automating current time-consuming and cumbersome manual processes.
VeriSign also plans to launch a DNSSEC testbed this spring. DNSSEC is a set of extensions developed by the Internet Engineering Task Force to authenticate the origin of DNS data and verify its integrity while moving across the Internet. DNSSEC is intended to help combat compromised data in name servers that can be used to launch attacks against users, enterprises and the Internet core itself. As the publisher of the DNS root zone, VeriSign expects that DNSSEC can strengthen the chain of trust for top-level domain registry operators who use the extensions in their domains and registrars who provide DNSSEC services for their customers.
William Jackson is a Maryland-based freelance writer.