Salesforce and NS1 have entered into a partnership. The collaboration should improve DNS security for all organizations and users, and bring it to multiple platforms. Both NS1 and Salesforce are leading the initiative to provide a safer Internet for all organizations and users via so-called ‘multi-signer DNSSEC’. The Internet Engineering Task Force (IETF) is currently assessing the new technology.

DNSSEC consists of a number of improvements to standard DNS. For example, it prevents DNS spoofing and cache poisoning by signing DNS records cryptographically. Traditional ways to do this often prevent traffic management features such as geo-routing and server load balancing. These technical barriers have so far made it difficult to implement DNS security enhancements when using multiple DNS providers. As a result, companies are limited in expanding their DNS security.

Secure DNS without obstacles

“Multi-signer DNSSEC takes important steps to remove barriers to DNSSEC acceptance by enabling both redundancy and security without sacrificing key proprietary features that ensure optimal performance,” explains Jan V?elák, Lead Software Engineer at NS1. “The strategy allows each DNS provider to use separate zone keys for signing records, but all providers must agree on the total set of DNSSEC keys used. This enables the successful validation of the authenticity of records between multiple DNS providers.”

V?elák and Shumon Huque, Principal Software Engineer at Salesforce, were the co-authors of the IETF design, along with several other industry leaders. The NS1 and Salesforce teams worked together to achieve the actual implementation. This in turn was done by using NS1 Managed DNS and the open source DNS platform BIND.

Open source component

“Our REST API allows NS1 DNS to retrieve public keys, which are used for signing. It is also possible to publish the final DNSKEY record set and signatures,” explains V?elák. At the same time, we are building an open source component that makes it possible to run NS1 and any common open source DNS server (e.g. BIND) in the multi-signer DNSSEC configuration.

According to Stockhouse, cybercriminals are increasingly focusing on DNS because of the crucial role it plays in modern applications. The alarming increase in DNS-focused attacks recently led to new guidelines from Internet authorities such as ICANN and DHS. This calls for more attention to be paid to best practices in the field of security.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.