2011/04/07

Verisign has enabled DNSSEC in the ".com" Top Level Domain

The world's largest top-level domain, “.com”, has been fired up with DNSSEC since the end of March 2011. This is a huge task considering that there are over 80 million registered ".com" domains and hundreds of anycast server instances throughout the world, including one in Hong Kong. I applaud Verisign for keeping its promise.
After performing some tests, I realized that .com only accepts SHA-2 (256-bit) Delegation Signer (DS) records. This is quite acceptable to me as I know SHA-1 (160 bits) has now reached the end of its service lifetime. I hope more IT people with DNSSEC experience can help to verify my findings. Perhaps I should also point out that submission of a SHA-1 digest of DS to .com might cause some trouble.
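
To make the DS digest-type distinction concrete, here is an added example (not code from the original post) that builds both a SHA-1 (type 1) and a SHA-256 (type 2) DS record from the same DNSKEY, following RFC 4034 and RFC 4509, and flags the one a SHA-256-only parent would refuse. The function names, the 4-byte sample key and the `PARENT_ACCEPTS` policy are assumptions; the policy simply encodes the observation above.

```python
import base64
import hashlib
import struct

# Digest type numbers for DS records: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}
# Assumption taken from the post's observation: the parent accepts type 2 only.
PARENT_ACCEPTS = {2}

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".")]
    if any(not 0 < len(l) <= 63 for l in labels):
        raise ValueError("invalid label in " + name)
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA = flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return (key_tag, algorithm, digest_type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = HASHES[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def rejected_by_parent(ds_records):
    """DS tuples whose digest type the parent would not accept."""
    return [ds for ds in ds_records if ds[2] not in PARENT_ACCEPTS]

if __name__ == "__main__":
    # Constructed sample key (4 dummy bytes), not a real DNSKEY.
    key = ("example.com.", 257, 3, 8, "AQIDBA==")
    records = [make_ds(*key, digest_type=t) for t in (1, 2)]
    for tag, alg, dtype, digest in records:
        print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
    print("would be refused:", [r[2] for r in rejected_by_parent(records)])
```

Both records carry the same key tag and algorithm; only the digest type and digest length differ (40 hex characters for SHA-1, 64 for SHA-256).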

As a keen supporter of Internet security, I congratulate Verisign for completing a great mission.
