This week, Google announced that its Public DNS service fully supports DNSSEC validation. From their blog post:
“We now fully support DNSSEC (Domain Name System Security Extensions) validation on our Google Public DNS resolvers. Previously, we accepted and forwarded DNSSEC-formatted messages but did not perform validation. With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains.”
Nominet said that “Deployment of DNSSEC on this scale is a fantastic achievement, and a sophisticated technical undertaking. We were pleased that our lab teams – including Roy Arends, co-author of the NSEC3 standard alongside Google’s Ben Laurie – were able to support Google in their deployment. Nominet’s DNS monitoring systems identified a specific pattern in the architecture of Google’s DNSSEC deployment and we helped their team to refine and improve its implementation.
In every day terms: DNSSEC prevents cybercriminals from ‘spoofing’ domain names. With the protocol fully implemented, DNS propagated ‘man in the middle’ attacks become much less likely to succeed, making the whole Domain Name System more secure.
We are delighted to see Google taking such a proactive stance by delivering a service which contributes to the growth in trust and security on the Internet. The work on DNSSEC is an important aspect in dealing with cyber crime and we’re proud to play a part in its development. We look forward to future collaborations with the team at Google and others in the industry in this area.”