The .org domain set to sign off on largest DNSSEC implementation to date
Will join government on DNS protection; .com and .net still to follow
The Public Interest Registry, which operates the .org top-level domain, expects to complete deployment of the Domain Name System Security Extensions (DNSSEC) in the .org registry in June by accepting second-level signed zones.
“Dot-org is the largest of any zone to be signed to date,” said Jim Galvin, technical standards director for Afilias Ltd. of Dublin, Ireland, the registry’s back-end service provider. “The only zones larger are .com and .net, and they won’t come around until later this year.”
The .org space has more than 7.5 million domains registered in it. The .gov top-level domain has about 3,700 domains registered in it.
Government implements DNSSEDC on the .gov domain
The completion tops off a two-year testing period of DNSSEC in 18 live “friends and family” domains within .org and follows the signing of the .gov top-level domain last year. Galvin called it a “tipping point in the deployment of DNSSEC,” which is increasingly seen as essential to securing the Domain Name System (DNS) that underlies the Internet.
DNS maps domain names to IP addresses and underlies nearly all Internet activities. DNSSEC lets DNS queries and responses be digitally signed so they can be authenticated with public cryptographic keys, making them harder to spoof or manipulate. This will help to combat attacks such as pharming, cache poisoning and DNS redirection that are used to commit fraud and identity theft and to distribute malware. Both sides of the exchange must be using DNSSEC in order for it to work, and it will be months before the new security service is rolled out to domains registered within the top-level domain.
“Given that .com and .net will be following in six or seven months, now is the time for enterprises and application service providers to begin planning how DNSSEC will be included in the services they offer,” Galvin said.
Successful use of DNSSEC requires wide-scale deployment throughout the online environment, so that chains of trust for obtaining keys and verifying digital signatures are created from individual users and applications up to registrars running domains.
The technology has existed for several years, but until recently was not seen as essential. This attitude changed in 2008 with the discovery of a basic flaw in the DNS protocols that simplified DNS cache poisoning. The discovery spurred the government to mandate deployment of DNSSEC in the .gov space, and second-tier domains within that space should begin digitally signing DNS records this year.
“We took a very measured approach to our testing,” Galvin said of the .org implementation, and no major problems have been found. “Any glitches were ordinary things that you would expect to find,” he said.
Glitches included possible issues caused by the increased size of digitally signed DNS query responses and one bug in a technical standard. The bug is that cryptographic key tags used to identify keys uploaded to a registry are not necessarily unique identifiers, which could result in multiple keys inadvertently being deleted from a system.
“That presents a potential risk to clients,” whose still-active keys could be removed, Galvin said. That problem is being addressed in the standard, and in the meantime .org is handling the problem by requiring that entire key lists be updated rather than individual keys deleted.
The increased size of packets in DNS query responses can create problems for home and small-office broadband routers and firewalls doing DNS resolution. A test of the devices showed that most devices cannot receive a DNS response exceeding 512 bytes without defaulting to using TCP rather than User Datagram Protocol, which is part of the TCP/IP suite and is usually used for DNS queries and responses.
“TCP traffic increases to the DNS server” with DNSSEC, Galvin said. TCP currently accounts for about 2 to 3 percent of DNS traffic, but “with the signing of .org we expect to see a significant increase in client-side resolution,” with a corresponding increase in TCP traffic. That could pose bandwidth problems for some networks.
Fortunately, “ISPs can mitigate the problem by doing the resolution themselves,” rather than having client-side routers and firewalls handle the task, he said.
Comcast, the nation’s largest ISP, has announced that it will be doing resolution in its network.
All registrars interested in providing signed second level zones will have to pass a DNSSEC certification test.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.