Another domain adopts added DNS security
Progress on DNSSEC continues, with two more domains expected later this year
The Public Interest Registry, which operates the .org generic top-level domain, announced today that it has completed deployment of Domain Name System Security Extensions, which provide an additional level of security to the DNS. The full deployment tops off a two-year deployment and testing period of DNSSEC in 18 live “friends and family” domains within .org.
“What happened today was enabling potentially all of the .org domain owners to begin signing their zones,” using DNSSEC, said Public Interest Registry Chief Eexecutive Officer Alexa Raad, who made the announcement at a meeting of the Internet Corporation for Assigned Names and Numbers in Brussels, Belgium. “We have at least three registrars that are operationally capable of serving customers who want to sign their zones.”
Those registrars, who sell and register domain names within .org, are Names Beyond, DynDNS and GoDaddy, the world’s largest registrar.
How DNSSEC provides a baseline of Internet security
DNSSEC’s early adopters provide test beds for others
Can .gov trust .com?
The DNS maps domain names to IP addresses and underlies nearly all Internet activities. DNSSEC lets responses to DNS queries be digitally signed so they can be authenticated with public cryptographic keys, making them harder to spoof or manipulate. This can help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to commit fraud and identity theft and to distribute malware. Both sides of an exchange must be using DNSSEC in order for it to work.
The .org domain is the third largest of the generic TLDs, behind .com and .net, and has about 8 million registered domains. The .gov TLD, which singed up for DNSSEC last year, has about 3,700 domains registered.
“We owe a debt of gratitude to a number of players who have made today happen,” Raad said, including the General Services Administration, which administers .gov.
The .gov TLD is ready to accept signed DNS records from second-tier domains, such as gsa.gov, although few agencies have begun using the technology. But the deployment of DNSSEC within .org provides another “island of trust” with which .gov can securely exchange and authenticate DNS records.
Other top-level domains are preparing to follow the lead of .org and .gov, and in May the last of 13 servers in the DNS’s authoritative root zone was digitally signed, paving the way for the publication in July of the root trust anchor that will remove a major hurdle for the widespread adoption of DNSSEC. The DNS root zone is overseen by the Commerce Department’s National Telecommunications and Information Administration and the files are managed by VeriSign Inc. The effort by NTIA, VeriSign and ICANN to deploy DNSSEC in the root zone has been called the biggest structural improvement to the DNS in 20 years.
The two largest generic top-level domains, .net and .com, are expected to be signed in the fourth quarter of this year and the first quarter of next year, respectively. The .edu TLD has already been signed and has been acting as a testbed for DNSSEC deployment, although keys have not yet been published. Plans originally called for .edu to go live before now, but when plans were announced to finalize the root zone in July, .edu administrators decided to delay publication of keys until this summer.
The effectiveness of DNSSEC in securing DNS will depend on its widespread adoption by domain owners and applications such as Web browsers that can authenticate the signed responses.
“All of the elements that enable us to reach critical mass are there,” Raad said. However, “customers must be educated about the benefits. They are not calling up and saying, ‘please give me DNSSEC.’”
When customers learn that greater assurance for their Web traffic is available they will begin expecting it, she said. She said that early adopters of DNSSEC are expected to be financial institutions, along with charities whose Web sites often are targeted by scammers in the wake of high-profile disasters.
DNSSEC authentication is included in Microsoft’s Windows 7 operating system, and will check for and verify signed DNS query responses.