The .net domain joins the DNSSEC fold
With 13 million registered names, it's the largest to employ security extensions
- By William Jackson
- Dec 10, 2010
Domain name records in the .net Top Level Domain have been digitally signed with the DNS Security Extensions (DNSSEC) that help secure the Internet infrastructure against hijacking and misdirection of traffic.
With more than 13 million registered domain names, .net is the latest and largest domain to implement DNSSEC. The signing was announced Friday by VeriSign Inc., an Internet infrastructure services provider that operates two of the Internet’s 13 root servers -- a.root-servers.net and j.root-servers.net.
The Domain Name System maps Internet domain names such as gcn.com to numerical IP addresses and underlies nearly all Internet activities. DNSSEC adds digital signatures to DNS data so that a validating resolver can authenticate the answers returned in query responses. This will help to combat attacks such as pharming, cache poisoning and DNS redirection, which are used to misdirect traffic to malicious sites for fraud and the distribution of malware.
Rod Beckstrom, president and CEO of the Internet Corporation for Assigned Names and Numbers, said in opening remarks at the ICANN International Meeting in Cartagena, Colombia, this week that securing the Internet’s unique identifier system is a primary mission of the organization.
“With the potential for many more parts of our lives to move online, ensuring the stability and resilience of the Domain Name System and sufficient expansion of Internet capacity have become defining requirements of modern life,” he said.
He called DNSSEC a main component of that security effort and the greatest structural improvement to DNS in 20 years. "When fully deployed, it will make substitution, redirection or man-in-the-middle attacks more difficult by cryptographically protecting DNS data with digital signatures and keys," he said. "This ensures that information has not been modified while in transit from its authoritative source."
To be fully effective, DNSSEC must be deployed throughout the Internet's domains. The root zone, served by the Internet's 13 root server clusters, has been digitally signed since May. On July 15 the fully signed root zone was made available and a trust anchor, the root zone's public key material, was published so that validating resolvers can verify the authenticity of DNS responses. The publication of the trust anchor for the Internet root makes it possible to begin linking together the "islands of trust" that have been created by the deployment of DNSSEC in isolated domains: a signed zone whose parent is unsigned can only be validated by resolvers that have been configured with that zone's key by hand, whereas a signed parent lets the root anchor vouch for it.
The .edu zone became one of the first Top Level Domains to be signed early this year, and 50 TLDs have been signed in addition to the root. Plans to sign at least a dozen more are in the works, including the largest of all, .com, in the first quarter of next year. Signing .com is expected to help push DNSSEC to critical mass, when completed chains of trust will allow validating resolvers, and the browsers and other applications behind them, to cryptographically validate DNS information for any signed domain.
The .gov Top Level Domain was signed in 2009, and agencies were supposed to deploy it within their domains by December 2009. But a year after that deadline, the signing of agency domains remains far from complete. Tests of 1,185 federal .gov domains in September found only 421, or 36 percent, could be successfully authenticated using DNSSEC.
Determining the exact number of government domains is difficult because there is no authoritative public source. Internet Identity, the security company that performed the September tests, was able to identify 2,941 .gov domains then in use, but the majority of them — 57 percent — were run by state and local governments, which are not required to implement DNSSEC. Only 1,185 of the sites identified, or 40 percent, are owned by federal agencies. But there could be as many as 2,000 other .gov domains registered by federal, state and local agencies.
The government website dnsops.gov, which provides a snapshot of DNSSEC deployment in federal domains, showed a total of 334 domains signed as of Dec. 10.