Security strengthened for .org domain
DNS Security Extensions signs .org as first open top-level domain
- By William Jackson
- Jun 03, 2009
The Public Interest Registry, which manages the .org top-level domain, yesterday digitally signed the .org zone using the Domain Name System Security Extensions (DNSSEC).
DNSSEC lets DNS queries and responses be digitally signed so that they can be authenticated and are harder to spoof or manipulate. But both sides of the exchange, the zone that signs its records and the resolver that checks those signatures, must be using DNSSEC in order for it to work, and it will be some months before the new security service is rolled out to domains registered within the top-level domain.
“We want to do this in a responsible manner,” said Lance Wolak, director of marketing and product management for PIR.
During a beta-test phase the extensions will be trialed in a test bed with domains registered specifically for testing. “When all goes well with that, we will reach out and begin working with live domains,” Wolak said. “We expect to be doing this throughout the rest of this year and into 2010.”
The signing came three months after the government implemented DNSSEC protocols throughout the top tiers of the federal Internet space by signing the .gov top-level domain. Agencies are to begin deploying DNSSEC within their second-level domains, such as gsa.gov, by the end of the year. Rolling the security extensions out in the .org domain will be a significantly larger undertaking. The .org is the third largest of the open top-level domains — behind .com and .net — with more than 7 million registered domains. The .gov top-level domain has about 3,700 domains registered in it.
The 26-year-old DNS maps domain names to IP addresses and underlies nearly all Internet activities. DNS replaced the host-table naming system, which dates back to the Internet’s predecessor, the ARPAnet, and predates the implementation of TCP/IP. With the host table, a centrally managed file maintained by the Network Information Center at Stanford University was updated every week or so to map host names to their locations on the network. Network users could download the file to get up-to-date addresses. That was adequate during the pioneering days of the interconnected network, but it would not scale to the levels needed as the Internet grew. DNS is a distributed, hierarchical scheme that lets everyone look up addresses without having to maintain a separate copy of the whole table.
DNS has been successful at scaling to serve the Internet community, but like the rest of the Internet infrastructure, it was not built with security in mind. The possibility of DNS caches being poisoned by hackers to misdirect or hijack traffic has been known for some time, and in late 2006, new federal information security requirements called for agencies to use DNSSEC signatures on DNS servers that are classified as moderate- or high-impact information systems. Little implementation was done, however, in part because most servers were classified as low impact and in part because managing a signed DNS zone can be complicated, involving the management of cryptographic keys and of digital signatures that are valid for only a month.
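The two mechanics the article describes, a zone signing its records so a resolver can authenticate them (and a resolver that does not validate gaining nothing), and signatures that carry a limited validity window, can be shown in a small simulation. The following is an added example, not code from the article or from PIR; it models DNSSEC with textbook RSA over SHA-256 rather than the real RRSIG wire format and key chain, and the `example.org.` records, addresses and YYYYMMDD dates are constructed for illustration.

```python
"""Toy model of DNSSEC-style record signing and resolver validation.

Added example, not from the article. Textbook RSA over SHA-256 stands in
for the RRSIG algorithm (assumption); there is no wire format, no DS/KSK
chain, and the zone data below is constructed.
"""
import hashlib
import random
from dataclasses import dataclass


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, used only for the toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)): the zone's public key and private signing key."""
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        n, e = p * q, 65537
        try:
            return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))
        except ValueError:  # e not invertible for this p, q; draw again
            continue


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    ttl: int
    rdata: tuple  # one or more record values, e.g. IPv4 addresses


def _digest(rrset, inception, expiration):
    # Canonical form: lowercased owner, sorted rdata, validity window bound into
    # the signed data so an old signature cannot be replayed with new dates.
    lines = [f"{rrset.name.lower()} {rrset.ttl} {rrset.rtype} {r}" for r in sorted(rrset.rdata)]
    data = f"{inception}|{expiration}|" + "\n".join(lines)
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")


def sign_rrset(rrset, private_key, inception, expiration):
    """Produce an RRSIG-like record: signature plus its validity window."""
    n, d = private_key
    return {"inception": inception, "expiration": expiration,
            "sig": pow(_digest(rrset, inception, expiration), d, n)}


def verify_rrsig(rrset, rrsig, public_key, now):
    """True only if the signature matches the records and is within its window."""
    n, e = public_key
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return False
    return pow(rrsig["sig"], e, n) == _digest(rrset, rrsig["inception"], rrsig["expiration"])


def resolve(response, trust_anchor, validating, now):
    """Return the rdata a resolver accepts, or None if validation fails.

    A non-validating resolver trusts whatever arrives: this is the article's
    point that both sides of the exchange must use DNSSEC for it to help.
    """
    rrset, rrsig = response["rrset"], response.get("rrsig")
    if not validating:
        return rrset.rdata
    if rrsig is None or not verify_rrsig(rrset, rrsig, trust_anchor, now):
        return None
    return rrset.rdata


def demo():
    pub, priv = generate_keypair()
    inception, expiration = 20090602, 20090702  # constructed 30-day window
    genuine = RRset("example.org.", "A", 3600, ("192.0.2.10",))
    rrsig = sign_rrset(genuine, priv, inception, expiration)
    # A poisoned answer swaps the address but cannot carry a valid signature.
    forged = RRset("example.org.", "A", 3600, ("198.51.100.66",))
    return {
        "validating_genuine": resolve({"rrset": genuine, "rrsig": rrsig}, pub, True, 20090615),
        "validating_forged": resolve({"rrset": forged, "rrsig": rrsig}, pub, True, 20090615),
        "nonvalidating_forged": resolve({"rrset": forged, "rrsig": rrsig}, pub, False, 20090615),
        "validating_expired": resolve({"rrset": genuine, "rrsig": rrsig}, pub, True, 20090801),
    }


if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case:22s} -> {answer}")
```

Running `demo()` shows the three outcomes the article implies: the validating resolver accepts the genuine record and rejects both the forged one and the one whose signature has lapsed, while the non-validating resolver accepts the forged record without complaint. The expiration check is also why the monthly re-signing the article mentions is an operational burden: once the window closes, correctly signed data is refused by every validating resolver until the zone is re-signed.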
But last July a significant flaw in the protocols was announced that made securing the system more urgent, and OMB issued a memo requiring deployment of DNSSEC to the .gov space in 2009.
PIR began looking toward DNSSEC implementation for .org in 2007.
“It has been a two-year effort,” Wolak said. In June 2008, the Internet Corporation for Assigned Names and Numbers, which oversees Internet management, approved PIR’s proposal. The registry formed an industry coalition to determine the best design and practices for implementing DNSSEC. Because of the complexity of managing cryptographic signatures for DNS entries, the collaboration and sharing of experiences has been important to getting the security extensions into the zone, Wolak said. PIR has been watching the .gov implementation closely.
“It is best not to go alone in this,” he said. “Involve others in the industry to participate with you.”
William Jackson is a Maryland-based freelance writer.