The Public Interest Registry will add an extra layer of security known as DNS Security Extensions (DNSSEC) to the .org domain in June -- a move that will protect millions of non-profit organizations and their donors from hacking attacks known as cache poisoning.
In a cache poisoning attack, traffic is redirected from a legitimate Web site to a fake one without the Web site operator or end user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
DNSSEC is an emerging Internet standard that prevents cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key cryptography.
The Public Interest Registry announced Thursday that it will support DNSSEC for first and second-level .org domain names. With nearly 8 million registered domain names, the .org domain is one of the Internet's largest generic top-level domains to deploy DNSSEC.
"When we first announced last year the signing of our zone, we showed that DNSSEC was not a utopian vision, but that it was needed for the future of the Internet," says Alexa Raad, CEO of The Public Interest Registry. "Everything runs on DNS. If you believe that there are going to continue to be more and more applications that run on DNS, then you have to think about DNSSEC."
Raad expects operators of .org Web sites to rapidly deploy DNSSEC.
"There are credit unions that use .org…and there are non-profit organizations that are in fundraising and have been targets for attacks, some of them quite public," Raad says. DNSSEC "will allow our customers who require security to have it."
The Public Interest Registry and its back-end services provider Afilias have been testing DNSSEC since last summer. They are working with 10 registrars to sign DNS queries. Several high-profile Web sites including www.ietf.org run by the Internet Engineering Task Force and www.isoc.org run by the Internet Society are signing their domains as part of the .org domain's ongoing DNSSEC trial.
"There have not been any significant problems," says Jim Galvin, director of strategic partnerships and technical standards with Afilias. "Testing has done for us what it's supposed to do. We've been engaging with all of the parties in terms of deploying DNSSEC and ensuring that it's ready for the broader community."
DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .org and other top-level domains, down to the servers that cache content for individual Web sites. All of these pieces must be in place for DNSSEC to protect an individual Web site.
The timing of .org's deployment of DNSSEC is ideal, given that the Internet's root zone will be signed on July 1.
Other top-level domains that are in the process of deploying DNSSEC or have already done so include the U.S. federal government's .gov domain and country code top-level domains operated by Sweden, Puerto Rico, Bulgaria and Brazil.
VeriSign says it will support DNSSEC in the .edu domain by the second quarter of 2010, the .net domain in the fourth quarter of 2010, and the .com domain in the first quarter of 2011.
In related news, Comcast is the first U.S. carrier to announce a public trial of its DNSSEC signing and resolution services.
"All of these DNSSEC announcements are coming one after another," Raad says. "The net of it is that if you have customers that are looking for secure applications, if you have customers that want to ensure themselves against identity theft, then you've got to start planning to support DNSSEC, and you've got the lead time to do it."
Galvin says CIOs need to realize that the time to deploy DNSSEC is now.
"The tipping point is here," Galvin says. "With the network operators moving along with products, and the service providers stepping up to offer managed services for enterprises and for individuals, I think that if you're not planning for DNSSEC now, you are behind the curve."