Skip Links

Security tightened for .org

Public Interest Registry runs largest-ever domain to adopt DNS security extensions

By , Network World
June 02, 2009 12:03 AM ET

Network World - The Public Interest Registry will announce today that it has begun cryptographically signing the .org top-level domain using DNS security extensions known as DNSSEC.

DNSSEC is an emerging standard that prevents spoofing attacks by letting Web sites verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities including the Kaminsky Bug, a DNS flaw discovered last summer that allows a hacker to redirect traffic from a legitimate Web site to a fake one without the user knowing.

"DNSSEC is a needed infrastructure upgrade," says Alexa Raad, CEO of the Public Interest Registry (PIR). "It has passed the threshold of being a theoretical opportunity to being a practical necessity. The question then becomes: How do we make it work?"

With 7.5 million registered names, .org is the largest domain to deploy DNSSEC.

Current DNSSEC users include country code domains run by Sweden, Puerto Rico, Bulgaria, Brazil and the Czech Republic.

"Us signing the zone is a very important step, but it's also a symbolic step," Raad says. "A large [generic top-level domain] has now signed their zone. It will signal to all the other players in the chain that it is time to work very seriously on the software and applications to make DNSSEC viable in the near future."

PIR announced plans to deploy DNSSEC last June, and in December it vowed to share its experiences with members of the DNSSEC Industry Coalition. The coalition includes leading domain name registries such as VeriSign, NeuStar and Afilias as well as DNS software providers NLnet Labs, Secure64 and InfoBlox.

Raad says it's important for PIR to share its experiences with DNSSEC because "this is not something that one actor can take on. It does take a village, to borrow a phrase, to do it properly."

One recommendation that PIR is making to the industry is that DNSSEC deployments use the newer NSEC3 algorithm rather than the older NSEC, which is less secure and requires more processing

PIR also is prompting the DNSSEC Industry Coalition to develop operational procedures such as how to transfer domains from a register that supports DNSSEC to one that doesn't.

"We take this as an immense responsibility," Raad says. "We want to make sure that prudence and caution take way over haste" with our DNSSEC deployment.

On June 2, PIR will announce that it is signing the .org domain with NSEC3 and that it has begun testing DNSSEC with a handful of registrars using first fake and than real .org names. PIR plans to keep expanding its testing over the next few months until the registry is ready to support DNSSEC for all .org domain name operators.

Raad says she expects full-blown DNSSEC deployment on the .org domain in 2010.

"I don't expect it to be this calendar year," she says. "This is about learning and sharing our learning with industry."

The good news for .org domain name holders is that PIR's DNSSEC testing and deployment won't affect their day-to-day operations.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News