Registry operator Afilias embraces DNS security

Afilias will add encryption to .info and 12 other Web site extensions this year

Afilias, which operates .info and more than a dozen other Web site extensions, will announce on Monday plans to deploy an emerging standard known as DNSSEC that adds a layer of encryption to the Internet's Domain Name System.

Will security worries propel DNS into the cloud?

Afilias will deploy DNS Security Extensions (DNSSEC) on 13 of the domains it operates -- including .info, India's .in and the Hong Kong-based .asia -- by the end of the year. DNSSEC prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Afilias, which operates .info and more than a dozen other Web site extensions, will announce on Monday plans to deploy an emerging standard known as DNSSEC that adds a layer of encryption to the Internet's Domain Name System.

Will security worries propel DNS into the cloud?

Afilias will deploy DNS Security Extensions (DNSSEC) on 13 of the domains it operates -- including .info, India's .in and the Hong Kong-based .asia -- by the end of the year. DNSSEC prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

"Afilias supports more different top-level domains across the Internet than any other provider," says Roland LaPlante, senior vice president and chief marketing officer for Afilias."When we start making a move and start expanding the use of DNSSEC, it really makes quite a big difference on the Internet."

The Internet's root servers began supporting DNSSEC on July 15.

Since then, 26 top-level domains -- including .org for non-profits and .edu for universities -- have begun digitally signing DNS look-ups with DNSSEC.

"Afilias supporting DNSSEC is a pretty big increase in the number of top-level domains that support DNSSEC," LaPlante adds.
In order to be effective, DNSSEC must be deployed across the entire Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

Afilias says it will support DNSSEC for the .info domain, which has 6.5 million registered names, in September, followed by .in and .asia in early October.

Next, Afilias will roll out DNSSEC for the following domains before the end of the year: Mongolia's .mn; Seychelles' .sc; Honduras' .hn; Belize's .bz ; Antigua and Barbuda's .ag; St. Lucia's .lc ; St. Vincent and the Grenadines' .vc ; Gibralter's .gi; and Montenegro's .me. Afilias also will support DNSSEC for .aero, a Web site name extension restricted to the aviation industry.

Afilias already helped the Public Interest Registry add DNSSEC support to .org.

"We learned a lot from the .org DNSSEC deployment experience," says Ram Mohan, executive vice president and CTO for Afilias. "When you digitally sign a zone, the size of the zone increases. The size and type of queries that you get increase quite a bit. There are all sorts of infrastructure changes that you have to accommodate on the back end, but the end user doesn't really see that much of a change."

Afilias says it has spent several million dollars upgrading its DNS software -- it runs both the BIND and NSD open source offerings -- as well as adding server capacity to support DNSSEC.