A new domain signs on with DNSSEC
Security spreads wider on the Internet
- By William Jackson
- Sep 09, 2010
The .info top-level domain, the Internet’s seventh largest TLD with more 6.5 million registered domains within it, was digitally signed on Sept. 1 to enable use of the DNS Security Extensions. The delegation signer records have been published in the DNS Root to enable validation of signatures on Domain Name Service query responses.
The signing is part of an effort by Afilias Ltd. of Dublin, a provider of Internet registry and back-end services, to deploy DNSSEC to 13 additional TLDs by year end. There will be a “friends and family” period during which the signatures will be used within a handful of .info domains before it is rolled out to the entire registered population.
Need t o deploy DNSSEC? NIST publishes its how-to
How DNSSEC provides a baseline of Internet security
Affiias to deploy DNSSEC to 16 TLDs this year
The Domain Name System maps domain names to IP addresses and underlies nearly all Internet activities. DNSSEC enables digital signatures on DNS data and query responses so they can be authenticated with public cryptographic keys, making them harder to spoof or manipulate. This will help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to commit fraud and identity theft and to distribute malware.
To be fully effective, DNSSEC must be deployed throughout the Internet’s domains. The Internet’s 13 root zone DNS servers have been digitally signed since May. On July 15, the signed root zone was made available and a trust anchor was published with cryptographic keys that will allow users to verify the authenticity of DNS address requests. The publication of the trust anchor for the Internet root means it now is possible to begin linking together the “islands of trust” that have been created by the deployment of DNSSEC.
The Office of Management and Budget mandated the deployment of DNSSEC in the .gov domain, which contains about 4,000 domains, last year. Agencies have begun signing second-tier domains, such as gsa.gov. The largest top-level domain to deploy DNSSEC to date has been .org, which contains about 8 million domain names. The Internet’s largest domain, .com, with around 80 million registered domain names, is expected to be signed next year.
In the meantime, Afilias has announced its Project Safeguard, which is intended to expand the implementation of DNSSEC from 26 to 39 TLDs this year. This effort, along with the signing of .com, could help to push DNSSEC to critical mass, creating a demand for Internet service providers to enable DNSSEC on their networks so that digitally signed DNS query responses can be validated for customers. Use of DNSSEC signatures is expected to be available to more than 100 million domains, or nearly half of the Internet, by the end of 2011.
Afilias is the registry for .info, meaning that it maintains the domain names that are sold by the registrars within that domain. The domain was created in 2001as the first generic TLD launched since .com.
Afilias also will be enabling DNSSEC in another 12 TLDs that it supports by providing back-end services.
Participants in the “friends and family” period for familiarizing users with DNSSEC within .info will include afilias.info, info.info, shinkuro.info, Comcast.info and 19 other domains within Comcast.
William Jackson is a Maryland-based freelance writer.