[Infowarrior] - Security Tightened for .org Domain

Richard Forno rforno at infowarrior.org
Wed Jun 3 19:39:56 UTC 2009


Security Tightened for .org Domain

Carolyn Duffy Marsan, Network World

Tuesday, June 02, 2009 6:42 AM PDT

http://www.pcworld.com/businesscenter/article/165916/security_tightened_for_org_domain.html


The Public Interest Registry will announce today that it has begun  
cryptographically signing the .org top-level domain using DNS security  
extensions known as DNSSEC.

DNSSEC is an emerging standard that prevents spoofing attacks by  
letting Web sites verify their domain names and corresponding IP  
addresses using digital signatures and public-key encryption.

DNSSEC is viewed as the best way to bolster the DNS against  
vulnerabilities including the Kaminsky Bug, a DNS flaw discovered last  
summer that allows a hacker to redirect traffic from a legitimate Web  
site to a fake one without the user knowing.

"DNSSEC is a needed infrastructure upgrade," says Alexa Raad, CEO of  
the Public Interest Registry (PIR). "It has passed the threshold of  
being a theoretical opportunity to being a practical necessity. The  
question then becomes: How do we make it work?"

With 7.5 million registered names, .org is the largest domain to  
deploy DNSSEC.

Current DNSSEC users include country code domains run by Sweden,  
Puerto Rico, Bulgaria, Brazil and the Czech Republic.

"Us signing the zone is a very important step, but it's also a  
symbolic step," Raad says. "A large [generic top-level domain] has now  
signed their zone. It will signal to all the other players in the  
chain that it is time to work very seriously on the software and  
applications to make DNSSEC viable in the near future."

PIR announced plans to deploy DNSSEC last June, and in December it  
vowed to share its experiences with members of the DNSSEC Industry  
Coalition. The coalition includes leading domain name registries such  
as VeriSign, NeuStar and Afilias as well as DNS software providers  
NLnet Labs, Secure64 and InfoBlox.

Raad says it's important for PIR to share its experiences with DNSSEC  
because "this is not something that one actor can take on. It does  
take a village, to borrow a phrase, to do it properly."

One recommendation that PIR is making to the industry is that DNSSEC  
deployments use the newer NSEC3 algorithm rather than the older NSEC,  
which is less secure and requires more processing.

PIR also is prompting the DNSSEC Industry Coalition to develop  
operational procedures such as how to transfer domains from a registrar  
that supports DNSSEC to one that doesn't.

"We take this as an immense responsibility," Raad says. "We want to  
make sure that prudence and caution take way over haste" with our  
DNSSEC deployment.

On June 2, PIR will announce that it is signing the .org domain with  
NSEC3 and that it has begun testing DNSSEC with a handful of  
registrars using first fake and then real .org names. PIR plans to  
keep expanding its testing over the next few months until the registry  
is ready to support DNSSEC for all .org domain name operators.

Raad says she expects full-blown DNSSEC deployment on the .org domain  
in 2010.

"I don't expect it to be this calendar year," she says. "This is about  
learning and sharing our learning with industry."

The good news for .org domain name holders is that PIR's DNSSEC  
testing and deployment won't affect their day-to-day operations.

"It's important to note that .org domain holders don't have to do  
anything," Raad says. "Their domain names will function as usual."

Raad says enterprise network managers should start asking their ISPs,  
domain name registrars and DNS vendors what they are doing to support  
DNSSEC.

First envisioned in 1995, DNSSEC efforts have ramped up dramatically  
since last summer when the Kaminsky bug was discovered.

The U.S. federal government is deploying DNSSEC across its .gov domain  
this year, with plans for all sub-domains to be signed by the end of  
2009.

VeriSign has committed to deploying DNSSEC across .com and .net by 2011.

But the Internet engineering community is waiting for the U.S. federal  
government to deploy DNSSEC across the root zone.

More DNSSEC news is anticipated next week because the DNSSEC Industry  
Coalition is hosting a symposium in Washington D.C. June 11 and 12 to  
discuss DNSSEC deployment issues including how best to sign the root  
zone.
