DNSSEC for .org domains

At the 38th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Brussels, the Public Internet Registry (PIR) announced today that, effective immediately, it will accept signed domain names from everyone. Once an active key for the central root zone has been published, which is scheduled to happen on the 15th of July, the eight million owners of .org domains will be able to fully protect their addresses against cache poisoning and man-in-the-middle attacks. DNSSEC (Domain Name System Security Extensions) represents "a significant step closer to a more secure DNS", said ICANN CEO Rod Beckstrom, but continued that "it would be a mistake to think that it is going to solve all the problems involved in cyber security." He said intrusions such as DDoS and phishing attacks continue to be a threat.

Since the "Kaminsky bugs" were demonstrated at a Black Hat conference about two years ago, the implementation of protective cryptography measures for the Domain Name System via DNSSEC has been a top priority. Today, Dan Kaminsky praised DNSSEC as the "right solution" to replace the initially applied quick "band aid". The protocol that matches the public key of a zone with the private key is, in principle, a simple affair and its implementation doesn't need to be expensive, he said.

PIR CEO Alexa Raad noted that zone operators constantly need to upgrade in terms of their infrastructures anyway. In Raad's opinion, educating customers is a much more significant factor because it allows the registrars to successfully sell DNSSEC. In Brussels, GoDaddy, one of the largest domain registrars worldwide, announced a multi-stage rollout of DNSSEC. Talking to The H's associates at heise online, CEO Warren Adelman explained that GoDaddy will initially only pass names that have been signed by customers themselves to the PIR. He said a solution in which GoDaddy will sign names for customers will only become available in September.

According to Raad, the first .org domain address to be signed today was that of the Internet Society (isoc.org). In the event, this, of all signatures, included a typing error which temporarily made validation impossible. However, the problem was solved immediately and the domain was accessible at all times, said ISOC CEO Lynn St. Amour. Servers which already validate did produce an error message, of course. Roland van Rijswijk of SURFnet, an organisation that specifically monitors DNSSEC validations soon noticed the ISOC flaw and pointed out numerous other minor problems, for instance with DNSSEC-signed .gov addresses. Ram Mohan of PIR backend provider Afilias explained that one of the reasons for failure is key expiry. Mohan said that keys with overlapping validity periods – like those used for the signed variant of the .de zone – are therefore used for .org, but added that this wasn't the case everywhere.

However, despite much enthusiasm and an atmosphere of departure in Brussels, many market participants currently prefer to wait. And this isn't necessarily all down to the introductory effort: DNSSEC does not allow redirections, which are used by some providers to deploy advertising and are considered potential blocking mechanisms by various authorities.

(Monika Ermert)

(Monika Ermert / crve)