Fast start of DNSSEC with .net and .com
At the end of last week, US company VeriSign announced the roll-out schedule for the authentication of the .com and .net zones. From the 9th of December, .net domains are to be authenticated via keys that are based on the new DNSSEC (Domain Name System Security Extensions) protocol and stored in the Domain Name System (DNS). Responses that don't originate from the server that was authorised for a domain will be detected when signatures are validated.
Signatures for .net domains have been available since the 29th of October, but they cannot be validated yet. Signatures for the .com zone are to follow in March; users will be able to protect their own .com domains with DNSSEC signatures shortly afterwards. This is mainly designed to prevent future cache-poisoning attacks.
For .net and .com, VeriSign will utilise the experience gained while signing the root zone. As with the root zone, the vendor will adopt a step-by-step procedure. At present, two of the thirteen .net name servers provide the signed zone. If any teething problems are encountered, the initially non-validated signatures allow users to return to the unsigned zone. Experts say that this is also a potential DNSSEC start scenario for large recursive resolvers, that is, Internet Service Providers. Only recently, Comcast announced the switch to DNSSEC-validating DNS resolvers.
VeriSign's announcement said the providers of .net and .com domains will be able to choose when they want to deposit signatures for their customers' domains with the registry. VeriSign enabled registrars to forward key information to the registry on the 25th of September. In February 2011, this will become possible for .com addresses.
According to a survey conducted by the Internet Corporation for Assigned Names and Numbers (ICANN), 60 out of 294 Top Level Domains are currently offering DNSSEC signatures, while 44 have deposited their keys in the root zone. The co-existence of multiple TLD key deposits is currently still being discussed. For users who wish to find out whether they can already use DNSSEC, VeriSign is offering a quick check at test.dnssec-or-not.org. (Monika Ermert)
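Technically, a TLD "depositing its key in the root zone" means publishing a DS record in the parent that is derived from the TLD's DNSKEY; a validator checks that the child's key matches it before trusting the child's signatures. The following Python is an added example, not code from the article or from VeriSign: it derives a DS record from a constructed placeholder DNSKEY for "net." (the key bytes are sample values, not the real .net key) and shows the validator-side comparison.

```python
import hashlib
import struct

# Constructed sample DNSKEY for "net.", as a registry might publish it.
# The key bytes are a placeholder, not VeriSign's real .net key material.
SAMPLE_OWNER = "net."
SAMPLE_FLAGS = 257      # KSK: Zone Key + Secure Entry Point bits set
SAMPLE_PROTOCOL = 3     # always 3 for DNSSEC
SAMPLE_ALGORITHM = 8    # RSA/SHA-256
SAMPLE_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes added raw, even bytes shifted
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical lower-case wire-format owner name, e.g. 'net.' -> 0x03 'net' 0x00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256, RFC 4509) over owner name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey):
    """The DS tuple (key tag, algorithm, digest type, digest) a child zone hands its parent."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, 2, ds_digest(owner, rdata))


def dnskey_matches_ds(owner, flags, protocol, algorithm, pubkey, ds):
    """Validator-side check: does the DNSKEY served by the child match the DS in the parent?"""
    return make_ds(owner, flags, protocol, algorithm, pubkey) == tuple(ds)


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print("DS record the root would hold for net.:", ds)
```

A DNSKEY whose bytes or owner name differ from what the DS was derived from fails the comparison, which is exactly the situation a validating resolver treats as untrusted.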
(Monika Ermert / crve)