RealTime IT News

.ORG Gets Really Secure

The .org top-level domain (tld) is now signed with DNSSEC (DNS Security Extensions) to help protect against DNS hijacking.

The effort gained steam last year when .ORG announced its intention to secure itself with DNSSEC. It's an effort that involved millions of dollars of effort, according to the technical operator of .ORG, Afilias.

DNSSEC is a key technology that provides a way to digitally sign domain information to help ensure its authenticity. It has been hailed as the solution to DNS vulnerabilities first reported by security Dan Kaminsky in 2008 that had the potential to disrupt all Internet traffic. Though the main .org domain is now signed, there is still much work to be done until all .org domain holders benefit from DNSSEC security.

"In September, we said we were locking down the steps and working toward getting it signed, and that was a significant announcement," Ram Mohan, CTO of Afilias and the technology provider for the .ORG registry, told InternetNews.com. "Now we've done what we promised we would do eight months ago."

The last eight months have not been without challenges that Affilias had to overcome to get .ORG signed, including bugs discovered and fixed in the core BIND DNS software used.

"The biggest surprise for me was realizing how many processes we had to invent. Simple things like, so you have signed the zone, but how are you going to protect the key? There are no standards for that," Mohan said. "The lack of a uniform deployment methodology was probably our single biggest challenge."

The move to DNSSEC also involved significant resources, time and effort. Ram said Affilias has been involved with signing .org for more than two years. At the peak of the effort, he said there was a team of 30 to 40 people working on it on a full-time basis. The effort wasn't so much about hardware, according to Ram, but was more about the people cost and getting the expertise.

Ram did not provide a specific figure for how much the DNSSEC effort cost, but it he did give a rough estimation.

"If I had to give you a ballpark, I'd say we're definitely into the seven figures," Ram said. "It was a multi-million dollar exercise for us."

What is protected?

While the top level of .org is now signed with DNSSEC, it does not mean that all .org domain holders are automatically protected.

Ram explained that a good way to think of how the system works is to think of it as a pyramid. At the top level of the pyramid is .org, which is managed by PIR, the Public Interest Registry, and operated by Afilias.

"Everything we do for .org has an impact on all the layers of the pyramid," Ram said. "If you touch the top, it doesn't mean the levels below automatically get protected, it simply means that when they want to get protected, the top of the pyramid is already ready for them."

So if an individual .org domain owner wants to get DNSSEC signed, they just need to get it set up either through their own domain registrar, on their own DNS server, or by way of a third-party service like Affilias' one-click DNSSEC service.

Getting enough registrars on board to support DNSSEC for .org is a key next step, said Ram.

"We now have only two out of a total of close to 400, so obviously that number has to increase so consumers have choice and can stay with their existing registrars, Ram said.

While .org is now being set up for DNSSEC, other top-level domains, including .com, still need to be signed. VeriSign (NASDAQ: VRSN), the vendor that operates .com, has told InternetNews.com that they are working on a DNSSEC testbed, although no firm date has been set for broad deployment.

Afilias operates 15 other top-level domains, including .info and .in (India). Ram said .org is the largest, with some 7 million registered domains.

"Clearly .org is the flagship and one of the most trusted domains on the Internet, and it made the most amount of sense for that to be the strategic priority," Ram said.