The .ORG,
Public Interest Registry (PIR) gTLD (generic top level domain) is perhaps best known as the non-profit registry for millions of organizations. It could also soon be known as a more secure domain space too, as .ORG adopts the DNSSEC (DNS Security Extensions), a set of extensions used to add an additional layer of security to the Domain Name System (DNS).
The move by .ORG to improve security for its DNS (which usually stands for Domain Name System, or Service or Server, the service that translates domain names into IP addresses) comes at a critical time for the world’s DNS infrastructure.
Security researcher Dan Kaminsky recently exposed a critical flaw in the DNS system, for which DNSSEC may well be the best long term solution for protecting the integrity of Internet and its traffic flow.
“The argument we’re trying to make is that there is a very real problem that DNSSEC solves and once we implement it within .org, it will be secure,” .ORG’s CEO Alexa Raad told InternetNews.com. ” There are other security issues, but DNSSEC solves a very specific problem which is highjacking traffic that could be unknown to the user.”
DNSSEC provides a form of signed verification for DNS information, which is intended to assure DNS authenticity. The Kaminsky flaw in DNS highlighted how without a form of DNS security a DNS server’s traffic could be highjacked in a cache poisoning attack redirecting users to arbitrary addresses without a users knowledge.
DNS vendors, including ISC, the lead sponsor behind the open source BIND DNS server, as well as Microsoft and others have patched their DNS implementation in order to make a potential cache poisoning attack more difficult to achieve.
Kaminsky, ISC and others have argued that DNSSEC is the best long term solution to solving the issue.
PIR first announced that it was launching an initiative to implement DNSSEC across .ORG in July several weeks after Kaminsky first disclosed his DNS flaw. Raad noted that the decision to move to DNSSEC was not a ‘knee jerk’ reaction to Kaminsky and that PIR had actually been involved in DNSSEC effort for the past two years. Radd argued that what Kaminsky’s disclosue did however was create awareness around the issue to give it the broader attention that it deserves.
That said just because PIR announced that .ORG was going to implement DNSSEC doesn’t mean that all of .ORG today is actually secured by DNSSEC today. In fact the road towards full adoption will take time and effort.
“Efforts are going really well, this is not a product launch but an iterative rollout,” Raad said. “We’re the first gTLD to implement DNSSEC and we are breaking it out into several phases, with the first phase being friends and family. So far we have been able to talk to a number of registrars that are interested a number of whom are large hosting vendors. ”
Raad added that she expects to have the friends and family phase completed by early 2009. After which the plan is to expand it further to bring in more registrars and registrants.
Ram Mohan CTO of Afilias which is PIR’s technology provider for the .ORG registry explained that at the top of the Internet chain are the root servers and inside of that is the entry for .org, which is what Afilias manages for PIR.
Mohan explained that with DNSSEC in place what will happen is a .org domain owner will first create a signature and then submit the signed domain to their registrar. The registrar then will have a secure interface that they can send into PIR. What PIR will do is it will marry the name server information with the security keys and in the DNS zone file that they publish, the zone file will have the key information provided right there.
“What that means is that all across the world when you send your key across, within seconds your domain name is validated and it will be propagated across PIR’s authoritative name servers,” Mohan said.
Getting all the various moving parts of the global DNS system to line up behind DNSSEC to date has been a challenge, though Raad noted that the Kaminsky flaw has made it easier with more awareness. Beyond awareness Raad added that there is also a technical challenge to face as well. In her view the development of applications and tools that enable all the participants to enable DNSSEC and to be able to test it and then offer it to customers is also an ongoing effort.
Though the initial rollout of DNSSEC at .ORG will not include all domain holders, Raad argued that they don’t have to have everyone participating, at least at the beginning. In her view PIR can take the lessons learned from the initial friends and family deployment and use them in an iterative model as the deployment expands.
“There are a lot of folks that are involved in the chain ultimately and nothing can be done in a day, Rome wasn’t build in a day” Raad said. “We think that the end result being a secure DNS is ultimately worth it because of all the applications that ride on the DNS infrastructure and will continue to. How do we get there from here? The smart way is an iterative process and then isolate where you can accelerate adoption. We feel that getting root signed is an important first step.”
VeriSign which manages the .COM registry is also exploring DNSSEC however in an interview with InternetNews.com earlier this year, VeriSign CTO Ken Silva SSL
Mohan does not disagree that SSL is a good technology to have however in his view it solves a different problem then the one that DNSSEC will ultimately provide.
“SSL is the wrong hammer because this is not a nail,” Mohan stated.
Mohan argued that SSL secured sites, even those that use EV-SSL (extended validation) could be hijacked. He noted that most users just click through to a domain and that if the DNS information has been compromised they will still be at risk.
“SSL doesn’t solve the hijacking problem it solves a different problem,” Mohan commented. “At this point it’s the only tech we know of that does it in an effective and reliable way.”
While SSL certificates are a revenue stream for VeriSign, the move toward DNSSEC for .ORG does not have a revenue component.
“Our motivation for implementing DNSSEC within .ORG is not commercially driven, we have no other product and this is not a money maker for us,” Raad said. ” We’re a non-profit registry, the motivation for us is something more long term and that is to help in the upgrade of the Internet overall. So even though we look forward to .org being signed, we’re looking forward to sharing the results of our experience so we can encourage other registries to upgrade their infrastructure.”