Public Interest Registry begins moving DNSSEC into live domains

The Public Interest Registry (PIR), which digitally signed its .org zone in June, has begun implementing Domain Name System Security Extensions (DNSSEC) in a test environment for 18 live domains as part of its plan to launch DNSSEC services in the top level domain next year.

The program has achieved a number of milestones in disseminating digital signing keys and records without major problems.

“DNSSEC wasn’t as scary as it was thought to be,” said Lauren Price, senior product marketing manager for PIR. “It is not something to be taken lightly,” but with proper planning it is manageable.

The Domain Name System maps domain names to IP addresses and underlies nearly all Internet activities. DNSSEC lets DNS queries and responses be digitally signed so they can be authenticated with public cryptographic keys, making them harder to spoof or manipulate. But both sides of the exchange must be using DNSSEC in order for it to work, and it will be some months before the new security service is rolled out to domains registered within the top level domain.

PIR assumed registry operations for the .org top level domain in 2003, with back-end technical services being supplied by Afilias Ltd. of Dublin, Ireland. Private registrars sell .org domain names, providing registration and renewal services as a business.

Alexa Raad, chief executive officer of PIR, said implementation of DNSSEC is an essential part of the process of upgrading the Internet infrastructure to provide the security that users of this critical utility require.

“There is a responsibility for the current generation to ensure that the infrastructure is upgraded,” Raad said.

Successful use of DNSSEC requires wide-scale deployment throughout the online environment so that chains of trust for obtaining keys and verifying digital signatures are created from individual users and applications up to registrars running domains. The technology has existed for several years, but, “it was considered a utopian ideal,” Raad said.

The change in attitude came last July, when a basic flaw in the DNS protocols was announced by security researcher Dan Kaminsky. “The 'Kaminsky bug' changed the game,” Raad said. “That was the tipping point. Market demand [for DNSSEC] materialized from that.”

The Office of Management and Budget issued a memo requiring deployment of DNSSEC to the .gov space in 2009. The .gov root was signed in February, and agencies are working to sign their secondary domains by the end of the year. The National Institute of Standards and Technology is providing a testbed environment for agencies to experiment with DNSSEC, and deployment is moving cautiously as vendors develop products to help automate the implementation and management of the protocols.

Rolling the security extensions out in the .org domain will be a significantly larger undertaking than the .gov effort. The .org domain is the third largest of the open top level domains, behind .com and .net, with more than 7.5 million domains registered in it. The .gov top level domain has about 3,700 domains registered in it.

Since signing the .org zone on June 2, PIR has:

  • Pushed its signing key to the Interim Trust Anchor Repository on June 26. ITAR is a mechanism for disseminating keys in a trusted manner so they can be used to verify signed data. It is considered a temporary solution until the DNS root zone itself is signed with DNSSEC, eliminating the need for a long chain of trust.
  • Had the key successfully picked up from ITAR by DNSSEC Look-aside Validation (DLV) on July 6. DLV is an extension to the DNSSEC protocol to help simplify the configuration of recursive servers by providing an access point for DNSSEC validation information. Without DLV, in the absence of a fully signed path from the root to a zone, users wishing to enable DNSSEC-aware resolvers would have to configure and maintain multiple trusted keys.
  • Manually inserted DNSSEC data for 18 live domains in the “Friends and Family” phase of controlled testing.
  • Successfully rolled over the zone signing key on July 2. DNSSEC zone signing keys typically are replaced every 30 days to enhance security.
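As an added worked example (not code from the article, PIR or Afilias), the following shows the link that trust anchors such as ITAR and parent DS records rely on: the parent, or a trust-anchor repository, publishes a digest of the child zone's key-signing key, and a validating resolver accepts the child's DNSKEY only if it hashes to that digest, following the DS and key-tag definitions of RFC 4034. The key bytes and the resulting DS values are constructed placeholders, not .org's real keys.

```python
# Added example: chain-of-trust link between a parent's DS record and a child zone's DNSKEY (RFC 4034).
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, each length-prefixed, ending in a zero byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK with SEP bit, 256 = ZSK), protocol (always 3), algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with carry folded in; identifies a key in an RRset."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); digest type 1 = SHA-1, 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int) -> dict:
    """What the parent zone (or a trust-anchor repository) publishes for the child's key-signing key."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(owner: str, ds: dict, rdata: bytes) -> bool:
    """Resolver-side check: trust the child's DNSKEY only if tag, algorithm and digest all match the published DS."""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


# Constructed sample: a 4-byte placeholder "public key" (algorithm 8 = RSA/SHA-256), not a real RSA key.
SAMPLE_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
ORG_DS = make_ds("org.", SAMPLE_KSK, 2)
# A key altered in transit (last byte changed) no longer matches the DS the parent published.
TAMPERED_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")
```

A validating resolver repeats this check at every delegation from the trust anchor down, which is why a signed root removes the need for ITAR's separate key distribution.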

Raad said PIR invited .org domain holders to participate in the Friends and Family test phase. “These domain holders are the techy, early adopters,” she said. “Curious types.” Before they entered the program, testing was being done on “throwaway” domains set up specifically for testing DNSSEC. She said new domain holders are welcome to join the testing program.

Reader Comments

Fri, Jul 31, 2009 Jeffrey A. Williams Frisco Texas

Problem with PIR's implementation of DNSSEC, is that it has yet to support SHA2 hashed certs, and PIR has yet to clean up the many porn sites in their DN database.
