[AfrICANN-discuss] Security tightened for .org

Anne-Rachel Inné annerachel at gmail.com
Tue Jun 2 16:54:52 SAST 2009


This story appeared on Network World at
http://www.networkworld.com/news/2009/060209-public-interest-registry-org.html

Security tightened for .org

Public Interest Registry runs largest-ever domain to adopt DNS security
extensions

By Carolyn Duffy
Marsan<http://www.networkworld.com/Home/cduffy%20marsan.html>, Network
World, 06/02/2009

The Public Interest Registry will announce today that it has begun
cryptographically signing the .org top-level domain using DNS security
extensions known as
DNSSEC<https://www.networkworld.com/community/taxonomy/term/18392>.


DNSSEC is an emerging standard that prevents spoofing attacks by letting Web
sites verify their domain names and corresponding IP addresses using digital
signatures and public-key encryption.

DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities
including the Kaminsky
Bug<http://www.networkworld.com/news/2008/070808-dns-flaw-disrupts-internet.html>,
a DNS flaw discovered last summer that allows a hacker to redirect traffic
from a legitimate Web site to a fake one without the user knowing.

"DNSSEC is a needed infrastructure upgrade," says Alexa Raad, CEO of the
Public Interest Registry (PIR). "It has passed the threshold of being a
theoretical opportunity to being a practical necessity. The question then
becomes: How do we make it work?"

With 7.5 million registered names, .org is the largest domain to deploy
DNSSEC.

Current DNSSEC users include country code domains run by Sweden, Puerto
Rico, Bulgaria, Brazil and the Czech Republic.

"Us signing the zone is a very important step, but it's also a symbolic
step," Raad says. "A large [generic top-level domain] has now signed their
zone. It will signal to all the other players in the chain that it is time
to work very seriously on the software and applications to make DNSSEC
viable in the near future."

PIR announced plans to deploy DNSSEC last June, and in December it vowed to
share its experiences with members of the DNSSEC Industry
Coalition<http://www.networkworld.com/news/2008/120908-dns-security.html?page=1>.
The coalition includes leading domain name registries such as VeriSign,
NeuStar and Afilias as well as DNS software providers NLnet Labs, Secure64
and InfoBlox.

Raad says it's important for PIR to share its experiences with DNSSEC
because "this is not something that one actor can take on. It does take a
village, to borrow a phrase, to do it properly."

One recommendation that PIR is making to the industry is that DNSSEC
deployments use the newer NSEC3 algorithm rather than the older NSEC, which
is less secure and requires more
processing<http://www.dnssecreport.com/DNSSECReport/Content.aspx?SID=8>.


PIR also is prompting the DNSSEC Industry Coalition to develop operational
procedures such as how to transfer domains from a registrar that supports
DNSSEC to one that doesn't.

"We take this as an immense responsibility," Raad says. "We want to make
sure that prudence and caution take way over haste" with our DNSSEC
deployment.

On June 2, PIR will announce that it is signing the .org domain with NSEC3
and that it has begun testing DNSSEC with a handful of registrars using
first fake and then real .org names. PIR plans to keep expanding its testing
over the next few months until the registry is ready to support DNSSEC for
all .org domain name operators.

Raad says she expects full-blown DNSSEC deployment on the .org domain in
2010.

"I don't expect it to be this calendar year," she says. "This is about
learning and sharing our learning with industry."

The good news for .org domain name holders is that PIR's DNSSEC testing and
deployment won't affect their day-to-day operations.

"It's important to note that .org domain holders don't have to do anything,"
Raad says. "Their domain names will function as usual."

Raad says enterprise network managers should start asking their ISPs, domain
name registrars and DNS vendors what they are doing to support DNSSEC.

First envisioned in 1995, DNSSEC efforts have ramped up dramatically since
last summer when the Kaminsky bug was discovered.

The U.S. federal government is deploying DNSSEC across its .gov
domain<http://www.networkworld.com/news/2009/020909-dns-security-deadline.html?page=1>
this year, with plans for all sub-domains to be signed by the end of 2009.

VeriSign has committed to deploying DNSSEC across .com and
.net<http://www.networkworld.com/news/2009/022409-verisign-dns-security.html?page=1>
by 2011.

But the Internet engineering community is waiting for the U.S. federal
government to deploy DNSSEC across the root
zone<http://www.networkworld.com/news/2008/112508-dns-root.html>.


More DNSSEC news is anticipated next week because the DNSSEC Industry
Coalition is hosting a
symposium<http://pir.org/index.php?db=content/News&tbl=Press&id=24>
in Washington D.C. June 11 and 12 to discuss DNSSEC deployment issues
including how best to sign the root zone.

All contents copyright 1995-2009 Network World, Inc.
http://www.networkworld.com