On Wednesday, .org became the first generic top-level domain to offer its customers improved security using DNSSEC (Domain Name System Security Extensions).
DNS is a key building block of the Internet. The technology’s most important task is translating IP (Internet Protocol) addresses to host names. When DNS was born in the early days of the Internet, it was designed to scale up fast, and a trade-off was made between that and security, according to Alexa Raad, CEO at .org. The implementation of DNSSEC will help change that and protect users against man-in-the-middle attacks, she said.
For users, this means they can be sure that the site they are visiting is actually run by, for example, their bank, and not a hacker, as long as they go to the correct URL.
For the rollout of DNSSEC to take off, registrars, to which domains turn when they want to implement the technology, will have to be on board. Today, 13 of .org’s registrars can handle DNSSEC, according to its Web site. The fact that Go Daddy, the world’s largest registrar, is one of them will help create a domino effect and get more registrants to implement DNSSEC, according to Raad.
For the proponents of DNSSEC it’s been a long road. The technology has been under development for almost two decades, but now it is starting to pick up. Last week, the cryptographic key that will be used to secure the Internet’s root zone was created.
The fact that a large generic top-level domain has now moved from testing to actually using DNSSEC is a stamp of approval, which signals that the technology is now ready, according to Jakob Schlyter, IT security advisor at Swedish consultant Kirei. When Verisign starts offering DNSSEC on .net towards the end of the year and then soon after that on .com, other domains will follow, he said.