Nominet, the U.K.’s domain name registry, will begin implementing a security protocol on Monday designed to protect the DNS (Domain Name System).
The system, called DNS Security Extensions (DNSSEC), uses public key cryptography to digitally “sign” the DNS records for Web sites. It is designed to stop attacks such as cache poisoning, where a DNS server is hacked, making it possible for a user to type in the correct Web site name but be directed to a fake Web site.
In 2008, security researcher Dan Kaminsky showed it was possible to poison a cache in just a few seconds with a special kind of attack. Almost every organization running a DNS server have deployed a patch, but DNSSEC is a long-term fix.
Nominet will begin signing the “.uk” top-level domain beginning Monday, a process which will conclude a week later, said Simon McCalla, director of IT at the registry.
Interestingly, there are just a little over a dozen Web sites that use “.uk” since a decision was made more than a decade ago to close off registrations, he said. Much more common are second-level domains, such as “.co.uk” and “.org.uk,” among others.
However, signing the “.uk” zone is crucial to building the so-called “chains of trust” required for full DNSSEC implementation, McCalla said. Cryptographic keys used to sign Web sites in different zones are validated by other zones.
That signing culminates at the “root zone,” or the 13 authoritative nameservers located around the world that contain the master list of where computers can go to look up an address in a particular domain such as “.com.” The DNS translates Web site names, such as www.idg.com into a numerical IP (Internet Protocol) address, which is used by computers to find a Web site.
Transitioning to DNSSEC can be difficult and expensive, although open-source developers have created a toolkit, called OpenDNSSEC, to ease the transition. Nominet, which is using the software, helped develop it along with other entities such as NLnet Labs and SIDN, the “.nl” registry, McCalla said.
“We’ve had to invest quite a bit of time and effort in getting this right,” McCalla said. “We’ve invested a lot in the OpenDNSSEC software.”
Nominet will begin signing “.co.uk” — comprising more than 8 million Web sites — later this year, working with any entity that operates a nameserver, as their software will have to be upgraded for DNSSEC.
So far, other entities have been slow to upgrade. McCalla said many appear to be waiting for the root zone to be signed. “I expect we will see a much greater awareness this year,” he said.