5 countries gain DNS Security Extensions

Five country code top-level domains for countries in Latin America and the Caribbean have been digitally signed to enable use of the Domain Name System Security Extensions.

The signing on Oct. 5, done by Afilias Ltd. of Dublin, a provider of Internet registry and back-end services, will enable validation of DNS query responses. It is part of an effort by the company to deploy DNSSEC to 13 top-level domains by the end of the year.

“Rolling out DNSSEC is critical to the future of the Internet,” said Jim Gavin, Afilias’ director of strategic partnerships and technical standards. “It’s moving very well.”

This month’s signings bring the total to 53, among about 300 top-level domains, that have been signed or are experimenting with DNSSEC. The country code domains that have recently been signed are .ag, used by Antigua and Barbuda; .bz, Belize; .hn, Honduras; .lc, St. Lucia; and .vc, St. Vincent and the Grenadines.

Related coverage:

DNSSEC spreads slowly through government domains

How DNSSEC provides a baseline of Internet security

DNS maps domain names to IP addresses and underlies nearly all Internet activities. DNSSEC enables digital signatures on DNS data and query responses so they can be authenticated with public cryptographic keys, making them harder to spoof or manipulate. It could help combat attacks such as pharming, cache poisoning and DNS redirection, which are used to commit fraud and identity theft and distribute malware.

To be fully effective, DNSSEC must be deployed throughout the Internet’s domains. The 13 root-zone DNS servers have been digitally signed since May. On July 15, the signed root zone was made available and a trust anchor was published with cryptographic keys that will allow users to verify the authenticity of DNS address requests. The publication of the trust anchor for the Internet root means it is now possible to begin linking the “islands of trust” that have been created by the deployment of DNSSEC.

Last year, the Office of Management and Budget mandated the deployment of DNSSEC in the .gov domain space, which could contain as many as 4,000 domains. Agencies have begun signing second-tier domains, such as GSA.gov, but as of Oct. 13, 10 months after the deadline for agencies to implement DNSSEC in their domains, just 323 domains had been signed, according to a list maintained by the government of the 868 federal .gov domains and their DNSSEC status.

Determining the exact number of .gov domain names being used by the federal government is not simple because there is no definitive public source. The majority of domains in use appear to be run by state and local governments, with only 1,185 identified as owned by federal agencies.

See an updated snapshot of DNSSEC's .gov rollout here.

The largest top-level domain to deploy DNSSEC to date has been .org, which contains about 8 million domain names. The Internet’s largest domain, .com, with around 80 million registered domain names, is expected to be signed next year.

Afilias has announced Project Safeguard, which is intended to expand the implementation of DNSSEC in top-level domains this year. That effort, along with the signing of .com, could help push DNSSEC to critical mass, creating a demand for Internet service providers to enable DNSSEC on their networks so that digitally signed DNS query responses can be validated for customers. Use of DNSSEC signatures is expected to be available to more than 100 million domains — or nearly half the Internet — by the end of 2011.

“I think we have further to go before we see the benefits broadly visible,” Gavin said of this month’s signings.

There is limited functionality for validating DNSSEC signatures in most consumer products, and although a few ISPs are capable of validating signed responses, the service is not generally available.

“We’re not done yet, but we’re moving along well,” Gavin said. “Right now we’re building out the infrastructure.”