It seems that after 15 years of predicting better security for the Domain Name System, the time has finally come for the implementation of DNSSEC, the set of extensions to DNS that provides origin authentication and integrity for DNS data.
According to Technology Review, Verisign, the company that manages the .com and .net registries, announced yesterday that it plans to start testing the mechanism soon and to finish deploying it across those two domains by 2011. The first step towards the all-encompassing application of this security technology is announced for the 1st of December, when ICANN (Internet Corporation for Assigned Names and Numbers) will create the top-level key for verifying domain names.
How does the system work? DNSSEC simply adds cryptographic information to domain records, so that malicious persons can’t spoof DNS entries and trick unsuspecting Internet users into believing they are on a safe domain when they are in fact on one being used to defraud them of personal information.
You might wonder why it took so long for it to start gaining ground. The answer to that question is, of course, money. To implement DNSSEC, companies have to change servers and software and, in doing so, incur more costs, so they have been reluctant to start the change.
The implementation of DNSSEC will create a trust system, a hierarchy at the top of which ICANN, the US Department of Commerce and Verisign will sit and manage a master key that will validate lower-level keys, which will in turn be used to sign other domains for which the holders of the keys are accountable.
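The hash link behind this hierarchy, as an added example that is not from the article or from any of the organisations it names: each parent zone publishes a DS record, a digest of the child zone's DNSKEY, and a resolver walks downward from its configured trust anchor. The key bytes and the example.com. zone are constructed, and the signature (RRSIG) checks that a real validator also performs are left out.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (a short identifier, not a security check)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """DS record a parent publishes for a child key (SHA-256 digest, RFC 4509)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest": digest}

def first_broken_link(trust_anchor: dict, chain: list):
    """chain: [(zone, its DNSKEY RDATA, DS it publishes for the next zone), ...].
    Returns the first zone whose key is not vouched for from above, else None."""
    expected = trust_anchor
    for zone, rdata, ds_for_child in chain:
        if make_ds(zone, rdata) != expected:
            return zone
        expected = ds_for_child
    return None

# Constructed key material for illustration, not real keys.
ROOT = dnskey_rdata(257, 8, b"constructed-root-key")
COM = dnskey_rdata(257, 8, b"constructed-com-key")
SITE = dnskey_rdata(257, 8, b"constructed-example-key")
FORGED = dnskey_rdata(257, 8, b"constructed-forged-key")

ANCHOR = make_ds(".", ROOT)  # the top-level key, configured in the resolver

def build_chain(site_key: bytes) -> list:
    """Root vouches for com., com. vouches for example.com. (hypothetical zone)."""
    return [(".", ROOT, make_ds("com.", COM)),
            ("com.", COM, make_ds("example.com.", SITE)),
            ("example.com.", site_key, None)]

if __name__ == "__main__":
    print(first_broken_link(ANCHOR, build_chain(SITE)))
    print(first_broken_link(ANCHOR, build_chain(FORGED)))
```

A key substituted at the bottom of the chain is rejected because its digest does not match the DS that com. published, which is how the hierarchy lets one top-level key vouch for every signed domain below it.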
It is interesting to note that Verisign is not a pioneer in this field. Sweden’s national domain .se was the first ccTLD in the world to implement DNSSEC, some three years ago. Puerto Rico, Mexico, Brazil, Bulgaria, and the Czech Republic followed suit. Also, 5 months ago The Public Internet Registry began cryptographically signing the .org TLD using DNSSEC.