UK registry to implement DNS security protocol
- 01 March, 2010 03:34
- Comments 1
Nominet, the U.K.'s domain name registry, will begin implementing a security protocol on Monday designed to protect the DNS (Domain Name System).
The system, called DNS Security Extensions (DNSSEC), uses public key cryptography to digitally "sign" the DNS records for Web sites. It is designed to stop attacks such as cache poisoning, where a DNS server is hacked, making it possible for a user to type in the correct Web site name but be directed to a fake Web site.
In 2008, security researcher Dan Kaminsky showed it was possible to poison a cache in just a few seconds with a special kind of attack. Almost every organization running a DNS server have deployed a patch, but DNSSEC is a long-term fix.
Nominet will begin signing the ".uk" top-level domain beginning Monday, a process which will conclude a week later, said Simon McCalla, director of IT at the registry.
Interestingly, there are just a little over a dozen Web sites that use ".uk" since a decision was made more than a decade ago to close off registrations, he said. Much more common are second-level domains, such as ".co.uk" and ".org.uk," among others.
However, signing the ".uk" zone is crucial to building the so-called "chains of trust" required for full DNSSEC implementation, McCalla said. Cryptographic keys used to sign Web sites in different zones are validated by other zones.
That signing culminates at the "root zone," or the 13 authoritative nameservers located around the world that contain the master list of where computers can go to look up an address in a particular domain such as ".com." The DNS translates Web site names, such as www.idg.com into a numerical IP (Internet Protocol) address, which is used by computers to find a Web site.
Transitioning to DNSSEC can be difficult and expensive, although open-source developers have created a toolkit, called OpenDNSSEC, to ease the transition. Nominet, which is using the software, helped develop it along with other entities such as NLnet Labs and SIDN, the ".nl" registry, McCalla said.
"We've had to invest quite a bit of time and effort in getting this right," McCalla said. "We've invested a lot in the OpenDNSSEC software."
Nominet will begin signing ".co.uk" -- comprising more than 8 million Web sites -- later this year, working with any entity that operates a nameserver, as their software will have to be upgraded for DNSSEC.
So far, other entities have been slow to upgrade. McCalla said many appear to be waiting for the root zone to be signed. "I expect we will see a much greater awareness this year," he said.
- Bookmark this page
- Share this article
- Got more on this story? Email TechWorld
- Follow TechWorld on twitter
-
Dymocks taps Android for e-book, tablet move
-
Droid Razr Maxx: An Android smartphone for big talkers
-
Lenovo ordered to pay €1920 for making French laptop buyer pay for Windows too
-
Wikileaks suspect to face US court-martial
-
Wikileaks suspect to face US court-martial
-
Teach Yourself Visually Windows 7
-
Windows 7 for Seniors for Dummies®
-
Microsoft Office
-
Excel 2007 All-In-One Desk Reference for Dummies
-
Windows 7 for Dummies®
-
Office 2007 for Dummies
-
Office 2007 All-In-One Desk Reference for Dummies
-
Computers for Seniors for Dummies, 2nd Edition
-
MYOB Software for Dummies 6E Australian Edition
Get exclusive access to Techworld news, reports & analysis. 
Comments
CISO
DNS Security in Organizations networks
Admins at a big orgs should scan their networks now, make sure their DNS servers are responding well, and make sure they do NOT answer to anyone at the world,
want to know why it's important? read here:
http://sites.google.com/site/dnslocator/
you might find name servers you were not aware to their existence in your farm!
Post new comment