Several European domain name registries, as well as registries on every continent, have enabled DNSSEC (Domain Name System Security Extensions), while several more are planning to enable the security feature in the coming months.
DNSSEC was designed to protect the internet from certain attacks, such as DNS cache poisoning, and came about as the original design of the DNS did not include security, an issue that has become more important in recent years.
The security protocol was designed by the Internet Engineering Task Force, and according to DNSSEC.net it is a set of extensions to the DNS that provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence. However, it does not deal with availability of the DNS or confidentiality of data.
The benefits to the internet user include, as the Public Interest Registry (PIR) explains, the ability to thwart the increasing predominance of attacks like pharming, cache poisoning, and DNS redirection that have been used to commit fraud, distribute malware, and/or commit identity theft. DNSSEC is an upgrade to the internet infrastructure and protects internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.
The added security for internet users allows for a more secure internet, which is especially important for banks and other financial services providers, for example.
As attacks on the domain name system become more prevalent, it is becoming more important to enable DNSSEC. Attacks can include DDoS (distributed denial of service) attacks on company websites or even attacks on vital internet links, such as registrars or registries. Such attacks can cause huge problems, including financial ones, leading to websites being down for extended periods.
In Europe, one of the domain name registries to have enabled DNSSEC was SWITCH, the registry for .CH (Switzerland) and .LI (Liechtenstein). SWITCH enabled DNSSEC in a public ceremony at the Domain Pulse conference in Luzern in February this year.
The world’s largest country code registry, DENIC (.DE, Germany), have said they are on schedule to prepare a test bed for registrars and this phase will run until 2011, according to Sabine Dolderer, the company’s CEO. Meanwhile, nic.at (.AT, Austria) will not be introducing DNSSEC in 2010. Richard Wein, CEO of nic.at, believes there is not yet the demand or the market for it in .AT. However, they will be watching developments elsewhere and will be preparing for DNSSEC internally to have it ready for deployment when there is a demand.
Of the gTLD registries, the registry for .ORG, PIR, is likely to be the first to enable DNSSEC. It plans to enable DNSSEC in June, while ICANN plans to have all root servers signed with DNSSEC by mid-2010.
Others to have enabled DNSSEC are .PT (Portugal), .SE (Sweden) and .CZ (Czech Republic).