The Public Interest Registry (PIR), operators of the .ORG TLD, have issued a 90-day notice to registrars informing them that the plans to roll out DNSSEC on .ORG domains are moving forward as planned and will be complete by June 30, 2010.
The push by PIR to introduce DNSSEC to .ORG will make them the first generic TLD (top-level domain) to deploy the security measure. On Wednesday, PIR said in a statement that they will start accepting signed second-level .ORG zones in June, the final step before the process is fully complete.
DNSSEC will help mitigate attacks such as cache poisoning, where traffic is directed by an attacker from one site to another without anyone being the wiser. This type of attack was made famous by Dan Kaminsky in 2008. DNSSEC helps with this because it will allow the DNS records and IP addresses of Web sites to be verified with digital signatures and public-key cryptography.
DNSSEC testing for PIR started in 2008, a phase of testing that PIR called “friends and family” when The Tech Herald spoke to them last month for a general overview of .ORG and DNSSEC. The phase, PIR said, helped them not only test DNSSEC itself but also get over some challenges related to zone management, as well as rollover.
PIR has had some interesting times since they won re-delegation of 2.7 million .ORG domains from ICANN in 2002. During our conference call with three of PIR’s executives, Lauren Price, Thuy LeDinh, and Lance Wolak, we learned that .ORG is more than the generic add-on domain name picked when someone chooses a domain name. PIR has moved to shape .ORG into the go-to TLD when starting a community-based initiative or not-for-profit organization.
From 1985 to 2002, .ORG domains accounted for 2.7 million domains online. After PIR won the ICANN contract, they have helped boost .ORG to over 8 million domains, reporting an 11-percent growth in Q1 2009. With the addition of DNSSEC, they expect the offering will entice organizations and community-based sites to rely on them for not just the brand itself, but for a little peace of mind as well.
However, we asked why .ORG has gained momentum, considering that for the most part the TLD is still seen as an add-on when purchasing a .COM or .NET domain. “Hard for us to say, but we were obviously a byproduct of the Internet boom,” LeDinh commented.
LeDinh and Price added that in addition to brand protection, they are seeing more and more businesses use the .ORG TLD to offer a central location for charitable causes and foundations, not to mention that two well-known sites are parked squarely on .ORG – wikipedia.org and craigslist.org – both of which will benefit from DNSSEC if they opt to use it.
We asked MarkMonitor for any data on businesses that purchase .ORG domains for brand protection, and the answer from Frederick Felman, the Chief Marketing Officer for MarkMonitor, mirrored PIR’s. “Many large rights holders register their core brands in .org, not only to protect them from squatters, but also to reserve them for potential future use,” Felman said.
Price explained to us that for the most part, they see a range of clients utilizing .ORG for things such as the previously mentioned charity presence or not-for-profit, but also educational, arts, cultural, and sports-related organizations as well. There is an added bonus of investment, if you consider that poker.org sold recently for over one million dollars. Before that, engineering.org sold for $198,000 USD.
While PIR will have DNSSEC online by the end of June, VeriSign is reporting that barring any unforeseen issues, the .EDU, .NET, and .COM TLDs will get DNSSEC by 2011. The plan is to have root servers signed in July, and from there VeriSign will work with organizations to sign .EDU domains by the second quarter of 2010, .NET by fourth quarter 2010, and .COM by first quarter 2011.
Overall, PIR told us, adoption of DNSSEC is moving along nicely, noting that for it to work, it needs to be an industry-wide effort, an all-or-nothing effort if you will. They also gave kudos to Comcast for their plan to deploy DNSSEC, adding that their efforts might encourage other ISPs to do the same.
In February, Comcast said that they plan to implement DNSSEC for the domains that they manage (comcast.net, comcast.com, and xfinity.com) by Q1 2011 or, with luck, maybe even sooner than that. They also offered customers a chance to take part in their DNSSEC trial by changing their DNS settings to 220.127.116.11 and 18.104.22.168.
Comcast’s announcement, as well as PIR’s own announcement regarding DNSSEC implementation, is an “important signal,” said Alexa Raad, PIR’s CEO, in a statement, “…not only for application providers, ISPs, and Telcos, but also for registrars to begin planning for their implementation now.”
While DNSSEC will certainly help mitigate some vectors of attack, such as cache poisoning, it is by no means a silver bullet. However, with PIR kicking off their own deployment, and VeriSign wrapping things up, DNS-based attacks will get harder to pull off, and that’s good news for everyone.
PIR has more information, not just on their DNSSEC implementation, but also reports and data from other sources such as Nominet, and a tutorial on DNSSEC from NLnet Labs. Head here for more details.