The Public Interest Registry will add an extra layer of security known as DNS Security Extensions (DNSSEC) to the .org domain in June -- a move that will protect millions of non-profit organizations and their donors from hacking attacks known as cache poisoning.
In a cache poisoning attack, traffic is redirected from a legitimate Web site to a fake one without the Web site operator or end user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
DNSSEC is an emerging Internet standard that prevents cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
The Public Interest Registry announced Thursday that it will support DNSSEC for first- and second-level .org domain names. With nearly 8 million registered domain names, the .org domain is one of the Internet's largest generic top-level domains to deploy DNSSEC.
"When we first announced last year the signing of our zone, we showed that DNSSEC was not a utopian vision, but that it was needed for the future of the Internet," says Alexa Raad, CEO of The Public Interest Registry. "Everything runs on DNS. If you believe that there are going to continue to be more and more applications that run on DNS, then you have to think about DNSSEC."
Raad expects operators of .org Web sites to rapidly deploy DNSSEC.
"There are credit unions that use .org…and there are non-profit organizations that are in fundraising and have been targets for attacks, some of them quite public," Raad says. DNSSEC "will allow our customers who require security to have it."
The Public Interest Registry and its back-end services provider Afilias have been testing DNSSEC since last summer. They are working with 10 registrars to sign DNS queries. Several high-profile Web sites including www.ietf.org run by the Internet Engineering Task Force and www.isoc.org run by the Internet Society are signing their domains as part of the .org domain's ongoing DNSSEC trial.
"There have not been any significant problems," says Jim Galvin, director of strategic partnerships and technical standards with Afilias. "Testing has done for us what it's supposed to do. We've been engaging with all of the parties in terms of deploying DNSSEC and ensuring that it's ready for the broader community."
DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .org and other top-level domains, down to the servers that cache content for individual Web sites. All of these pieces must be in place for DNSSEC to protect an individual Web site.
The timing of .org's deployment of DNSSEC is ideal, given that the Internet's root zone will be signed on July 1.