Afilias, which operates .info and more than a dozen other Web site extensions, will announce on Monday plans to deploy an emerging standard known as DNSSEC that adds a layer of encryption to the Internet's Domain Name System.
Afilias will deploy DNS Security Extensions (DNSSEC) on 13 of the domains it operates -- including .info, India's .in and the Hong Kong-based .asia -- by the end of the year. DNSSEC prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
"Afilias supports more different top-level domains across the Internet than any other provider," says Roland LaPlante, senior vice president and chief marketing officer for Afilias."When we start making a move and start expanding the use of DNSSEC, it really makes quite a big difference on the Internet."
The Internet's root servers began supporting DNSSEC on July 15.
Since then, 26 top-level domains -- including .org for non-profits and .edu for universities -- have begun digitally signing DNS look-ups with DNSSEC.
"Afilias supporting DNSSEC is a pretty big increase in the number of top-level domains that support DNSSEC," LaPlante adds.In order to be effective, DNSSEC must be deployed across the entire Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.
Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
Next, Afilias will roll out DNSSEC for the following domains before the end of the year: Mongolia's .mn; Seychelles' .sc; Honduras' .hn; Belize's .bz ; Antigua and Barbuda's .ag; St. Lucia's .lc ; St. Vincent and the Grenadines' .vc ; Gibralter's .gi; and Montenegro's .me. Afilias also will support DNSSEC for .aero, a Web site name extension restricted to the aviation industry.
Afilias already helped the Public Interest Registry add DNSSEC support to .org.
"We learned a lot from the .org DNSSEC deployment experience," says Ram Mohan, executive vice president and CTO for Afilias. "When you digitally sign a zone, the size of the zone increases. The size and type of queries that you get increase quite a bit. There are all sorts of infrastructure changes that you have to accommodate on the back end, but the end user doesn't really see that much of a change."
Afilias says it has spent several million dollars upgrading its DNS software -- it runs both the BIND and NSD open source offerings -- as well as adding server capacity to support DNSSEC.
"It's been a multi-million dollar effort on our part," Mohan says. "If you look at the DNSSEC deployment since 2006-2007, all of the DNS infrastructure upgrades, the software, the energy and the time, and you add them all up, it's many millions of dollars…I think we're going to recoup that cost in attracting customers who want to have a dot-info name that is signed."
Afilias also is touting its DNSSEC experience as it markets itself to be the back-end registry operator for hundreds of new top-level domains such as .nyc for New York City and .ibm for IBM Corp. that the Internet Corporation for Assigned Names and Numbers, a policymaking body that oversees the Internet's DNS, plans to support next year.
"For the next round of new top-level domains, ICANN is requiring all registries to be DNSSEC signed from the start," Mohan says. "When we talk to corporations about bringing up a new top-level domain, one of the things that has them liking us over others is that we have four to five years of design, deployment and practical experience doing DNSSEC."
The Afilias announcement is another indicator that DNSSEC is gathering momentum across the Internet now that the root zone is signed.
The U.S. federal government is migrating all .gov Web sites to support DNSSEC, and that effort got a boost in early August when popular content delivery network provider Akamai announced that it was supporting the standard.
Another significant milestone for DNSSEC will occur in December, when VeriSign supports DNSSEC in .net. But the biggest boon for DNSSEC will occur next March, when VeriSign adds this extra layer of protection to the more than 80 million registered .com names.
One potential stumbling block for DNSSEC deployment is that some domain name registrars are lagging in their support of the security standard. Among the U.S. registrars that are leading the charge towards DNSSEC are GoDaddy, Dyn Inc. and NamesBeyond.
In a recent survey of domain name registrars, Afilias found that while 80% believed that DNSSEC was a good idea, only 69% had plans to offer DNSSEC services in 2011 or beyond. Registrars said they were waiting for their customers to demand the service, with 29% saying that a lack of user demand was their top concern regarding DNSSEC deployment.
"Cost does not seem to be much of a factor for registrars," Mohan says. "They want enough time to roll DNSSEC out in a prepared and managed way, and they seem to want it to be market driven. They want to hear their big customers demand it."
Despite these issues, Afilias is urging CIOs and other IT executives to prepare to deploy DNSSEC on the Web sites that they operate.
DNSSEC "is the single largest security upgrade of the core DNS, of the core of the Internet, ever," Mohan says. "It's happening right now at the network level, but in a short time, it will come up at your MIS level, and you have to be ready for it."
Read more about wide area network in Network World's Wide Area Network section.