The Public Interest Registry (PIR), which is the .org domain's steward, today signed on to Domain Name System Security Extensions (DNSSEC).
The security extensions help stop spoofing attacks, in which cybercriminals set up a doppelganger Web site to defraud people of sensitive information, among other mayhem.
DNSSEC does this in three ways:
• Data Origin Authentication - assures that data is received from the authorized DNS server; can protect from impersonation attacks.
• Data Integrity - assures that data received matches data on the origin DNS server, and is not modified during transit; protects from man-in-the-middle type pollution attacks.
• Authenticated Denial of Existence - assures that a "Non-existent" response is valid.
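How a validating resolver can check the third guarantee, shown as an added example (not from PIR or the original article): it uses plain NSEC records, one of the mechanisms DNSSEC defines for authenticated denial, and assumes the signature on each NSEC record has already been verified. The example.org names are constructed sample data, and labels are assumed to be plain ASCII without escaped dots.

```python
# Added example: does a (signature-verified) NSEC record prove a name is absent?

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering.

    Labels are compared right to left (most significant label first) as
    lowercase byte strings; a name that runs out of labels sorts first.
    """
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return [label.encode("ascii") for label in reversed(labels)]


def nsec_covers(owner, next_name, qname):
    """True if the NSEC record owner -> next_name proves qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        # Ordinary gap: qname must fall strictly between the two names.
        return o < q < n
    # Last NSEC in the zone: next_name wraps around to the zone apex.
    # qname must be inside the zone and sort after the last owner name.
    return q[:len(n)] == n and q > o


def find_proof(nsec_chain, qname):
    """Return the (owner, next_name) pair that denies qname, or None."""
    for owner, next_name in nsec_chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None  # name exists, or lies outside the zone: no valid denial


# Constructed NSEC chain for a small signed zone (sample data).
CHAIN = [
    ("example.org.", "alpha.example.org."),
    ("alpha.example.org.", "delta.example.org."),
    ("delta.example.org.", "zulu.example.org."),
    ("zulu.example.org.", "example.org."),  # wraps back to the apex
]

if __name__ == "__main__":
    for q in ("beta.example.org.", "a.delta.example.org.",
              "Delta.Example.ORG.", "zzz.example.org."):
        print(q, "->", find_proof(CHAIN, q))
```

A "Non-existent" response is only accepted when some signed record in the chain covers the queried name; a name that actually exists is never covered, so a forged denial for it cannot be backed by a valid record.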
According to PIR's blog, signing onto DNSSEC means:
We are now cryptographically signing the authoritative data within the .ORG zone file. This process adds new records to the zone, which allows verification of the origin authenticity and integrity of data. In addition to zone signing, key maintenance will also be tested to include key generation, storage, and rollover. The final component of this initial test phase will be to sign domain names. We will test domain names in a controlled environment, starting first with a small set of names in which we will manually insert DS records into the zone. The focus of this first phase is proper testing to mitigate risks and capture lessons learned to share industry wide.
The security boost, however, isn't expected to fortify customers using the .org top-level domain until 2010.
"I don't expect it to be this calendar year," Alexa Raad, CEO of PIR, told Network World. "This is about learning and sharing our learning with industry."
According to Network World, the U.S. government has already started to implement DNSSEC across its .gov domain this year.