Protection of UK Internet users is a key strategic priority for Nominet and we are committed to ensuring that .uk remains a safe and trusted space.

As part of this strategy we invest significant resources in securing the Domain Name System (DNS) and we are heavily involved in the definition of standards and the promotion of Domain Name System security extensions (DNSSEC).  This is achieved by working with organisations, such as the Internet Engineering Task Force (IETF); DNS Operations, Analysis, and Research Center (DNS-OARC); Internet Corporation for Assigned Names and Numbers (ICANN) and the Registration Infrastructure Security Group (RISG).  We are authors of several IETF standards on DNS and DNSSEC, and have authored reports for the ICANN Security and Stability Advisory Committee.

Open source tools to make DNSSEC implementation easier

In collaboration with other industry leaders, Nominet has played a significant part in developing OpenDNSSEC, a piece of open source software that automates the implementation of DNSSEC, making it easier for registrars to deploy. We also fund and work on projects such as the development of BIND, the leading DNS software application, which is also capable of deploying DNSSEC.  This ensures that not only are .uk's systems protected, but that registrars are able to offer DNSSEC solutions to their clients and other registries are able to secure their own domains, creating a more secure global DNS infrastructure.

DNSSEC: signing the .uk zone

A significant step forward in this strategy took place in March, when we added DNSSEC information to the .uk Top Level Domain. DNSSEC uses public-key cryptography and digital signatures to prove that the information received in response to a DNS query came from the nameserver to which the query was directed and was not modified in transit. This prevents hackers from tricking consumers’ computers into accepting false information, re-directing them to spoof web sites where they might be duped into revealing sensitive information. DNSSEC can also help prevent the redirection and interception of email, which can be harder to detect than a spoof web site.

This is a significant step for Nominet and an important statement internationally that we are committed to furthering DNS Security around the world. Once the root zone of the Domain Name System (the top-level zone of the whole DNS hierarchy) is fully signed in July this year, we should see a significant take-up by both other registries and registrars as they implement DNSSEC.

Now that we have completed our first phase of DNSSEC deployment by putting full keys into the UK zone, any of the external second level domains (ac.uk, gov.uk etc) can start to implement DNSSEC to further secure their zones and the domains within.

Work on securing our own second level domains (.co.uk, .me.uk etc) is ongoing.  Owing to the way we manage these zones – using dynamic updates to ensure that the time taken to publish changes to the zone is a minimum - this will be a more complex project. We are aiming towards signing .co.uk in the early part of 2011.

DNSSEC: spreading the word

The signing of co.uk will also involve a significant UK awareness and marketing campaign aimed at explaining DNSSEC and its benefits.  A first step towards that campaign took place on 29 March with the event “Securing the Domain Name System?.  Jointly organised with Infoblox, this had as keynote speaker Cricket Liu, author of the landmark O’Reilly book “DNS and Bind?.  Ably supported by members of Nominet’s Advanced Projects Team, the event featured a series of talks on aspects of DNSSEC, ending up with a description of the process involved in signing .uk,  followed by a tour of Nominet’s offices in the afternoon.

You can read more information about the event here.

What's next?

We will be organising more events on DNSSEC for our registrars, to introduce them to the implications and opportunities of this new technology. We will keep you posted of further events and other DNSSEC news via our web site and this newsletter.

Read other stories