DNSSEC for .au at least a year off

United States domain registrar Go Daddy spent the last 12 months bracing for the new Domain Name System Security Extensions (DNSSEC) specification, but it will be at least a year until it is available in Australia.
Written by Darren Pauli, Contributor

DNSSEC, which late last month went live for .com domains, is hailed as a means to improve information security on the internet.

It works by using public-key cryptography to digitally sign the records that map domain names to their corresponding IP addresses. Computers can then identify forged DNS responses because they will not match the signatures.

This will prevent exploits such as DNS cache poisoning attacks, which are used to silently point users to malicious websites, and possibly also the legitimate redirections that web content filters use to block access to sites.
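How a client sees the outcome of that signature check, as an added example that is not part of the original article: the parser below reads a raw DNS response and reports whether the resolver marked it as validated (AD flag), rejected it (SERVFAIL), or passed signatures along without validating them. The function names, the `example.com` responses and the placeholder signature bytes are constructed for illustration.

```python
import struct

AD = 0x0020      # Authenticated Data flag: the resolver validated the signatures
SERVFAIL = 2     # returned by a validating resolver when signatures fail (and for other errors)
RRSIG = 46       # record type that carries a DNSSEC signature

def skip_name(msg, off):
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # a 2-byte pointer always ends the name
            return off + 2
        off += 1 + n
        if n == 0:                    # zero-length root label ends the name
            return off

def dnssec_status(msg):
    """Classify a raw DNS response by what it says about DNSSEC validation."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):               # question: name + type + class
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):               # answer: name, type, class, TTL, rdlength, rdata
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    if flags & 0x000F == SERVFAIL:
        return "servfail"
    if flags & AD:
        return "validated"
    return "signed-not-validated" if RRSIG in types else "unsigned"

def sample(flags, records):
    """Build a constructed response for example.com (not captured traffic)."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                       for t, rd in records)
    return struct.pack("!6H", 0x1234, flags, 1, len(records), 0, 0) + question + answers

A_RR = (1, bytes([192, 0, 2, 10]))    # A record with a documentation address
SIG_RR = (RRSIG, b"\x00" * 32)        # placeholder rdata, not a real signature
if __name__ == "__main__":
    for flags, rrs in [(0x8180, [A_RR]), (0x81A0, [A_RR, SIG_RR]),
                       (0x8180, [A_RR, SIG_RR]), (0x8182, [])]:
        print(hex(flags), len(rrs), "->", dnssec_status(sample(flags, rrs)))
```

The AD flag is only as trustworthy as the path to the resolver that set it, so rely on it only from a resolver you run yourself or reach over a protected channel.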

Awareness of DNSSEC is low, but there are still Australians eager to adopt the service for .au domains. Unfortunately, they will likely have to wait until 2012 at the earliest, according to the Australian Domain Name Administrator auDA, which has to give the specification a tick before it can be activated for Australian websites.

"We are in the final stages of DNSSEC testing for .au," chief executive officer Chris Disspain told ZDNet Australia, adding that the remaining testing will likely take about a year.

Only a handful of Australian domain registrars are serving DNSSEC for the two dozen top-level domains like .com, .edu and .org that are already certified.

Australia's largest, Melbourne IT, said that it will offer DNSSEC for .au as soon as it is cleared.

"We are good to go when auDA comes out with it," said chief strategy officer Dr Bruce Tonkin.

Yet even if registrars are willing to offer DNSSEC, website owners will still need to opt for it and pay a fee for the privilege. This will be a tough sell given that most people are either not aware of DNSSEC or just consider it boring. This situation is exacerbated by an inconvenient sign-up method where website owners have to ring registrars and can't just opt in online, something that Tonkin said was uniform across the industry.

Because of these issues, Melbourne IT has seen minuscule take-up of the service.

To push people to buy DNSSEC, Tonkin says registrars including Melbourne IT will need to automate the sign-up and promote the service.

"Because there is very little use of DNSSEC, most registrars don't have an automated interface — you can't just log in and enter the digital signature and the registrar will look after it."

Tonkin said that the fee to adopt DNSSEC will at some point be absorbed as part of the price of opening a domain once the specification becomes a commodity.
