S'pore facility to secure country top-level domains

update Singapore one of three locations globally to cryptographically sign country-code top-level domains using DNSSEC protocol, which promises greater assurance of Web site authenticity for Net users.
Written by Vivian Yeo, Contributor

update SINGAPORE--The Internet Corporation for Assigned Names and Numbers (ICANN) unveiled Wednesday the first of three new cybersecurity facilities that will provide secure digital signatures based on the DNSSEC (Domain Name System Security Extensions) for country-code top-level domains (ccTLDs).

Located within the National University of Singapore, the facility is managed by non-profit organization, Packet Clearing House (PCH), and boasts the same physical, network and procedural security used by ICANN for signing the root servers. The other two facilities are located in Zurich, Switzerland and San Jose, Calif.

Speaking at a media briefing, Jeff Moss, chief security officer at ICANN, said 70 countries, to date, have adopted the DNSSEC protocol. Cryptographic master keys for another 14 countries were created on Monday as part of ICANN's 41st Public Meeting held in the city-state.

ICANN expects the vast majority of ccTLD zones to be signed by year-end .

According to Moss, prior to DNSSEC, queries to the Internet's addressing system were done over "mostly insecure protocol", with no guarantee "the answer you get is the answer you expected". With cryptographic signing, Internet users will be able to have a much higher level of confidence, resulting in a stronger trust of the Internet that could enable "new things not possible before", he said.

Bill Woodcock, research director at PCH, noted that users of PCH's service are national governments and "often have little reason to trust each other". The three countries where the facilities are located were chosen because they were "not particularly aligned with each other and...relatively trusted by many countries", he added.

The model also allows little room for countries to tamper with the system. Woodcock explained: "Every time a signature is done, it is compared between the different locations. If any location does not agree with the others, we show an error [and] we publish the fact that there was a difference--that's made public for the world to see."

All three premises are identical--hardened facilities with five levels of physical security surrounding a set of cryptography keys held on behalf of the 14 countries, he noted. The responsibility for physical and cryptographic security is divided between two teams.

Overall costs for a facility of this nature would have amounted to "several million of dollars", said Woodcock, with a significant amount going to space rental. Hosts for the three facilities--NUS, SWITCH in Switzerland and Equinix in the United States--donated the floor space to PCH.

The cost of setting aside the space for the Singapore facility was about S$20,000 (US$16,130), revealed Tommy Hor, director of the NUS Computer Center.

Work is still ongoing for the facilities, according to Woodcock, where the physical security setup for the Singapore and San Jose facilities will be completed in August and September, respectively. The Zurich facility is still under construction and will be fully operational in October.

Editorial standards