Internet registry Nominet has begun introducing DNS Security Extensions, or DNSSEC, a security protocol that should help protect the UK's domain-name system from malicious misdirections.
On Monday, the company began applying the protocol to the top-level .uk domain. DNSSEC, also known as encrypted DNS, uses digital signatures to guarantee to name servers that the DNS data they receive has not been intercepted or tampered with. In this way, it is meant to help stop hackers who try to redirect traffic from genuine websites to their own spoof websites.
"It's a very symbolic day for us. It shows we're very serious about this," Simon McCalla, director of IT for Nominet, told ZDNet UK. "It's a step towards creating a safer UK internet."
The registry has started the implementation on five of the 11 .uk name servers, which will be specially monitored for a week. The DNSSEC keys will be obscured during this time, and DNSSEC information will not be validated. On 8 March, if all goes according to plan, the obscured keys will be replaced by real keys, and the protocol will be rolled out to all the .uk name servers, Nominet said.
The .uk domain is used by organisations such as the armed forces, the police, universities and the government. While second-level domains are not included in this initial rollout, Nominet said it intends to bring in the eight million .co.uk domains in a separate project in early 2011. DNSSEC protection will be extended to .org.uk, .ltd.uk and .me.uk in the future, the company added.
Businesses do not need to take any direct action because of Nominet's DNSSEC rollout, McCalla said.
Without DNSSEC, it is possible for a hacker to use techniques such as cache poisoning to redirect traffic from a genuine site to their own fake site, although many organisations have deployed patches to stop such attacks. These attacks have existed for around a decade: one was demonstrated amid much publicity at the Black Hat conference in 2008 by researcher Dan Kaminsky.
While there have been no serious DNS-based incidents in the UK, one South American bank had been hit, McCalla said. "As e-commerce grows, this will be an area that people will try to exploit, so we want to fix it now," he said.
DNSSEC has been in development for years, having been bogged down by discussions at the standardisation body, the Internet Engineering Task Force.
The inventor of DNS, Paul Mockapetris, acknowledged the weaknesses of the system some time ago, saying more emphasis had been placed on getting it off the ground than building in security. He has recommended the implementation of DNSSEC.
The protocol has already been introduced for the top-level .org domain, and .com is expected to have it added in 2011.