We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,678 News Articles

Nominet rolls out DNS security protocol

DNSSEC stop hackers from redirecting web users

Nominet has begun implementing a security protocol designed to protect the DNS (Domain Name System).

According to the UK's domain name registry, DNS Security Extensions (DNSSEC), uses public key cryptography to digitally 'sign' the DNS records for websites.

It is designed to stop attacks such as cache poisoning, where a DNS server is hacked, making it possible for a user to type in the correct website name but be directed to a fake site.

In 2008, security researcher Dan Kaminsky showed it was possible to poison a cache in just a few seconds with a special kind of attack. Almost every organisation running a DNS server have deployed a patch, but DNSSEC is a long-term fix.

Nominet will start signing the '.uk' top-level domain this week, a process which will conclude a week later, said Simon McCalla, director of IT at the registry.

Interestingly, there are just a little over a dozen websites that use '.uk' since a decision was made more than a decade ago to close off registrations, he said.

Much more common are second-level domains, such as '.co.uk' and '.org.uk', among others.

However, signing the '.uk' zone is crucial to building the so-called "chains of trust" required for full DNSSEC implementation, McCalla said.

Cryptographic keys used to sign websites in different zones are validated by other zones.

That signing culminates at the 'root zone', or the 13 authoritative nameservers located around the world that contain the master list of where computers can go to look up an address in a particular domain such as '.com'.

The DNS translates website names into a numerical IP (Internet Protocol) address, which is used by computers to find a website.

Transitioning to DNSSEC can be difficult and expensive, although open-source developers have created a toolkit, called OpenDNSSEC, to ease the transition.

Nominet, which is using the software, helped develop it along with other entities such as NLnet Labs and SIDN, the '.nl' registry, McCalla said.

"We've had to invest quite a bit of time and effort in getting this right," McCalla said. "We've invested a lot in the OpenDNSSEC software."

Nominet will begin signing '.co.uk' - comprising more than 8 million websites - later this year, working with any entity that operates a nameserver, as their software will have to be upgraded for DNSSEC.

So far, other entities have been slow to upgrade. McCalla said many appear to be waiting for the root zone to be signed. "I expect we will see a much greater awareness this year," he said.

See also: Security group converges to fight internet abuse


IDG UK Sites

LG G Watch review: Android Wear smartwatch is the best around, so far

IDG UK Sites

How to join Apple's OS X Beta Seed Program: Get OS X Yosemite on your Mac before public release

IDG UK Sites

Why the BBC iPlayer outage was caused by a DDoS attack: Topsy and Tim isn't *that* popular

IDG UK Sites

See Glasgow 2014 in UHD as history is made