The number of top-level domains on the Internet is set to increase dramatically over the next few years. Today's familiar .com, .org and .info addresses are going to be supplemented with dozens or hundreds of new extensions such as .blog, .sport, .london, .music and .gay. This rapid expansion will happen under the new generic top-level domain (gTLD) program launched by ICANN, the non-profit organization that oversees the Domain Name System (DNS). The ability of any company to apply for a new “dot.anything” or “dot.brand” gTLD is expected to bring increased consumer choice and technological innovation to the Internet's addressing systems. But will it also spur the adoption of enhanced Internet security? There are good reasons to believe it may, particularly within the addressing system itself.
ICANN's rulebook for prospective new gTLD managers, known as the Applicant Guidebook, contains a requirement to support Domain Name System Security Extensions (DNSSEC) as a mandatory condition of every new gTLD application. Today, whether to implement DNSSEC is a matter of choice for domain name registries. Companies such as VeriSign, which runs .com, and my own employer, Afilias, which runs .info, have already deployed the technology. For the gTLD managers of the future, though, it will be a matter of contractual compliance.
As I’ve previously discussed, DNSSEC is the next-generation domain name standard that brings the all-important element of trust to Internet addresses, something they have woefully lacked until now. A domain that is cryptographically signed using DNSSEC is protected against man-in-the-middle attacks that criminals could, for example, use to intercept Web transactions destined for a bank or e-commerce site. Like the DNS itself, the chain of trust is hierarchical, leading all the way up to the Internet root, or "trust anchor," which is signed by ICANN using a set of well-protected private keys.
Accelerating the roll-out
Today, the global DNSSEC deployment initiative is still young. There are currently more than 300 top-level domains on the Internet; most of them are country-code spaces such as .in and .uk. Only about 70 have fully deployed DNSSEC. The number of second-level domains (such as “example.com”) that have signed their zones is still very small.
But when ICANN’s gTLD program opens the doors for hundreds of new extensions, the number of registries could easily double within a couple of years, and every single new gTLD will be DNSSEC-enabled from the start. If the signing of .org in 2009 was the first watershed moment for DNSSEC deployment, the signing of the DNS root a year ago was the second, and the signing of .com this spring the third, then the rollout of new gTLDs over the coming two years will be the fourth.
The requirement for new gTLDs to offer DNSSEC will have the effect of compelling existing infrastructure providers to add the security protocol to their existing domain extensions. For example, country-code domain managers that do not already support DNSSEC may decide to apply for gTLDs that represent their nation's capital city or a region of the country with a distinct cultural identity. These extensions will likely be managed on the same registry infrastructure as the legacy ccTLD, which will have to be upgraded to support DNSSEC since registry operators who do not offer DNSSEC to their clients will not be allowed to support any new gTLD.
Secure online banking
While top-level DNSSEC will be mandatory for all new gTLD registries, individual domain registrants will be under no obligation to sign their own second-level domains. In other words, while an approved "dot.anything" registry will be contractually obliged to join the global chain of trust, its customer — the registrant of "example.anything" — will not necessarily also have to engage. But new registries will be able to set their own policies governing how registrations are made, and you can expect that some will choose to pass on their own DNSSEC obligation to their customers.
Some gTLD applicants will promise to adhere to a higher degree of security to appeal to their target customer bases. Take, for example, a ".bank" or ".broker" extension. Such a domain, if approved by ICANN, would very likely be restricted to known, identity-verified banks or brokers, in the way that the .museum and .aero domains are carefully restricted to museums and the aviation industry. Rather than simply enter an email address and credit card number, which is often the sole requirement for registering a .com domain, .bank registrants could be thoroughly vetted before being given their names. The registry operator could market the top-level domain as a secure address for online banking, safe from phishing or other types of cybercrime, with DNSSEC as an intrinsic component that — as application developers begin to support DNSSEC — could become an additional trust icon in browsers and other Internet applications.
|Read Ram's Other Featured Columns on Domain Security and More Here|
To raise awareness of the need for higher-security DNS among businesses, developers and regular Internet users, DNSSEC is in need of some high-profile early adopters. While this kind of support will be critical in the TLDs we have today, there are few DNSSEC awareness-raising vehicles better than a top-level domain designed and promoted with security in mind, and which prominently supports and encourages DNSSEC at the second level, on all registrants.
New gTLDs will not change the DNS security landscape overnight, but the fact that DNSSEC will be required of them is an important driver for the technology. It will push adoption among registry operators, encourage innovation at the application level, and provide the opportunity to create security-aware addressing schemes.