Many of you know that I teach in the security and technology program at Drexel University in Philadelphia, Pa. When I heard that the University of Pennsylvania, a competing school in Philadelphia, was implementing DNSSEC, I was a bit jealous. The university is implementing the technology as part of an Internet2 and Educause early adopters program.
Never heard of DNSSEC? That's okay -- I placed a quick call to two of my friends/colleagues and they told me they hadn't either. Domain Name System Security Extensions (DNSSEC) is a set of extensions added to DNS to increase security. Specifically, it was designed to provide authenticated denial of existence, origin authentication of data, and data integrity.
What is interesting to note is that only the .ORG top-level domain has been officially signed. Back in June, we reported that the .ORG top-level domain is protected against DNS hijacking. There are millions of .ORG domains, but only a small percentage has been signed. The .COM and the .NET top-level domains that are controlled by VeriSign are not yet part of the DNSSEC early adopters program.
What I see as being the biggest advantage of DNSSEC is that digital signatures can be embedded into domain names to verify their authenticity. Think about it: No more cache poisoning attacks or copy-cat domain name attacks. Hopefully, many more organizations will join in the early adopters program or the technology will be deployed on a wider basis.