The UK's domain registry Nominet, is set to implement DNS Security Extensions (DNSSEC), a security protocol designed to protect the DNS (Domain Name System).
DNSSEC uses public key cryptography to digitally "sign" the DNS records for websites. It is designed to stop attacks such as cache poisoning, where a DNS server is hacked, making it possible for a user to type in the correct website name but be directed to a fake website.
In 2008, security researcher Dan Kaminsky showed it was possible to poison a cache in just a few seconds with a special kind of attack. Almost every organisation running a DNS server have deployed a patch, but DNSSEC is a long-term fix.
Nominet will begin signing the ".uk" top-level domain later today, a process which will conclude a week later, said Simon McCalla, director of IT at the registry.
Interestingly, there are just a little over a dozen websites that use ".uk" since a decision was made more than a decade ago to close off registrations, he said. Much more common are second-level domains, such as ".co.uk" and ".org.uk," among others.
However, signing the ".uk" zone is crucial to building the so-called "chains of trust" required for full DNSSEC implementation, McCalla said. Cryptographic keys used to sign websites in different zones are validated by other zones.
That signing culminates at the "root zone," or the 13 authoritative nameservers located around the world that contain the master list of where computers can go to look up an address in a particular domain such as ".com." The DNS translates Web site names, such as www.idg.com into a numerical IP (Internet Protocol) address, which is used by computers to find a Web site.
Transitioning to DNSSEC can be difficult and expensive, although open-source developers have created a toolkit, called OpenDNSSEC, to ease the transition. Nominet, which is using the software, helped develop it along with other entities such as NLnet Labs and SIDN, the ".nl" registry, McCalla said.
"We've had to invest quite a bit of time and effort in getting this right," McCalla said. "We've invested a lot in the OpenDNSSEC software."
Nominet will begin signing ".co.uk" - comprising more than 8 million websites - later this year, working with any entity that operates a nameserver, as their software will have to be upgraded for DNSSEC.
So far, other entities have been slow to upgrade to DNSSEC. McCalla said many appear to be waiting for the root zone to be signed. "I expect we will see a much greater awareness this year," he said.