DNS Security Extensions (DNSSEC) provides origin authentication and integrity
protection for Domain Name System (DNS) data, as well as a means of public key
distribution. These extensions do not provide confidentiality. DNSSEC is now an
Internet standard, referenced in Internet Engineering Task Force (IETF)
Requests for Comments (RFCs) 4033, 4034 and 4035. IETF is an international,
voluntary body consisting of network designers, engineers, researchers and
vendors who work together to address and resolve technical and operational
problems on the Internet and develop Internet standards and protocols that
become RFCs.
Domain names work because every Web site and other resource on the Internet has
a unique numeric code (called an IP address) that allows computers to locate
it. These numeric codes are tied to easy-to-use word-based identifiers, such as
www.example.org. When a user types www.example.org into a computer that is
hooked up to the Internet, the local machine "looks up" the associated numeric
(or IP) address, and the user goes directly to the correct site. (For more on
the complicated lookups that occur behind the scenes, go to "How It Works:
Untangling the Web.")
In today’s DNS system, however, the lookup of www.example.org can be spoofed,
leading the user to a completely different domain, and the user cannot do
anything about it. If, however, the domain is signed using DNSSEC, such
spoofing would not be possible; the .ORG registry, the "www.example.org" site
and the requesting user’s system would check the zone signature to ensure that
it is indeed authentic.
Because access to each domain is always preceded by validation that the IP
address mapping is accurate, the chances of spoofed Web pages and spoofed
e-mails are significantly lowered.
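The check described above, where the registry, the site's zone and the requesting user's resolver each verify signatures, can be sketched as a runnable model. This is an added example, not code from PIR or from the page: it models the DNSSEC chain of trust (a trust anchor for the root, DS records in each parent vouching for the child's DNSKEY, and an RRSIG on every record set) using a toy textbook-RSA signer over constructed small primes and constructed zone data (the zone names, the 192.0.2.1 and 198.51.100.9 addresses). Real DNSSEC uses 2048-bit RSA or ECDSA keys, canonical wire format, key tags and signature validity windows, none of which are modelled here.

```python
import hashlib
import math
from dataclasses import dataclass, field

# Constructed primes (not from any real key). Textbook RSA over ~60-bit moduli stands
# in for the 2048-bit RSA / ECDSA keys real DNSSEC zones use; only signing is modelled.
PRIME_PAIRS = [(1000000007, 998244353), (1000000009, 1000000021), (1000000033, 1000000087)]


def make_key(p, q):
    """Return ((n, e), d): public modulus/exponent and private exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), pow(e, -1, phi)


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv_d, pub, data):
    n, _ = pub
    return pow(digest(data, n), priv_d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def rr_bytes(owner, rtype, rdata):
    """Canonical form of an RRset: the bytes an RRSIG covers."""
    return f"{owner} {rtype} {rdata}".encode()


def dnskey_rdata(pub):
    return f"{pub[0]}:{pub[1]}"


def ds_of(pub):
    """DS record: a hash of the child's public key, published and signed by the parent."""
    return hashlib.sha256(dnskey_rdata(pub).encode()).hexdigest()


@dataclass
class Zone:
    name: str
    pub: tuple
    priv: int
    records: dict = field(default_factory=dict)  # (owner, type) -> (rdata, rrsig)

    def publish(self, owner, rtype, rdata):
        sig = sign(self.priv, self.pub, rr_bytes(owner, rtype, rdata))
        self.records[(owner, rtype)] = (rdata, sig)


def build_chain():
    """Root -> org. -> example.org.; each zone signs its own DNSKEY and its child's DS."""
    names = [".", "org.", "example.org."]
    zones = [Zone(name, *make_key(p, q)) for name, (p, q) in zip(names, PRIME_PAIRS)]
    for z in zones:
        z.publish(z.name, "DNSKEY", dnskey_rdata(z.pub))
    for parent, child in zip(zones, zones[1:]):
        parent.publish(child.name, "DS", ds_of(child.pub))
    zones[-1].publish("www.example.org.", "A", "192.0.2.1")  # constructed address
    return zones, ds_of(zones[0].pub)  # second value: the resolver's configured trust anchor


def validate(zones, trust_anchor, qname, qtype):
    """Resolver-side check: at every level the DNSKEY must match the DS above it and
    every RRset must carry a valid RRSIG. Returns (ok, rdata_or_reason)."""
    expected_ds = trust_anchor
    for depth, zone in enumerate(zones):
        dnskey, sig = zone.records[(zone.name, "DNSKEY")]
        pub = tuple(int(x) for x in dnskey.split(":"))
        if ds_of(pub) != expected_ds:
            return False, f"{zone.name}: DNSKEY does not match DS from parent"
        if not verify(pub, rr_bytes(zone.name, "DNSKEY", dnskey), sig):
            return False, f"{zone.name}: DNSKEY RRSIG invalid"
        if depth == len(zones) - 1:
            rdata, sig = zone.records[(qname, qtype)]
            if not verify(pub, rr_bytes(qname, qtype, rdata), sig):
                return False, f"{qname}: {qtype} RRSIG invalid"
            return True, rdata
        child = zones[depth + 1]
        ds, sig = zone.records[(child.name, "DS")]
        if not verify(pub, rr_bytes(child.name, "DS", ds), sig):
            return False, f"{child.name}: DS RRSIG invalid"
        expected_ds = ds
    return False, "empty chain"


def demo():
    """Honest answer validates; an answer with altered rdata, or one re-signed with a
    key the parent never vouched for, is rejected. Returns the three outcomes."""
    zones, anchor = build_chain()
    honest = validate(zones, anchor, "www.example.org.", "A")

    altered_zones = build_chain()[0]
    _, old_sig = altered_zones[-1].records[("www.example.org.", "A")]
    altered_zones[-1].records[("www.example.org.", "A")] = ("198.51.100.9", old_sig)
    altered = validate(altered_zones, anchor, "www.example.org.", "A")

    rogue_zones = build_chain()[0]
    rogue = Zone("example.org.", *make_key(1000000093, 1000000009))  # key unknown to org.
    rogue.publish(rogue.name, "DNSKEY", dnskey_rdata(rogue.pub))
    rogue.publish("www.example.org.", "A", "198.51.100.9")
    rogue_zones[-1] = rogue
    resigned = validate(rogue_zones, anchor, "www.example.org.", "A")
    return honest, altered, resigned


if __name__ == "__main__":
    for label, outcome in zip(("honest", "altered", "resigned"), demo()):
        print(label, outcome)
```

The two failure cases show why the design needs both pieces: the RRSIG catches a record changed in transit, and the DS link from the parent is what stops an attacker from simply signing the forged answer with a key of their own. A resolver that has no trust anchor configured, or that does not perform this walk, gains nothing from the zone being signed.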
Critics of DNSSEC assert that the new lookup sequences between servers and
clients will drastically increase the total amount of traffic and overrun
entire parts of the Internet. They also say that in developing nations, such
increases in traffic are prohibitively expensive; in addition, with more
lookups on slower connections, the chances of the lookup failing or timing out
are higher, which would result in a poor end-user experience. Various testbed
efforts are under way around the world to gather data that will more completely
reveal the effects of deploying this technology. Methods to mitigate a number
of these criticisms are under active discussion, and some are already deployed.
In addition, the implementation challenges for DNSSEC are not trivial. Success
depends on sufficient interest, capital outlay and the integration of DNSSEC
support in DNS resolvers all over the world.
PIR is an active participant in efforts worldwide to understand the
implementation challenges and is involved in various ongoing DNSSEC design and
deployment initiatives, including ICANN forums and registrar and ISP outreach.
As the registry that operates in the public's interest, PIR is involved in
these initiatives because DNSSEC is currently the only known way to make
absolutely certain that the Web site you navigate to is actually the real Web
site or that the e-mail you are receiving is actually coming from the address
it claims to come from. Appropriate deployment of DNSSEC may relieve the
modern-day menaces of phishing, Web site spoofing, and to some extent, even spam
and online-identity theft.
PIR believes that protecting the integrity of DNS data and ensuring that the
origin of DNS information is authentic are difficult but essential goals to the
overall security and longevity of the Internet.
More technical information can be found at dnssec.net and at
dnssec-deployment.org.