The .ORG top level domain (TLD) recently received its DNSSEC signature, and now has the ability to provide integrity information about its underlying domains. This is important because it’s the first TLD to get signed. This also means it might be somewhat of a guinea pig, as any uncaught issues or bugs will probably show up when people invariably start trying to break the system.

We covered DNSSEC a bit in a previous post, and it is interesting to see how much progress has been made since then. DNSSEC isn’t new. In fact, it’s been around for quite some time in one unfinished form or another. It wasn’t until the Kaminsky DNS cache issue a few years ago that we saw a sudden surge in DNSSEC development and deployment.

But if history is any indication, the transition might not be smooth. Each registrar under a TLD has to support DNSSEC individually. This would create new costs and overhead (especially for small registrars), in addition to exacerbating the issue of fragmentation. And although a spotty DNSSEC is better than none at all, it really needs to be ubiquitous to maximize its usefulness.

Good luck, DNSSEC. You’ll need it.