Steve Crocker, who is heading up the DNSSec Deployment Initiative with funding from the DHS, told ComputerWire yesterday he expects DNSSec support will be added to the internet’s DNS root server system towards the end of this year.

Fresh from an apparently successful meeting with ICANN staff and root server operators, Crocker said some agreement had been reached. He said: "We're not going to do it piecemeal, we've got to do it all together or not at all."

DNSSec is a set of extensions to the age-old DNS standards that is designed to prevent domain names from being hijacked by malicious hackers, by adding a cryptographic signature check to each DNS lookup.

Lack of DNS authentication could lead to attacks such as corporate espionage, and may not be a theoretical problem, Crocker said. "You never know how big a threat it is," he said. "I think it's doable, but we have no information on whether it's being done."

The DNS is hierarchical. When a browser looks up a web page, www.computerwire.com for example, it needs the IP address associated with the host name in the URL. If the local DNS server does not already know the answer, that server asks a root server for a pointer.

The root points to a name server at VeriSign, which the root knows runs .com. VeriSign's server points on to ComputerWire's name server, which it knows runs computerwire.com, and ComputerWire's name server finally answers with the address of its web server, www.computerwire.com.

"Anywhere along that path, you could be given misinformation by a badly configured system, or an intruder, that causes your traffic to be directed to a different site," Crocker said.

This so-called man-in-the-middle attack could let a hacker intercept and read your email, web browser requests, or any other internet traffic that uses domain names to locate servers. The victim would usually be none the wiser.

DNSSec is designed to solve this problem by requiring each stage of the DNS lookup to be authenticated using a cryptographic key. A company with a .com address would be authenticated by the .com servers, and the .com servers would be authenticated by the root. The root would be authenticated using a public key.
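The lookup path and the chain of trust described above, root to .com to the company's own zone, modelled in Go. This is an added illustration, not code from the article or from any DNSSec implementation: Ed25519 keys stand in for the DNSKEY records, a SHA-256 digest of a child's key published by its parent stands in for the DS record, and one signature per record stands in for the RRSIG (real DNSSEC signs the canonical wire form of a whole RRset). The zone and function names (Zone, Validate, Tamper, BuildExample) and the address 192.0.2.10 for www.computerwire.com are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Record struct{ Name, Type, Data string } // simplified resource record

// Zone is a toy signed zone: the Ed25519 key pair stands in for the DNSKEY,
// one signature per record stands in for its RRSIG.
type Zone struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	records map[string]Record // keyed by "TYPE name"
	sigs    map[string][]byte
}

// canonical is what a signature covers (real DNSSEC signs a whole RRset's wire form).
func canonical(r Record) []byte { return []byte(r.Name + "|" + r.Type + "|" + r.Data) }

// NewZone creates a zone with a freshly generated key pair.
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv, records: map[string]Record{}, sigs: map[string][]byte{}}
}

// Publish stores a record together with the zone key's signature over it.
func (z *Zone) Publish(r Record) {
	k := r.Type + " " + r.Name
	z.records[k] = r
	z.sigs[k] = ed25519.Sign(z.priv, canonical(r))
}

// DSDigest is the digest of a child's key that the parent publishes (the DS record's role).
func DSDigest(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// Tamper models a misconfigured or hostile server altering record data; the stored
// signature still covers the original data, so validation must reject the record.
func Tamper(z *Zone, typ, name, data string) {
	r := z.records[typ+" "+name]
	r.Data = data
	z.records[typ+" "+name] = r
}

// verified returns a record only if its stored signature checks under pub.
func (z *Zone) verified(pub ed25519.PublicKey, typ, name string) (Record, error) {
	r, ok := z.records[typ+" "+name]
	if !ok || !ed25519.Verify(pub, canonical(r), z.sigs[typ+" "+name]) {
		return Record{}, fmt.Errorf("%s: missing or badly signed %s record for %s", z.Name, typ, name)
	}
	return r, nil
}

// Validate walks the chain of trust from the root to the leaf record: chain[0] must hold
// the out-of-band trust anchor, each lower zone's key is trusted only if its digest matches
// the DS record signed by the zone above it, and the record is returned only if its own
// signature verifies under the (now trusted) leaf zone key.
func Validate(anchor ed25519.PublicKey, chain []*Zone, typ, name string) (string, error) {
	if len(chain) == 0 || !anchor.Equal(chain[0].pub) {
		return "", fmt.Errorf("root key does not match the trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		ds, err := parent.verified(parent.pub, "DS", child.Name)
		if err != nil {
			return "", err
		}
		if ds.Data != DSDigest(child.pub) {
			return "", fmt.Errorf("%s: key not vouched for by %s", child.Name, parent.Name)
		}
	}
	leaf := chain[len(chain)-1]
	r, err := leaf.verified(leaf.pub, typ, name)
	if err != nil {
		return "", err
	}
	return r.Data, nil
}

// BuildExample sets up root -> com -> computerwire.com as in the article, with a
// constructed address from the 192.0.2.0/24 documentation range.
func BuildExample() (ed25519.PublicKey, []*Zone) {
	root, com, cw := NewZone("."), NewZone("com"), NewZone("computerwire.com")
	root.Publish(Record{Name: "com", Type: "DS", Data: DSDigest(com.pub)})              // root vouches for .com
	com.Publish(Record{Name: "computerwire.com", Type: "DS", Data: DSDigest(cw.pub)}) // .com vouches for the company
	cw.Publish(Record{Name: "www.computerwire.com", Type: "A", Data: "192.0.2.10"})
	return root.pub, []*Zone{root, com, cw}
}

func main() {
	anchor, chain := BuildExample()
	fmt.Println(Validate(anchor, chain, "A", "www.computerwire.com"))
	Tamper(chain[2], "A", "www.computerwire.com", "203.0.113.66")
	fmt.Println(Validate(anchor, chain, "A", "www.computerwire.com"))
}
```

Run with `go run`: the untouched chain yields the published address, while the altered record fails because its signature no longer matches. The same function also rejects a substitute .com key that the root never vouched for, and a root key that differs from the configured trust anchor, which is what makes the root's published key the foundation of the whole scheme. A validating resolver behaves the same way in practice: it withholds an answer it cannot authenticate rather than hand the browser misinformation picked up along the path.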

It's the decision to publish those public keys and support DNSSec at the root that appears to have been reached this week at the ICANN meeting, where all the big players from the DNS space are gathered for a five-day tête-à-tête.

But that’s not even half the challenge. Crocker said that the top-level domain operators, such as VeriSign, also need to start supporting DNSSec, as do makers of applications such as browsers, operating systems and email software.

The operators of the Swedish and Dutch TLD registries, .se and .nl, will almost certainly be the first to support the protocols, Crocker said. These are relatively small domains, where the cost and complexity of rolling out DNSSec will be relatively modest.

VeriSign, on the other hand, is said to manage over 80% of the world’s domains, and would have a lot more work. Pat Kane, head of .com/.net data at VeriSign, said that adding DNSSec support would triple the size of its registry zone files.

Kane said that he expects the cost to the VeriSign registry of rolling out DNSSec across the whole of the .com and .net domains would be $5m in the first year. At the same time, there’s no real business model associated with the technology, yet.

"Registries and registrars have to balance market demand with technical needs. There's no proof today there's a market demand for DNSSec," he said during a public meeting on the subject here in Argentina. "Where is the revenue?"

VeriSign does appear to be committed to DNSSec, however. The specs have been under development, with VeriSign's assistance, for 12 years, and VeriSign has been running pilot and test-bed projects for over four years.

There may be a market for DNSSec as a value-added service. Many companies could be happy to pay an extra fee each year for a domain to protect their sites against man-in-the-middle attacks. But the threat is little known.

"We don't have a reference event," said VeriSign's Kane, alluding to the 1989 Exxon Valdez disaster, and how it reformed the way oil spills were treated. Without a CNN headline talking about DNS insecurity, there's no demand yet.

"That's a good thing and a bad thing," he said. "It's good because we don't have that event, it's bad because we don't have the motivation across the entire community."

The DNSSec Deployment Initiative is being managed by Crocker’s company, Shinkuro Inc, with funding from the DHS. DNSSec deployment is one of the few hard technical goals outlined in the US government’s National Strategy to Secure Cyberspace.

Crocker is also head of ICANN's Security and Stability Advisory Committee. ICANN is tasked with ensuring the stability of the DNS. Crocker said: "This is bigger than ICANN, but ICANN has a strong, vital, pivotal role."