ICANN has unanimously approved a request by the Public Interest Registry (which runs the .org registry) to make .org the first generic top-level domain (gTLD) to deploy DNSSEC, the security extension to the DNS. As part of the agreement, PIR will trailblaze DNSSEC while simultaneously developing an education and adoption plan that can later be disseminated across the Internet's infrastructure. PIR's move is a significant step forward, but a mixture of contentious political and technological issues has slowed worldwide development and deployment.

DNSSEC is intended to fix fundamental flaws in the original DNS protocol that leave it vulnerable to several attacks, the best known being cache poisoning, in which an attacker slips a forged answer into a resolver's cache so that later lookups go to an address of the attacker's choosing. It does this by adding digital signatures to DNS data: a zone operator signs each set of records with the zone's private key, and a validating resolver checks every answer it receives against the zone's public key before accepting it. A forged or altered record fails that check no matter which server (or attacker) delivered it, so the resolver can tell whether the data is what the zone's operator actually published. The signatures authenticate the data itself rather than the server that sent it; they don't act as a password, and they don't encrypt anything.
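To make the mechanism concrete, here is an added example (not code from the article, PIR, or any DNSSEC implementation) of the sign-then-validate step in Go. It is a toy model: it signs a canonical text form of an RRset with Ed25519 and carries the signer name and validity window the way an RRSIG does, but it is not the RFC 4034 wire format and omits the DS chain that links a child zone's key to its parent. The zone name, addresses, and the fixed clock are made up for the demonstration; the trusted-key map stands in for a resolver's configured trust anchors.

```go
package main

// Toy DNSSEC: a zone signs an RRset, a validating resolver checks it.
// Illustration only; not the RFC 4034 RRSIG/DNSKEY wire format.

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RRset is one owner/type with all its rdata, the unit DNSSEC signs.
type RRset struct {
	Owner string   // e.g. "www.example.org."
	Type  string   // e.g. "A"
	TTL   uint32
	Rdata []string // e.g. {"192.0.2.1"}
}

// Signature mirrors the RRSIG fields that matter for validation.
type Signature struct {
	SignerName string // zone apex whose key produced the signature
	Inception  int64  // Unix seconds
	Expiration int64
	Sig        []byte
}

// canonical builds the bytes that get signed. Rdata is sorted so the order
// records arrive in cannot change the signature (RFC 4034 does the same).
func canonical(rr RRset, sig Signature) []byte {
	rdata := append([]string(nil), rr.Rdata...)
	sort.Strings(rdata)
	return []byte(fmt.Sprintf("%s|%s|%d|%s|%s|%d|%d",
		strings.ToLower(rr.Owner), rr.Type, rr.TTL, strings.Join(rdata, ","),
		strings.ToLower(sig.SignerName), sig.Inception, sig.Expiration))
}

// Sign is the authoritative zone's side: done offline with the private key.
func Sign(priv ed25519.PrivateKey, signer string, rr RRset, now time.Time, validFor time.Duration) Signature {
	sig := Signature{SignerName: signer, Inception: now.Unix(), Expiration: now.Add(validFor).Unix()}
	sig.Sig = ed25519.Sign(priv, canonical(rr, sig))
	return sig
}

// Validate is the resolver's side. trusted maps a zone name to the public key
// the resolver trusts for it (a configured trust anchor, or a key already
// validated through the DS chain, which this toy leaves out).
func Validate(trusted map[string]ed25519.PublicKey, rr RRset, sig Signature, now time.Time) error {
	owner, signer := strings.ToLower(rr.Owner), strings.ToLower(sig.SignerName)
	// The signer must be the zone the name lives in (label boundary respected),
	// or a key for some unrelated zone could vouch for this answer.
	if owner != signer && !strings.HasSuffix(owner, "."+signer) {
		return errors.New("signer is not an ancestor of the owner name")
	}
	pub, ok := trusted[signer]
	if !ok {
		return errors.New("no trusted key for signer " + signer)
	}
	if t := now.Unix(); t < sig.Inception || t > sig.Expiration {
		return errors.New("signature outside its validity window")
	}
	if !ed25519.Verify(pub, canonical(rr, sig), sig.Sig) {
		return errors.New("bogus: signature does not match the RRset")
	}
	return nil
}

// Demo runs the cases a practitioner cares about and returns each validation
// result (nil means the resolver would accept and cache the answer).
func Demo() (legit, poisoned, expired error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"example.org.": pub} // constructed trust anchor
	now := time.Unix(1_700_000_000, 0)                            // fixed clock for reproducibility

	answer := RRset{Owner: "www.example.org.", Type: "A", TTL: 3600, Rdata: []string{"192.0.2.1"}}
	sig := Sign(priv, "example.org.", answer, now, 7*24*time.Hour)
	legit = Validate(trusted, answer, sig, now)

	// Cache poisoning: an attacker races the genuine reply with one pointing
	// www at their own address, replaying the genuine signature alongside it.
	forged := answer
	forged.Rdata = []string{"203.0.113.66"}
	poisoned = Validate(trusted, forged, sig, now)

	// Replaying a genuine but expired signature also fails.
	expired = Validate(trusted, answer, sig, now.Add(30*24*time.Hour))
	return legit, poisoned, expired
}

func main() {
	legit, poisoned, expired := Demo()
	fmt.Println("genuine answer:   ", legit)
	fmt.Println("poisoned answer:  ", poisoned)
	fmt.Println("expired signature:", expired)
}
```

The forged answer fails even though it arrives with a real signature, because the signature covers the record data, not the transport. Real validators also check the key tag and algorithm against the DNSKEY RRset and walk the DS chain up to a trust anchor; the `trusted` map is where that chain would terminate, which is exactly why control of the root's signing key matters.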

The DNS flaws themselves aren't anything new (they were identified back in 1990), but the solution has been no less than eleven years in the making, putting the length of its development cycle almost on par with Duke Nukem Forever. DNSSEC development has run from January 1997 to the present day, or roughly 11 years and six months. DNF was announced in April of 1997 and, assuming 3D Realms makes good on its 2008 projection, must ship no later than December 2008, for a total development time of 11 years, eight months. Hail to the king, indeed.

Spurious references to Duke aside, DNSSEC has had a difficult road to deployment. Early versions of the protocol proved incapable of scaling up to the degree necessary to cover the entire Internet. Later, privacy and legal concerns arose over zone enumeration: the records a signed zone uses to prove that a name does not exist also let anyone walk the zone and list every name in it, which some registries regarded as disclosing confidential data. These issues were eventually dealt with as well, but critical parts of the protocol weren't formally published until March of this year.

.org isn't the first top-level domain to implement DNSSEC, as several countries have already deployed it for their country-code TLDs. The issue of whether or not ICANN should sign the root has been batted about but is still something of a political mess. Doing so would speed and simplify the transition, because validating resolvers could then start from a single trust anchor rather than a separately configured key for each signed TLD. But whoever signs the root holds the root's private signing key, and every chain of trust on the Internet would end at that key. This, in turn, revives the question of whether or not ICANN and the US government can be trusted, etc, etc, ad nauseam.

PIR's announcement indicates that we should expect to see other gTLDs eventually deploy DNSSEC, but given the slow pace of adoption thus far, it's anyone's guess as to when that will happen.