About Us

Afilias' specialized technology makes Internet addresses more accessible and useful through a wide range of applications, including Internet domain registry services, Managed DNS and award-winning mobile Web services.

Cyber security

Afilias to Provide 1-Click DNSSEC Service to Simplify DNS Security Rollout

New solution to speed adoption of DNSSEC and enhance Internet security

 DUBLIN, IRELAND - 2 March 2009 - Today Afilias announced the beta launch of 1-Click DNSSECTM , an enhancement to its Managed DNS Service, that allows organizations, corporations and government agencies to enable DNS Security Extensions (DNSSEC) on their domains, quickly and easily. Afilias is currently accepting 'proof of concept' testing customers and expects to officially rollout 1-Click DNSSECTM as a service available to all of the Afilias Managed DNS customers later this year.

DNSSEC resources

DNSSEC protects the DNS from cache poisoning exploits which can allow malicious entities to intercept an Internet user's request to access a website, and redirect or eavesdrop on the user without their knowledge, and with no ability to reassert control.

Media or Page: 

Strengthen Internet Security: Protect Your Customers with DNSSEC

You don’t want traffic to your site hijacked and rerouted, but can you guarantee that will never happen?

When your customers type in your website URL, their browser uses the Domain Name System (DNS) to retrieve the IP address (or the location) of your website. During the DNS communication process, a bad actor could intercept the query, manipulate your site’s DNS data, and redirect your customers to an identical website run by the hijacker. Once there your customers would most likely feel safe to enter their personal information where it could be stolen by the bad actor.

So, how can you ensure your customers are really reaching YOUR site?

DNSSEC is the Key to Domain Name Security

DNS Security Extensions (DNSSEC) provide DNS data authentication – an additional level of security - that’s used to create the DNS chain of trust:

  1. Your DNS hosting provider, together with the registry (e.g., Afilias) and the registrar (authoritative sources for your DNS data), digitally “signs” your DNS data.
  2. When your customers’ Internet Service Provider (ISP), browser, and other applications (e.g. Windows and MacOS) request your DNS data, they must first validate the information in the digital signature.
  3. No DNS information can be altered with DNSSEC in place. If manipulated data is detected, your customers will be taken to an error page – and never to a fake site.

As the security and stability of the Internet’s core infrastructure is becoming ever more critical, DNSSEC plays an important role in the Internet’s natural evolution. For example, to close the security gap seen among TLS/SSL certifications for e-commerce, DNSSEC enables usage of a new protocol: DNS-Based Authentication of Named Entities (DANE). More DNSSEC applications are expected; make sure you stay up-to-date with the latest developments.

Act Now!

As a domain name holder, you should take these steps to ensure you are benefitting from DNSSEC:

  1. Ensure your domain’s registry and registrar have deployed DNSSEC
  2. Ensure your DNS hosting provider supports DNSSEC (this may be your registrar unless you have made separate arrangements) and is able to sign (and re-sign) your DNS zone files
  3. Make this a technical AND marketing win for your organization: Promote to your customers that they can trust your website as it is protected by DNSSEC
  4. Go one step further: Educate your customers to use and to look for other sites using DNSSEC: ensure their Internet service provider offers a validating DNS resolver, seek and deploy DNSSEC extensions for their favorite applications (e.g., your browser).

Afilias Domains Are DNSSEC-Enabled

Afilias is committed to DNSSEC: we have been an active player since 2008. From the heritage TLDs .ORG and .INFO to .ORGANIC, .LGBT, .VOTE, and many other top-level domains (TLDs) that we operate or manage are DNSSEC-enabled . All of our registrars have the option to offer DNSSEC to their domain name holders, i.e., the registrar is able to accept “Delegation Signer (DS)” records and send them to us.

Jim Galvin Writing About DNSSEC On CircleID

We’ve been very pleased to see Dr. Jim Galvin of Afilias writing a series of articles about DNSSEC over on Circle ID.  Jim has been a long-time friend and supporter of the Deploy360 Programme and has spoken multiple times at our ION conferences. (For example, he spoke at our recent ION Belfast event.)  Jim was also involved with the recent sponsorship of our ION conferences by Afilias.

Anyway, over at CircleID Jim started a series of articles about different aspects of DNSSEC. His articles thus far include:

The three articles provide a good overview of the current state of DNSSEC.  His third article, in particular, dives into an issue that has not been widely discussed – the potential 5-day waiting period during the transfer or a domain between registrars.

Read More (InternetSociety.org)

DNSSEC Fact Sheet

“Looking for a quick way to explain DNSSEC to people?  Would you like a DNSSEC handout you could print out and distribute at an event?  Need something to send to your manager or a vendor about why it is so important to support DNSSEC?” – Internet Society

Check out Internet Society’s 2-page, easy-to-understand fact sheet on Domain Names System Security Extensions, or DNSSEC.

ION Toronto - Why Implement DNSSEC?

What is DNSSEC and why is it so important? Jim Galvin of Afilias discusses the business reasons for, and financial implications of, deploying DNSSEC: from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet.

DNSSEC overview

DNSSEC introduces digital signatures to the DNS infrastructure, allowing end users to more securely navigate the Internet. It can provide users with effective verification that their applications, such as Web or email, are using the correct addresses for servers they want to reach. This document provides a high level overview of what DNSSEC is and how it works.
File DNSSEC Overview
This document provides a short overview on what DNSSEC is and how it works.
03/02/09 11:06 am73.54 KB

Securing a domain: SSL vs. DNSSEC

Howard Eland Senior Director Of Content Propagation and Resolution at Afilias discusses the differences between SSL and DNSSEC.

File Securing a Domain SSL vs DNSSEC
Howard Eland Senior Director Of Content Propagation and Resolution at Afilias discusses the differences between SSL and DNSSEC.
03/02/09 10:01 am87.58 KB

WEBINAR: Lessons from the Trenches: Deploying DNSSEC

Thinking of deploying DNSSEC on your TLD? Find out what to expect from the experts! Click Here to view Afilias' on-demand webinar featuring a panel discussion on implementing DNSSEC.

Many ccTLD registries are contemplating deploying Domain Name Security Extensions (DNSSEC). This Webinar will review the "lessons learned" from major players in the DNS industry who have taken a leadership position in deploying DNSSEC among TLDs and the Root infrastructure. This Webinar will give you key questions to ask yourself when deciding upon DNSSEC deployment parameters and timeline. It will also give you a good understanding of the infrastructure changes required for your registry and DNS systems to support DNSSEC.

John Kane, VP Corporate Services - Afilias

Rickard Bellgrim - .SE registry
Lauren Price - .ORG, The Public Interest Registry
Steve Crocker – Shinkuro and ICANN SSAC
Ram Mohan, CTO - Afilias

DNSSEC RFC Standards

The attached document contains the RFC standards that specify the core functionality of DNSSEC.  The attached document contains the RFC standards that specify the core functionality of DNSSEC.

The RFC standards that specify the core functionality of DNSSEC.
03/02/09 10:09 am64.18 KB

CircleID: You Don't Need to Hack Twitter.com to Control All Its Traffic and Email

Ram Mohan discuses in a CircleID.com blog post how hackers can gain control of a Web site and the implications for DNSSEC.

You Don't Need to Hack Twitter.com to Control All Its Traffic and Email Dec 18, 2009 2:42 PM PST

A big security news event last night and today is that the Twitter.com Web site was hacked and content on the site replaced. TechCrunch reported it and it has been picked up globally.

But - was the Twitter.com website really hacked? We now know it was not so.

There are four ways that users typing in Twitter.com would have seen the Iranian Cyber Army page.

Hack The Web Site

First, the hackers could have compromised the machines that run the Twitter.com Web pages, and replaced that content with their own content. A few years ago, this was one of the most popular ways of hacking sites, but high traffic Web site owners these days deploy very good security measures and are quite careful about who gets access to their production servers, what software is run on them, and how quickly security holes are patched.

Frankly, there are easier ways to "hack" a Web site without actually touching the Web site itself just steal access to their e-mail accounts and get their password to their DNS administration account so you can redirect all traffic aimed at the Web site and have it go somewhere else. That is what seems to have happened , according to recent media reports.

Hack The Registrar Account

The Twitter.com domain is registered at Network Solutions, one of the oldest domain name registrars. Network Solutions hosts some of the world's top brands and has been in business since the start of the commercial domain name business. They have also been a frequent (and sometimes successful) target of hacking attempts (the most recent one I recall is the June 2009 compromise of 573,000 debit & credit cards).

If the bad guys did manage to hack into the registrar account for Twitter.com, then they would have been able to touch and control anything related to the domain name. This includes the ability to change the ownership of the domain name, technical instructions for where e-mail for Twitter.com is sent, and finally instructions for where users typing in Twitter.com should be redirected to.

This is serious stuff, of course. The ICANN Security & Stability Advisory Committee (SSAC) has been publishing advisories on this threat for years, most recently as SAC040 (available in 8 languages on the SSAC Web site), asking registrars and Web site owners to exercise care in their security practices.

Hack The Managed DNS Provider

If the registrar account was not compromised, then the hackers could have used their third and equally devastating line of attack overwhelm security on the DNS servers for Twitter.com and gain access to the Control Panel at the DNS provider.

DNS servers are a kind of automated Internet directory service which instructs your web browser or your Tweetdeck (or other API) software where to find the site twitter.com. Web sites with a lot of traffic such as Twitter often contract with specialized companies who build large scale infrastructure to ensure that users looking for the website can get the Internet directory assistance quickly and reliably using a service called Managed DNS.

A few companies (including Afilias, my employer) provide Managed DNS service. Managed DNS is an increasingly important tool that companies deploy to ensure that their web site is always accessible and highly available online. (In Twitter's case, this is provided by DynDNS).

If access to the DynDNS Control Panel did get hacked (and recent reports indicate that this might be the root cause), then it would be equally easy to redirect all traffic, with potentially little notice to Twitter. This is why I like features like user group permissions, IP address restrictions and the automatic security alert SMS feature in the Afilias Managed DNS product you need a rapid alert mechanism if your site's traffic is being hijacked.

Hack The DNS Resolver

Of course, even if the Web site was locked down tight, the registrar had world class security and the Managed DNS provider was near impregnable, it is possible to just insert spurious directory (DNS) information so that Web browsers will always be given the wrong address of the Web site.

This may sound far-fetched, but it is actually really easy to do. The core infrastructure of the Internet was built in the days when security was an afterthought, and hackers can exploit that vulnerability easily. Called a "man-in-the-middle" attack, it is most devastating when insecure wireless (WiFi) networks are taken over (imagine the free Internet at Starbucks being taken over by a rogue machine, which then controls all access to any Web site you want to go to).

In the case of twitter.com, it is unlikely that this happened the hacker would have to insert the spurious directory (DNS) information into resolvers all over the world. But such an attack is very effective within an ISP or a company that runs its own resolvers which get compromised.

Could DNSSEC Have Helped?

Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked.

In this case, the answer is, "No". DNSSEC protects you when the correct information is in the DNS and your browser (or local resolver) validates the signed information.

But if the DNS Resolver had been hacked, only DNSSEC would have helped no other solution is 100% effective, and your browser would never go to the wrong site.

Ending Thoughts

You need to practice good security. This is sometimes more an art than a science.

  • Read the SSAC SAC040 report - there are some immediately implementable ideas there.
  • Use a reliable Managed DNS service provider
  • Pick a domain name registrar who practices good security
  • Ask for instant security alerts, such as with SMS updates
  • Dr. Jim Galvin's presentation from GCSC's DNS Security and DNSSEC event: Deploying DNSSEC: Lessons Learned

    Below are some photos of the Global Cyber Security Center's DNS Security Eventof which Afilias' Jim Galvin was a panelist discussing DNSSEC.

    GCSC Cyber Security EventDr. James Galvin

    DNSSEC PanelDr. James Galvin

    File Presentation-Dr Galvin GCSC
    07/06/10 10:56 am240.9 KB

    DNSSEC presentation ICANN Mexico City

    Ram Mohan, Executive Vice President and Chief Technology Officer presented "Securing your DNS infrastructure using DNSSEC" at the AtLarge Summit during the ICANN Mexico City Meeting.

    File Ram Mohan presentation on DNSSEC - ICANN Mexico City
    February 28 2009 - At-Large Summit ICANN Mexico City
    03/02/09 7:46 am557.09 KB

    .ASIA DNSSEC Signing Event November 2010

    On November 11, 2010 Afilias secured the .ASIA TLD with DNSSEC. You can find media, presentations, and comments from the event here.


    File Overview and History of DNSSEC - IETF Beijing/ .ASIA DNSSEC signing
    Afilias' Dr. James Galvin provides an overview and history of DNSSEC at the .ASIA DNSSEC press event in Beijing China Nov 11, 2010.
    11/11/10 2:03 pm30.87 KB
    File History and Value of DNSSEC presentation
    Afilias' Dr. James Galvin provides a history and overview of DNSSEC at the .ASIA DNSSEC signing press conference at the IETF meeting in Beijing China Nov 11, 2010. (See separate document for verbal remarks)
    11/11/10 1:41 pm702.3 KB

    Afilias' Ram Mohan's presentation to SSAC on DNSSEC deployment and working with IANA

    File Afilias' Ram Mohan's presentation to SSAC on DNSSEC deployment and working with IANA
    Afilias' Ram Mohan's presentation to SSAC on DNSSEC deployment and working with IANA
    12/09/10 11:22 am321.2 KB

    One Click DNSSEC

    DNSSEC is the best approach to secure your DNS infrastructure and protect visitors to your Web site from unknowingly being victimized by bad actors. Current efforts to deploy DNSSEC globally have been slowed by the complexity of implementation.

    Afilias solves this problem with its new One Click DNSSECTM service, which allows you to secure your zone with just one click.

    Afilias collaborates with Microsoft and industry leaders to stop Conficker worm

    Afilias is participating in a partnership with Microsoft, ICANN, technology industry leaders, and academia to implement a coordinated, global response designed to disable domain names targeted by the Conficker worm.

    Cyber Security in India

    Media or Page: 

    Afilias and CERT-In Sign MoU to Improve Internet Security in India

    File Afilias and CERT-IN Sign MoU
    In February 2008, Afilias signed an MOU with CERT-IN to improve Internet security.
    11/08/08 7:23 pm899.59 KB

    Afilias and CERT-In MoU Signing Ceremony

    File Afilias and CERT-IN MOU signing ceremony
    Dr. Gulshan Rai, Director of CERT-In, Mr. Madhavan Nambiar, Principal Secretary, and Mr. Ram Mohan, CTO and VP, Business Operations, Afilias signing MoU for Internet security today at New Delhi.
    11/08/08 8:12 pm138.89 KB

    Domain Security - Anti-Abuse, Spam and Phishing

    Media or Page: 

    Global Phishing Survey: Domain Name Use and Trends in 1H2008

    File 1H2008 APWG Study
    Global Phishing Survey released by the Anti-Phishing Work Group (APWG) in 2008 that studied the relationships between phishing attacks and top-level domains.
    11/08/08 1:38 pm575.48 KB

    The Relationship of Phishing and Domain Tasting - 2006 study

    File 2006 APWG Study
    This is a report issued in September 2006 and authored by the APWG DNS Policy Working Group%2C with contributions from Afilias.
    11/08/08 1:13 pm98.12 KB

    .INFO Domain Safer From Phishing Attacks

    Global Phishing Survey results highlight .INFO anti-abuse success

    Ram Mohan to Join ICANN Board of Directors

    Internet domain name industry veteran and security expert to join ICANN Board as Security and Stability Advisory Committee liaisonRam Mohan

    DUBLIN, IRELAND - 3 November 2008 - Afilias, a global provider of Internet infrastructure services, today announced that Ram Mohan, Executive Vice President and Chief Technology Officer, has been selected by the ICANN Security and Stability Advisory Committee (SSAC) to serve as its non-voting liaison on the ICANN Board of Directors. Mr. Mohan will be seated at the conclusion of the ICANN 33rd International Public Meeting in Cairo, Egypt.