

Friday, February 26, 2010

UK Registry to Implement DNSSEC

Nominet, the U.K.'s domain name registry, will begin implementing a security protocol on Monday designed to protect the DNS (Domain Name System).

The system, called DNS Security Extensions (DNSSEC), uses public key cryptography to digitally "sign" DNS records. It is designed to stop attacks such as cache poisoning, in which forged answers are slipped into a resolver's cache so that a user who types the correct Web site name is directed to a fake Web site. A resolver that validates signatures discards the forged answer because the attacker cannot produce a valid signature for it, even when the forgery arrives before the genuine response.

Nominet will begin signing the ".uk" top-level domain on Monday, a process that will conclude a week later, said Simon McCalla, director of IT at the registry.

Interestingly, there are just a little over a dozen domain names registered directly under ".uk", since a decision was made more than a decade ago to close off such registrations, he said. Much more common are second-level domains, such as "" and "," among others.

However, signing the ".uk" zone is crucial to building the so-called "chains of trust" required for full DNSSEC implementation, McCalla said. A zone's signing key is vouched for by its parent: the parent publishes a DS record containing a hash of the child's key and signs that record with its own key, so a resolver can only authenticate the key of a zone beneath ".uk" if ".uk" itself is signed.

That chain culminates at the "root zone," the master list of where computers can go to look up an address in a particular domain such as ".com," which is served by the 13 root nameservers located around the world. Once the root is signed, a resolver needs only the root's key as a configured trust anchor to validate any signed zone beneath it. The DNS translates Web site names, such as into a numerical IP (Internet Protocol) address, which is used by computers to find a Web site.

Nominet will begin signing "" -- comprising more than 8 million domain names -- later this year, working with any entity that operates a nameserver for those domains, as their nameserver software will have to be upgraded for DNSSEC.

So far, other entities have been slow to upgrade. McCalla said many appear to be waiting for the root zone to be signed. "I expect we will see a much greater awareness this year," he said.

Source: Retrieved on February 26th from

Tuesday, February 16, 2010

Debian to start deploying DNSSEC

The Debian system administrators (DSA) have announced that they will soon be deploying DNSSEC for selected Debian zones. "The plan is to introduce DNSSEC in several steps so that we can react to issues that arise without breaking everything at once. [...] We will start with serving signed and zones. Assuming nobody complains loudly enough the various reverse zones and finally the zone will follow. Once all our zones are signed we will publish our trust anchors in ISC's DLV Registry, again in stages. [...] The various child zones that are handled differently from our normal DNS infrastructure (, alioth, bugs, ftp, packages, security, volatile, www) will follow at a later date." (Thanks again to Paul Wise.)


Tuesday, February 9, 2010

OpenDNSSEC Available To Download Today

"The OpenDNSSEC project group today announces the availability of its open source software that will make it easier for Internet service providers, web hosting companies and name service operators to enhance Internet security. OpenDNSSEC is available to download at:

Developed by industry leaders including .SE (The Internet Infrastructure Foundation), NLNetLabs, Nominet, Kirei, SURFnet, SIDN and John Dickinson, OpenDNSSEC will seamlessly integrate domain name security extensions (DNSSEC) into already existing IT systems without the need for organisations to change their infrastructure.

How does it work?

DNSSEC secures the information used to translate domain names (such as to computer addresses by adding to it a cryptographic signature created by a securely held key. When the information is retrieved as a result of a DNS query, the signature is also returned.

The computer making the query checks the information received against the signature. As it is impossible to create the correct signature without the secure key, a match implies that the information is authentic – it was retrieved from the correct place and was not modified in transit.

OpenDNSSEC is software that simplifies the process of creating and managing the DNSSEC signatures. Available under the BSD licence, it can be downloaded and installed on existing systems, and quickly set up to provide a secure DNS service.

Lesley Cowley, CEO at Nominet comments: "OpenDNSSEC ensures that the domain name system is not tampered with, and that Internet users are directed to a preferred web site without intervention. This piece of software provides an extra layer of security to the DNS. The collaboration in evidence, shows that the Internet community is committed to forging a safer, more trusted Internet for all."

For further information about how OpenDNSSEC works or to download the beta, please visit"

Source: Retrieved on February 9, 2010 from
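The mechanism the announcement describes (a securely held key signs the records, the querying computer checks the returned signature) and the "chains of trust" the Nominet item above depends on (each zone's key vouched for by a signed DS record in its parent, up to a trust anchor at the root) are shown together below in an added Go example that is not part of either post and is not OpenDNSSEC code. It is a toy model: Ed25519 stands in for the RSA/ECDSA algorithms real DNSSEC used at the time, a text form stands in for the RFC 4034 wire format, an in-memory zone map replaces actual DNS queries, and the zone "example.uk." with its address records is constructed for the example. It shows a genuine answer validating, an attacker-signed answer failing even though it claims the real zone as its signer, and the whole .uk subtree becoming unverifiable when the root stops publishing the DS record for .uk, which is why signing the parent zone matters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RRset is a simplified RRset plus its RRSIG; a canonical text form is signed, not the RFC 4034 wire format.
type RRset struct {
	Owner, Type, Signer string // Signer: the zone whose DNSKEY produced Sig
	Records             []string
	Sig                 []byte // RRSIG
}
// canonical is the byte string that is signed and verified.
func canonical(rr *RRset) []byte { return []byte(fmt.Sprintf("%s|%s|%q", rr.Owner, rr.Type, rr.Records)) }
// dsDigest stands in for a DS record: the hash of a child's key that its parent signs.
func dsDigest(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// Zone is one authoritative operator: its key pair and the DS RRsets it signs for its children.
type Zone struct {
	Name, Parent string // Parent is "" for the root
	Pub          ed25519.PublicKey
	priv         ed25519.PrivateKey
	DS           map[string]*RRset // child zone name -> DS RRset signed by this zone
}
func newZone(name, parent string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Name: name, Parent: parent, Pub: pub, priv: priv, DS: map[string]*RRset{}}
}

// Sign builds an RRset and its RRSIG under this zone's private key.
func (z *Zone) Sign(owner, typ string, records ...string) *RRset {
	rr := &RRset{Owner: owner, Type: typ, Records: records, Signer: z.Name}
	rr.Sig = ed25519.Sign(z.priv, canonical(rr))
	return rr
}

// Resolver is a validating resolver: Zones stands in for its DNSKEY/DS queries; Anchor (the root key's DS digest) is its only trust anchor.
type Resolver struct {
	Zones  map[string]*Zone
	Anchor string
}

// authenticKey returns a zone's DNSKEY only if it chains to the anchor: the root key must match
// the anchor; any other key must match a DS RRset in its parent that itself validates (recursively).
func (r *Resolver) authenticKey(zone string) (ed25519.PublicKey, error) {
	z := r.Zones[zone]
	if z == nil {
		return nil, fmt.Errorf("no DNSKEY for %s", zone)
	}
	var ds *RRset // the DS record (or trust anchor) that vouches for z.Pub
	if z.Parent == "" {
		ds = &RRset{Records: []string{r.Anchor}} // configured locally, nothing to verify
	} else if ds = r.Zones[z.Parent].DS[zone]; ds == nil {
		return nil, fmt.Errorf("no DS for %s in %s: chain of trust broken", zone, z.Parent)
	} else if err := r.Validate(ds); err != nil {
		return nil, fmt.Errorf("DS for %s: %w", zone, err)
	}
	if ds.Records[0] != dsDigest(z.Pub) {
		return nil, fmt.Errorf("DNSKEY for %s matches neither its DS nor the anchor", zone)
	}
	return z.Pub, nil
}

// Validate accepts an RRset only if its RRSIG verifies under the signer's authenticated key.
func (r *Resolver) Validate(rr *RRset) error {
	key, err := r.authenticKey(rr.Signer)
	if err == nil && !ed25519.Verify(key, canonical(rr), rr.Sig) {
		err = fmt.Errorf("bad RRSIG on %s %s", rr.Owner, rr.Type)
	}
	return err
}

// BuildChain signs root -> uk. -> example.uk. (a constructed child) plus one A RRset; the resolver trusts only the root key.
func BuildChain() (*Resolver, *RRset) {
	root, uk, ex := newZone(".", ""), newZone("uk.", "."), newZone("example.uk.", "uk.")
	root.DS[uk.Name] = root.Sign(uk.Name, "DS", dsDigest(uk.Pub))
	uk.DS[ex.Name] = uk.Sign(ex.Name, "DS", dsDigest(ex.Pub))
	a := ex.Sign("www.example.uk.", "A", "192.0.2.10")
	zones := map[string]*Zone{root.Name: root, uk.Name: uk, ex.Name: ex}
	return &Resolver{Zones: zones, Anchor: dsDigest(root.Pub)}, a
}

// Forge models cache poisoning: lacking the zone's key, the attacker re-signs a spoofed answer with its own key.
func Forge(target *RRset) *RRset {
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	f := *target
	f.Records = []string{"198.51.100.66"}
	f.Sig = ed25519.Sign(attacker, canonical(&f))
	return &f
}

func main() {
	r, a := BuildChain()
	fmt.Println("genuine:", r.Validate(a), "| forged:", r.Validate(Forge(a)))
	delete(r.Zones["."].DS, "uk.") // the root stops publishing the .uk DS: the chain breaks
	fmt.Println("parent unsigned:", r.Validate(a))
}
```

A real validator additionally checks that the RRSIG's signer name is the zone enclosing the owner name, honours the signature's validity window, and copes with more than one DNSKEY per zone during key rollovers; all of that is omitted here. Before the root was signed, which is the situation the items on this page describe, a resolver had to configure a separate trust anchor for every signed TLD it wanted to validate, or consult a lookaside registry such as ISC's DLV mentioned in the Debian item.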

Wednesday, February 3, 2010

Swiss Among World Leaders in Enabling DNSSEC

SWITCH, the registry for .CH and .LI domain names, enabled DNSSEC on day two of the annual Domain Pulse conference in Luzern yesterday. SWITCH became one of the first ccTLD registries in Europe to enable DNSSEC, giving registrants of .CH domain names added security, following .SE (Sweden) and .CZ (Czech Republic).

The added protection against forged DNS answers makes the internet more trustworthy for its users, which matters especially for banks and other financial services providers.

At the Domain Pulse conference, Urs Eppenberger of SWITCH and Marc Furrer of the Swiss Federal Communications Commission (ComCom) enabled DNSSEC.

Furrer said he was very pleased with the efforts of SWITCH to be playing a leading role in the implementation of more secure internet communications and commerce.

"I am particularly proud of the fact that Switzerland is one of the first countries in Europe to introduce DNSSEC. This now guarantees security in the internet" said a delighted Marc Furrer, President of ComCom, in a statement.

Meanwhile DENIC, the .DE registry, is on schedule to prepare a test bed for registrars; this phase will run until 2011, said Sabine Dolderer, the company's CEO.

However will not be introducing DNSSEC in 2010, said Richard Wein, CEO of Wein believes there is not yet the demand or the market for it in Austria (.AT) at the moment, but, like DENIC, will be watching developments in the .CH ccTLD closely. will be preparing for DNSSEC internally so that it is ready for deployment when there is demand. is also preparing an innovative business model to allow internet companies demanding a high level of security, from registries (in particular those planning to apply for new generic Top Level Domains (gTLDs)) and registrars to banks and others, to use its infrastructure. It is planned to have this finalised in the summer of 2010.

Other presentations included one from Steve Gobin of ICANN, who spoke about the new Registrar Accreditation Agreement, and one from Simon Kopp of Kantonspolizei Luzern about the Fit4Chat website, an initiative of the Luzern canton's police department to help parents and children deal with unwanted online contact from strangers, and in particular from older adults.

There was also a presentation on internationalised domain names (IDNs) from Leonid Todorov of the Coordination Centre for TLD RU, who explained the difficulties for Russian users in having to use only Latin characters for domain names. With a very small number of English speakers, especially in the more remote regions, and no adequate Latin/Cyrillic script transliteration, particularly for international trademarks, the introduction of IDNs will be of huge benefit to internet users in the country.

The 2011 Domain Pulse conference will be held in Vienna, Austria, from 17 to 18 February which will more or less coincide with the predicted one millionth .AT domain registration milestone.

Videos and slides of all presentations, mostly in German, are available on the Domain Pulse conference website, although without the simultaneous translation that was provided during the meeting.

Source: David Goldstein,, Swiss Among World Leaders in Enabling DNSSEC, Retrieved on February 3, 2010 from

Monday, February 1, 2010

Google and Neustar propose security fix for DNS geolocation technology

Google and DNS provider Neustar have jointly proposed an extension to the DNS protocol. Despite the headline, the proposal is not a fix for DNS's security problems: it is meant to make geo-targeted answers more accurate when a query reaches an authoritative server through a distant recursive resolver.

Google and Neustar, which posted the proposal on an IETF mailing list last week, would like to see the protocol extended so that a query carries partial IP address information about the computer that triggered it. Today an authoritative nameserver sees only the address of the recursive resolver that forwards the query; with the extension it could tell roughly where the original query came from and choose its answer accordingly. The extension does nothing against DNS poisoning, in which a nameserver is convinced by a rogue computer that an illegitimate internet destination is the right one; defending against that is the job of DNSSEC's signatures, and the subnet information itself arrives unauthenticated.

"It specifies an EDNS0 option that carries IP address information (by default, only the first 24 bits to preserve privacy) of the user that triggered a DNS resolution," said the posting, made by executives from Google and Neustar. "This should allow authoritative name servers that keep geo-targeted responses to be more accurate, even in cases where the resolver and its users are close to each other."

The posting accompanied a 20-page document detailing the extension, which allows an authoritative name server to issue responses based upon the client's network address rather than the address of the recursive name server that forwarded the query.
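The option layout the posting describes (address family, source prefix length, scope prefix length, and an address truncated to that prefix) is shown below, encoded and parsed in Go, as an added example that is not taken from Google's or Neustar's proposal. The layout is the one later standardized in RFC 7871; the option code 0x50FA is, to the editor's recollection, the experimental value the draft used before IANA assigned code 8, so treat that constant as an assumption, and the client addresses are constructed. The decoder is deliberately strict because the option is unauthenticated input from whatever sent the query: it rejects a length that disagrees with the prefix and any non-zero address bits beyond the prefix, while the encoder masks those bits before they leave the resolver, which is the privacy property the posting's "first 24 bits" refers to.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// OptionCode is the EDNS0 OPTION-CODE in the OPT RR. 0x50FA is the experimental code
// the draft used; IANA later assigned 8 (RFC 7871). Treat the value as an assumption.
const OptionCode = 0x50FA

// ClientSubnet is the option payload: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH
// and an ADDRESS truncated to the source prefix.
type ClientSubnet struct {
	Family       uint16 // 1 = IPv4, 2 = IPv6
	SourcePrefix uint8  // how many leading bits of the client address are carried
	ScopePrefix  uint8  // 0 in queries; the authority sets it in answers
	Address      net.IP // bits beyond SourcePrefix are always zero
}

// Encode builds the complete option (code, length, payload) for a query. Only
// ceil(prefix/8) address octets are sent and the bits beyond the prefix are masked,
// so the rest of the client address never leaves the resolver.
func Encode(client net.IP, sourcePrefix uint8) ([]byte, error) {
	family, bits, ip := uint16(1), 32, client.To4()
	if ip == nil {
		family, bits, ip = 2, 128, client.To16()
	}
	if ip == nil || int(sourcePrefix) > bits {
		return nil, errors.New("invalid client address or prefix length")
	}
	ip = ip.Mask(net.CIDRMask(int(sourcePrefix), bits))
	n := (int(sourcePrefix) + 7) / 8
	opt := make([]byte, 8+n)
	binary.BigEndian.PutUint16(opt[0:], OptionCode)
	binary.BigEndian.PutUint16(opt[2:], uint16(4+n)) // OPTION-LENGTH covers the payload only
	binary.BigEndian.PutUint16(opt[4:], family)
	opt[6], opt[7] = sourcePrefix, 0 // SCOPE PREFIX-LENGTH is 0 in a query
	copy(opt[8:], ip[:n])
	return opt, nil
}

// Decode parses an option strictly. The payload is unauthenticated input from whoever
// sent the query, so an authority should reject a length that disagrees with the prefix
// and any non-zero bits beyond the prefix instead of tolerating them.
func Decode(opt []byte) (*ClientSubnet, error) {
	if len(opt) < 8 || binary.BigEndian.Uint16(opt[0:]) != OptionCode {
		return nil, errors.New("not a client-subnet option")
	}
	if int(binary.BigEndian.Uint16(opt[2:]))+4 != len(opt) {
		return nil, errors.New("option length mismatch")
	}
	cs := &ClientSubnet{Family: binary.BigEndian.Uint16(opt[4:]), SourcePrefix: opt[6], ScopePrefix: opt[7]}
	bits := map[uint16]int{1: 32, 2: 128}[cs.Family]
	if bits == 0 {
		return nil, fmt.Errorf("unknown address family %d", cs.Family)
	}
	if int(cs.SourcePrefix) > bits || len(opt)-8 != (int(cs.SourcePrefix)+7)/8 {
		return nil, errors.New("address length does not match prefix length")
	}
	addr := make(net.IP, bits/8)
	copy(addr, opt[8:])
	if !addr.Equal(addr.Mask(net.CIDRMask(int(cs.SourcePrefix), bits))) {
		return nil, errors.New("non-zero address bits beyond the source prefix")
	}
	cs.Address = addr
	return cs, nil
}

func main() {
	opt, err := Encode(net.ParseIP("192.0.2.77"), 24) // constructed client address
	if err != nil {
		panic(err)
	}
	cs, err := Decode(opt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("option bytes: % x\nclient subnet: %v/%d\n", opt, cs.Address, cs.SourcePrefix)
}
```

An authoritative server that uses the decoded prefix to pick an answer should also set the scope prefix length in its reply to the smallest prefix the answer actually depends on, so that a caching resolver can reuse the answer for the whole scope; what it must never do is treat the prefix as evidence of who is asking, since nothing in the option is signed.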

Google has been increasingly active in the battle to make the domain name service more secure. Ever since researcher Dan Kaminsky disclosed a fundamental cache-poisoning flaw in 2008, the security of the service, which resolves domain names to IP addresses on the internet, has been in question.

Early last month, it was revealed that 80% of US federal agencies had failed to implement DNSSEC, a set of security extensions to DNS that use public-key signatures to let resolvers verify that the records they receive are genuine and unaltered (DNSSEC authenticates DNS data; it does not encrypt queries or responses). The government had imposed a deadline of Dec. 31, 2009 for the upgrades.

Source: Google and Neustar propose security fix for DNS geolocation technology, Retrieved on February 2, 2010 from