News | 27.01.2010

2nd DNSSEC Testbed Meeting: Papers and Live Demonstrations Meet with Great Approval

Satisfied faces among the participants and at DENIC, the organizer of the event: With more than 70 attendees from industry and IT organizations, the second DNSSEC testbed meeting, held on 26 January 2010 at the premises of the Cooperative, met with overwhelming interest. Not only users but also providers of DNSSEC services and tools had come to keep up with the latest developments in the fight against DNS spoofing and cache poisoning and to use the opportunity for networking.

First Experiences with the Signed .de Zone

The event was held because the "DNSSEC testbed for Germany", initiated by DENIC in cooperation with the Association of the German Internet Economy eco e.V. and the Federal Agency for Security in Information Technology (BSI), had reached another milestone on its road map: Since 5 January 2010, the signed version of the .de zone has been available in the DNSSEC testbed environment. Thus, the name service infrastructure previously established at two locations in production quality can now also be used for production DNSSEC traffic without any impact on normal production operation. One of the locations has been accessible via IPv6 since the end of January.

The event covered a wide range of topics, presented by experts with many years of experience from widely varying parts of the DNSSEC community.

Brief Introduction to DNSSEC at the Opening

The meeting started with a brief introduction to the technical basics of, and the motivation for, the DNSSEC protocol extension. It served as a sort of warm-up before the project head, Peter Koch, summed up the experience with the testbed so far under the motto "21 days later and a bit wiser" and gave an outlook on the next project stages and targets. At present, DENIC signs the current .de zone version once a day and makes it available in the DNSSEC testbed environment. By signing the .de zone with NSEC3 records as defined in RFC 5155, using the "Opt Out" feature, zone walking is prevented and thus maximum protection of the data is achieved. Due to a particularity of the .de zone, the testbed already contains about 200,000 domains signed by DNSSEC. The reason for this is that in the .de zone, resource records in the form of NS entries may be provided directly in DENIC name servers instead of being made available in the domain holder's own name servers. By 2 March 2010, DENIC will have established interfaces for registering and administering DNSKEY records for delegated .de domains. As of that date, the public whois will also support queries for DNSSEC-specific attributes in domain objects. Once that is done, the current daily updating intervals (signing) will be gradually decreased until continuous updating is achieved by the end of the 3rd quarter of 2010.
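The NSEC3 signing mentioned above can be illustrated with a short Python example, added here and not taken from DENIC or the presentations. It computes RFC 5155 hashed owner names, links them into the sorted chain, and finds the record that proves a name absent, showing that such a proof discloses only hashes. The zone content is constructed, the salt and iteration count are those of the RFC 5155 Appendix A example zone (not the .de parameters), and Opt-Out is not modelled.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789abcdefghijklmnopqrstuv")

def wire_name(name: str) -> bytes:
    """Canonical DNS wire format: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 of name||salt, re-hashed `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode("ascii")

def build_chain(names, salt_hex, iterations):
    """Sorted hashed owner names; each entry points to the next (circular)."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covering_record(chain, qname, salt_hex, iterations):
    """NSEC3 pair proving qname is absent, or None if qname's hash is an owner."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if h == owner:
            return None
        # Normal interval, or the wrap-around interval at the end of the chain.
        if owner < h < nxt or (owner >= nxt and (h > owner or h < nxt)):
            return owner, nxt
    return None

# Constructed zone; parameters as in the RFC 5155 Appendix A example zone.
SALT, ITERATIONS = "aabbccdd", 12
ZONE = ["example", "a.example", "ns1.example", "x.y.w.example"]
CHAIN = build_chain(ZONE, SALT, ITERATIONS)

if __name__ == "__main__":
    for owner, nxt in CHAIN:
        print(owner, "->", nxt)
    print("denial for nosuch.example:",
          covering_record(CHAIN, "nosuch.example", SALT, ITERATIONS))
```

The records are ordered by hash rather than by name, so following the "next" pointers no longer enumerates the zone's names directly.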

 

Current Status of DNSSEC Around the World

The second half of the morning was devoted to the state of progress of DNSSEC introduction in countries other than Germany: The deployment status varies considerably throughout the world, among generic (gTLD) as well as country code (ccTLD) domains. At present, one finds a wide variety of implementation scenarios: (a) closed tests with a limited number of participants, (b) public tests with a potentially unlimited number of participants (testbeds), and (c) public operation in three variants, "only signed zone", "open for registrations with key material" or "fully operational with registrars and clients". With its testbed open to the general public and already working at an operational level, DENIC holds a good position. In view of the fact that the Cooperative will enable clients to record key material automatically as from March 2010, it has the potential to quickly advance to the top group in this segment of the international market. This is the opinion with which Hans Peter Dittler, managing director of BRAINTEC Netzwerk-Consulting GmbH, concluded his considerations of the global market.

Samuel Benz from the Swiss domain registry SWITCH brought the participants back from the international to the regional stage. SWITCH is about to complete pioneer operation with DNSSEC. He described the various phases of the project and the respective challenges and problems the participants were confronted with. Initial difficulties with zone sizes and RAM during zone transfer no longer occurred after the systems had been upgraded and switched to incremental zone transfer. Repeated failures were experienced, however, when the ADSL routers, which had been checked for DNSSEC compatibility, tried to validate signatures on the client. But all in all, it had not been the technical challenge of the launch that SWITCH had underestimated. What they had not expected was that the test participants in Switzerland, which ran a closed test, would be much more inclined to change validations than to sign delegated zones. This suggests that people dreaded the outlay required for the implementation of new processes, which would go along with the signing. As from February 2010, SWITCH will allow automatic recording of key material.

Study about DNSSEC Capability of Routers

In the second part of the meeting, Thorsten Dietrich, Head of Internet Security at the Federal Agency for Security in Information Technology (BSI), presented the results of a recently completed BSI study, which investigated the DNSSEC capability and other security aspects (such as open resolvers, port randomization, IPv6 support, WLAN security) of home routers generally available on the market. At the start of the test, the objects to be tested comprised about 90% of the devices available in Germany. The test scenarios were chosen according to user relevance (backward compatibility, DNSSEC support and direct DNS queries via the applications). Initially, a mere 40% of the tested devices satisfied the criterion of DNSSEC compatibility out of the box. After reconfiguration of the devices, avoiding the built-in DNS proxy, this figure surged to 100%. Since the producers who had provided the devices were granted absolute anonymity, BSI could not, however, publish any producer-related results. But of course they gave feedback to the producers. It remains to be seen if they will develop and upgrade the devices accordingly.

DNSSEC for the Root Zone

Next came Wolfgang Nagele, who represented the Regional Internet Registry RIPE NCC, which is responsible for allocating IP address space in Europe. With K-Root, RIPE NCC operates one of 13 root name server clouds scattered throughout the world. Wolfgang Nagele explained the current plans for implementing DNSSEC for the root zone of the hierarchical Domain Name System. The roll-out of DNSSEC in the root zone will be carried out in several phases and be completed by the end of June 2010. This enables clients still facing problems with the DNS protocol limits or with packet fragmentation to initially switch to other root name servers and to use the time until all root name servers support DNSSEC for upgrades. The first one to take action was ICANN with the L-Root server on 27 January; K-Root will follow on 24 March. Validation of the root zone will not be possible before 1 July, when signing of the entire root zone will finally be completed. Validation is effected by means of so-called Trust Anchors, copies of the public section of the Key Signing Keys, which will be communicated to resolvers as "trusted keys".

Efficient DNSSEC Key Management

The focal topic of the final lecture was an open source tool for efficient management of DNSSEC keys, which was explained in detail by its developer, Holger Zuleger (HZNET). This so-called ZKT software is based on the DNSSEC commands of the widely used DNS implementation BIND. Designed for small to medium-sized providers, the tool not only offers a resource-saving option to start DNSSEC but also considerably facilitates the process chains of automatic zone administration with DNSSEC.

Live Presentation of a Validator

Not only theory but also practical applications were adequately addressed at the event: In live presentations during the breaks, the cryptography expert Lutz Donnerhacke demonstrated, for example, how a validator verifies signed DNS responses in real operation.

3rd DNSSEC Testbed Meeting on 16 June 2010

On 16 June 2010, the third DNSSEC testbed meeting will take place to report on the progress achieved and the experiences made with the .de zone by then. DENIC's CEO, Sabine Dolderer, emphasized that DENIC would be happy to welcome a large number of new interested parties to the testbed, in order to have as broad a basis as possible for the final assessment of the testbed under cost-benefit aspects. By integrating the testbed in the production environment, DENIC deliberately created conditions that make it easy to decide in favour of active participation.

You will find the presentations and profiles of the speakers of the event on the DNSSEC webpages for download.