News | 08.01.2010

DENIC Goes Ahead in the Signed DNSSEC Zone

The DNSSEC testbed for Germany has reached another milestone on its roadmap: exactly as planned, DENIC made the signed version of the .de zone available in the DNSSEC test environment on 5 January 2010. What exactly does this mean?

1. Once a day, DENIC will sign the current version of the .de zone from the production environment and make it available in the DNSSEC test environment for DNS queries.

2. The two name server clusters in Frankfurt and in Amsterdam will answer DNS queries, including DNSSEC data, as authoritative and non-recursive name servers.

3. Instructions on how to redirect queries for .de domains are provided for various resolvers in separate configuration examples.

4. For validating resolvers, the set-up now allows the Trust Anchor for the .de testbed to be configured. The Trust Anchor is a copy of the public part of the Key Signing Key, which is given to the resolver as the Trusted Key. This Trust Anchor, or Secure Entry Point, is published on an HTTPS-secured web page.

de.             86400   IN      DNSKEY  257 3 8 (
YkS1P7tOe8ola9IpQHTWO6ttTmSnyE= )

This Key Signing Key will remain valid until revoked. Any scheduled key changes will be announced with due notice.

5. In addition to the 2048-bit Key Signing Key, a 1024-bit Zone Signing Key will be used, which will be changed every five weeks. Both keys generate signatures using the standardized RSA/SHA256 procedure specified in RFC 5702.

6. The .de zone is signed with opt-out, using NSEC3 records according to RFC 5155.
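Before a DNSKEY record is configured as a Trust Anchor (points 4 and 5), its fields can be checked against the stated Key Signing Key profile: flags 257, protocol 3, algorithm 8, 2048-bit RSA modulus, REVOKE flag clear. The following is an added example, not DENIC's code; the function names are illustrative and the sample key is constructed, not the testbed key.

```python
import base64
import re

# Constructed sample, NOT a real key: exponent 65537 plus a 2048-bit modulus of 0xFF bytes.
_B64 = base64.b64encode(b"\x03\x01\x00\x01" + b"\xff" * 256).decode()
SAMPLE = f"de. 86400 IN DNSKEY 257 3 8 (\n  {_B64[:64]}\n  {_B64[64:]} )"

def parse_dnskey(text):
    """Parse one DNSKEY record in presentation format (RFC 4034, section 2.2)."""
    text = re.sub(r";[^\n]*", "", text)  # strip zone-file comments
    fields = text.replace("(", " ").replace(")", " ").split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm, "key": key}

def rsa_modulus_bits(key):
    """Modulus size of an RSA public key in RFC 3110 wire format."""
    if key[0]:                       # one-byte exponent length
        exp_len, off = key[0], 1
    else:                            # zero byte, then two-byte exponent length
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    return int.from_bytes(key[off + exp_len:], "big").bit_length()

def key_tag(rec):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    rdata = (rec["flags"].to_bytes(2, "big")
             + bytes([rec["protocol"], rec["algorithm"]]) + rec["key"])
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def check_trust_anchor(text, want_bits=2048):
    """Return (key_tag, problems); an empty list means the KSK profile is met."""
    rec, problems = parse_dnskey(text), []
    if not rec["flags"] & 0x0100:
        problems.append("Zone Key flag not set")
    if not rec["flags"] & 0x0001:
        problems.append("SEP flag not set: not a Key Signing Key")
    if rec["flags"] & 0x0080:
        problems.append("REVOKE flag set (RFC 5011)")
    if rec["protocol"] != 3:
        problems.append("protocol field must be 3")
    if rec["algorithm"] != 8:
        problems.append("algorithm is not 8 (RSA/SHA-256)")
    elif rsa_modulus_bits(rec["key"]) != want_bits:
        problems.append(f"modulus is not {want_bits} bits")
    return key_tag(rec), problems

if __name__ == "__main__":
    print(check_trust_anchor(SAMPLE))
```

The returned key tag is the value to compare with the tag of the anchor obtained from the HTTPS-secured page before the key is trusted.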

Further details about the technology and the signing procedure will be explained at the second DNSSEC Testbed Meeting. It will take place on 26 January 2010 at the DENIC head office in Frankfurt. Places are still available.


On 2 March 2010, the DNSSEC testbed will enter the next phase. From then on, it will be possible to record key material in the form of DNSKEY records for delegated .de domains in the registration database. Delegated second-level domains may also participate in the testbed.