Hands-on DNSSEC:<br>DENIC Invites To 2nd DNSSEC Testbed Meeting
Also in Germany, security technologies on the Internet are becoming more and more topical due to an increasing number of occurrences of data misuse in the recent past. One potential source of attack is the data path between DNS servers and resolvers. This is the result of attacks such as cache poisoning, DNS redirection and DNS spoofing. DENIC, the central registry for domains under the Top Level Domain .de, helps to provide better protection against this hazard by a testbed, which has now entered its next phase. The testbed is used for verifying if and to which extent the protocol extension DNSSEC (Domain Name Server Security Extensions) guarantees a reliable and secure transfer.
The 2nd testbed meeting, which is going to take place in the offices of DENIC in Frankfurt am Main on 26 January 2010, will mirror the current status of the testbed environment. The event provides an opportunity for experts and interested users to be informed live and on-site about the latest developments around DNSSEC and the related source authenticity and data integrity of the Domain Name System in Germany and internationally. After a facultative introductory lecture about the basics and the importance of the DNSSEC security protocol, lecturers from Germany and other countries will present a variety of specialist papers. They will cover all aspects from first experiences with the signed .de zone, which has been active in the test environment since 5 January 2010, the status of productive operation in other TLDs up to the introduction of tools relevant to DNSSEC. Live presentations will give additional insight into the use of DNSSEC in the practice and provide a platform for an exchange of ideas with experts. The event is designed for a broad audience including both providers and users of the German Internet. A live streaming will enable interested parties who are not able to attend personally to follow the meeting.
In the meantime, the DNSSEC testbed for Germany has met another milestone of its roadmap: Exactly as planned, DENIC made available the signed version of the .de zone in the DNSSEC test environment on 5 January 2010. Two name server clusters in Frankfurt and Amsterdam, which were set up in advance as productive units, now answer DNS queries as authoritative and non-recursing name servers. Thus, the separate name service infrastructure for .de domains, which has been available since December 2009 for the exclusive purpose of testing if parallel operation in the productive and the test environment is feasible, can now also be used for productive DNSSEC traffic.
Once a day, DENIC signs the respective current .de zone version of the production environment and makes it available in the DNSSEC test environment for DNS queries. Participating Internet service providers and other enterprises with own resolving name servers now also have access to the signed .de zone, provided they make some specific configuration changes to their name servers. Moreover, the advanced version of the test set-up meanwhile allows to configure the Trust Anchor in a validating resolver. The Trust Anchor is a copy of the public section of the Key Signing Key that is communicated to the resolver as the Trusted Key. This Trust Anchor or Secure Entry Point, which is published on an https-secured webpage, will remain valid until revoked. In addition to the 2048bit Key Signing Key, a 1024bit Zone Signing Key will be used, which will be rolled over at pre-defined time intervals. Both keys generate signatures in accordance with the standardized RSA/SHA256 procedure and as specified in RFC5702. The .de zone is signed with opt-out, using NSEC3 records according to RFC5155. This helps to avoid zone walking and to achieve best possible data protection.
Until 2 March 2010, DENIC will establish interfaces for registering and administering key data in form of DNSKEY records for delegated .de domains. From then on, also delegated second level domains can participate in the testbed. The DNS traffic and utilization of the testbed is continuously recorded and analyzed by DENIC. The results are published at regular intervals.
Background Information
About DENIC
As the central registry, DENIC administers the now more than 13 million domains under the Top Level Domain .de and thus provides a crucial resource for users of the Internet. It sees its role as that of a competent, impartial provider of services for all domain holders and Internet users. With 121 employees, DENIC creates the foundation through its work for German Internet pages and e-mail addresses to be accessible throughout the world. The about 270 members of the Cooperative are IT or telecommunications businesses based in Germany and elsewhere. Working in cooperation with them and other partners, DENIC is committed to guarantee the secure operation of the Internet and its further worldwide development as a not-for-profit organization.
It operates the automatic electronic registration system for its members, runs the domain database for the Top Level Domain .de and the German ENUM domain (.9.4.e164.arpa), manages the name server services for the .de zone at currently 15 locations distributed throughout the world, and renders a considerable contribution to the further organizational and technical development of the Internet in cooperation with international bodies (e.g. ICANN, CENTR, IETF).
DNSSEC
DNSSEC is a protocol extension adding data origin authentication and data integrity to the Domain Name System (DNS). Public key technology helps to ensure that the reply from the DNS corresponds precisely to the information stored in the system by the responsible zone administrator. To secure the path between DNS servers and DNSSEC-capable clients, the servers and resolvers located in between are included in the safety chain together with their caches. Cryptographic signatures make it possible to verify if the data arriving at the resolver are complete and have not been modified.By authenticating the entire DNS traffic, the procedure makes unnoticed manipulation of data by third parties during data transport impossible and protects against potential DNS-based security risks such as cache poisoning, DNS redirection and spoofing. However, domain hijacking, phishing or manipulations during domain registration cannot be avoided by DNSSEC.
The DNSSEC Testbed for Germany
The DNSSEC testbed for Germany was launched in July 2009 as a concerted action of DENIC, the Association of the German Internet Economy eco e.V. and the Federal Agency for Security in Information Technology (BSI).
The testbed provides for the possibility of testing in a common cooperative environment all the scenarios that will be of importance in future operation. These include supporting DNSSEC for .de domains, publication of the trust anchors within the framework of the chain of trust, the necessary processes of domain registration and DNSSEC-specific supplements for processes such as provider change and name server updates, and also the utilization of DNSSEC-secured information through the end customer via their Internet access.
In the test environment provided by DENIC, the participants will collect and analyze operative and technical experiences in order to assess the effect of DNSSEC on security and reliability in the Internet. Extensive tests shall help to exclude at an early stage potential risks that may occur with productive DNSSEC operation and test market acceptance of the tool.
If you have any questions please contact:
DENIC eG
Public Relations
Stefanie Welters
Fon: +49 69 27235-274
Email: mailto:presse@denic.de