DNSSEC Testbed Concluded Successfully – Launch of Extended DNS Protocol Scheduled for 31 May 2011

DNSSEC (Domain Name Security Extensions) shall improve security for .de domains too in the future. This is the result of the broad-based test phase that ended with today's concluding meeting. "DNSSEC has successfully passed the operative phase in the testbed," says DENIC's CEO, Sabine Dolderer. Thus DENIC will launch DNSSEC on 31 May 2011. "I am confident that this is another important step towards security on the Internet," so Sabine Dolderer in the DENIC head office in Frankfurt. What precisely shall be avoided by DNSSEC? The redirection of users to websites they did not intend to visit, the reading of data by unauthorized third parties, and the manipulation of contents. The testbed was launched jointly by DENIC, the Association of the German Internet Economy eco e.V. and the Federal Agency for Security in Information Technology (BSI) and ran from July 2009 to December 2010.

Close Cooperation

Apart from verifying technical feasibility, the testbed addressed a large variety of issues all around DNSSEC. To make such a broad approach possible particular attention was paid to designing the testbed appropriately for all stakeholders, from Internet service providers (ISP) to end product vendors, being involved. It was just this cooperative approach which proved a success factor. In close cooperation, the testbed participants quickly identified problems, worked out solutions and developed new processes. To give just one example, the DENIC registry interface was extended so that real-time registration of key material became possible. The results of the DNSSEC testbed, like the extension of the NAme Server Testers (NAST), have already been incorporated in everyday working practice. You will find further information about the extension of the NAme Server Testers (NAST) and the DNSSEC testbed in general on the DENIC website at http://www.denic.de/en/domains/dnssec.html. DENIC is planning to launch DNSSEC on 31 May  2011. This will give registrars, ISPs and users sufficient lead time to prepare the launch and thus to ensure reliable application of the extended DNS protocol.

Background information:

About DNSSEC

The Domain Name System (DNS) converts the domain entered by the user into an IP address that can be processed by the computer. So the DNS can be called the telephone directory of the Internet. At present, the transfer of the DNS information – i.e. the resolution of the domain into the corresponding IP address – is not encrypted. This situation provides possibilities for altering the resolving name servers en route or by cache poisoning and to redirecting the user to manipulated sites. DNSSEC applies a digital signature to the name server records and thus ensures that the information will reach the user without any alterations. In addition to that, the sender of the information can be reliably authenticated. The procedure cannot prevent, however, that false information is signed or that the user is misled on a higher level.
In July 2008, the Kaminsky Report (www.doxpara.com/DMK_BO2K8.ppt) reported about vulnerable aspects of the Domain Name System (DNS), which enable forging the records stored in the cache of a DNS server. In doing so, the attacker can gain control over the name resolution of specific hosts or domains and can use this as a basis for further attacks.

About DENIC eG

As the central registry, DENIC administers the now more than 14 million domains under the Top Level Domain .de and thus provides a crucial resource for users of the Internet. It sees its role as that of a competent, impartial provider of services for all domain holders and Internet users. With more than 120 employees, DENIC creates the foundation through its work for German Internet pages and e-mail ad-dresses to be accessible throughout the world. The about 270 members of the Cooperative are IT or telecommunications businesses based in Germany and elsewhere. Working in cooperation with them and other partners, DENIC is committed to guarantee the secure operation of the Internet and its further worldwide development as a not-for-profit organization.

It operates the automatic electronic registration system for its members, runs the domain database for the Top Level Domain .de and the German ENUM domain (.9.4.e164.arpa), manages the name server services for the .de zone at currently 15 locations distributed throughout the world, and renders a con-siderable contribution to the further organizational and technical development of the Internet in coopera-tion with international bodies (e.g. ICANN, CENTR, IETF).

For further information please contact:

DENIC eG
Public Relations
Fon: +49 69 27235-274
E-Mail: mailto:presse@denic.de