Yes to Secure Internet! - DNSSEC Is Coming for .de
DNSSEC Testbed Concluded Successfully - Launch of Extended DNS Protocol Scheduled for 31 May 2011
Apart from verifying technical feasibility, the testbed addressed a large variety of issues all around DNSSEC. To make such a broad approach possible, particular attention was paid to designing the testbed appropriately for all stakeholders involved, from Internet service providers (ISPs) to end product vendors. It was just this cooperative approach which proved a success factor. In close cooperation, the testbed participants quickly identified problems, worked out solutions and developed new processes. To give just one example, the DENIC registry interface was extended so that real-time registration of key material became possible. The results of the DNSSEC testbed, like the extension of the NAme Server Testers (NAST), have already been incorporated in everyday working practice. You will find further information about the extension of the NAme Server Testers (NAST) and the DNSSEC testbed in general on the DENIC website at http://www.denic.de/en/domains/dnssec.html. DENIC is planning to launch DNSSEC on 31 May 2011. This will give registrars, ISPs and users sufficient lead time to prepare for the launch and thus to ensure reliable application of the extended DNS protocol.
The Domain Name System (DNS) converts the domain entered by the user into an IP address that can be processed by the computer. So the DNS can be called the telephone directory of the Internet. At present, the transfer of the DNS information - i.e. the resolution of the domain into the corresponding IP address - is not encrypted. This makes it possible to alter the information en route to the resolving name servers, or by cache poisoning, and to redirect the user to manipulated sites. DNSSEC applies a digital signature to the name server records and thus ensures that the information will reach the user without any alterations. In addition, the sender of the information can be reliably authenticated. The procedure cannot, however, prevent false information from being signed or the user from being misled on a higher level.
In July 2008, the Kaminsky Report (www.doxpara.com/DMK_BO2K8.ppt) described vulnerable aspects of the Domain Name System (DNS) that make it possible to forge the records stored in the cache of a DNS server. By doing so, an attacker can gain control over the name resolution of specific hosts or domains and can use this as a basis for further attacks.
About DENIC eG
As the central registry, DENIC administers the now more than 14 million domains under the Top Level Domain .de and thus provides a crucial resource for users of the Internet. It sees its role as that of a competent, impartial provider of services for all domain holders and Internet users. With more than 120 employees, DENIC creates, through its work, the foundation for German Internet pages and e-mail addresses to be accessible throughout the world. The approximately 270 members of the Cooperative are IT or telecommunications businesses based in Germany and elsewhere. Working in cooperation with them and other partners, DENIC, as a not-for-profit organization, is committed to guaranteeing the secure operation of the Internet and its further worldwide development.
It operates the automatic electronic registration system for its members, runs the domain database for the Top Level Domain .de and the German ENUM domain (.9.4.e164.arpa), manages the name server services for the .de zone at currently 15 locations distributed throughout the world, and makes a considerable contribution to the further organizational and technical development of the Internet in cooperation with international bodies (e.g. ICANN, CENTR, IETF).