German Top Level Domain Now DNSSEC Frontrunner
.de Has the Most DNSSEC-Signed Second Level Domains in the World
More than 200,000 .de domains are already signed with DNSSEC, meaning the data provided by the DNS can now be checked for authenticity. This makes .de the Top Level Domain with the largest number of signed Second Level Domains worldwide.
The background to this is that DENIC offers the possibility to store authoritative data directly in the .de zone. Like the Second Level Domains delegated with their own key material, these data have been signed since 31 May 2011 and can now be checked by a validating resolver with standard configuration. Part of this configuration is the so-called trust anchor for the root zone (https://www.iana.org/dnssec/). Configuring a trust anchor for .de in addition to the one for the root zone remains unnecessary and is not recommended.
Caching mechanisms in the DNS generally have the effect that new data are not visible immediately everywhere on the Internet. Operators of validating resolvers who want to validate .de domains as soon as possible may want to restart their resolver processes. This will empty the cache and accelerate the process of getting ready for validation.
With validation now available, the DNSSEC testbed infrastructure has fulfilled its purpose. As already announced, it will be continued until the end of July 2011.
You will find detailed information about DNSSEC on our website at http://www.denic.de/....
Domain Name System Security Extensions (DNSSEC) are extensions of the DNS (Domain Name System) intended to close security holes in the Internet, such as cache poisoning and DNS spoofing.
DNSSEC provides security by data origin authentication, i.e. by securing the path between the DNS servers and the validating DNS clients, with intermediate resolvers and their caches being included in the security perimeter. The signature which was applied reveals if the data were actually generated by a source entitled to do so. At the same time, securing data integrity protects against DNS data that was manipulated on the way. However, DNSSEC does not warrant the correctness of the initially stored data. Neither will it protect against domain hijacking or manipulations during the registration process.
DNSSEC verifies DNS replies by means of cryptographically secured signatures. These signatures are computed from the DNS data to be protected and are transferred to the client together with the data. Response verification is executed in the client or in the upstream resolver by means of a check against the public keys valid for the respective zone. These keys, in turn, are easily stored in and retrieved from the DNS. This procedure itself is secured by DNSSEC and is thus not subject to the aforementioned security threats; only the key required to start the chain of trust (i.e. the key of the root zone) is permanently stored in the client or its configuration data.
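The link in this chain of trust is the DS record: the parent zone publishes a digest of the child zone's key, so a resolver that trusts the parent can check a key it retrieved from the DNS. The following Python code is an added example, not DENIC's own; it computes the key tag and DS digest in the format defined by RFC 4034, and the zone name `example.de.` and the key bytes are constructed placeholders, not real keys.

```python
import hashlib
import hmac
import struct

# Digest types accepted by this example: 2 = SHA-256, 4 = SHA-384.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (a lookup hint, not a security check)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields the parent publishes: (key tag, algorithm, digest type, digest)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(owner, ds, dnskeys):
    """Return the DNSKEY RDATA that the parent's DS vouches for, or None."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return None  # unknown digest type: no usable DS
    for rdata in dnskeys:
        if rdata[3] != algorithm or key_tag(rdata) != tag:
            continue  # cheap pre-filter before hashing
        candidate = make_ds(owner, rdata, digest_type)[3]
        if hmac.compare_digest(candidate, digest.lower()):
            return rdata
    return None

if __name__ == "__main__":
    # Constructed sample data: placeholder key bytes, not real DNSSEC keys.
    ksk = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
    zsk = dnskey_rdata(256, 3, 8, bytes(range(65, 129)))
    ds = make_ds("example.de.", ksk)           # what the parent zone would hold
    forged = ksk[:-1] + bytes([ksk[-1] ^ 1])   # key altered in transit
    print("DS:", ds)
    print("genuine key accepted:", ds_matches("example.de.", ds, [zsk, ksk]) == ksk)
    print("forged key accepted:", ds_matches("example.de.", ds, [zsk, forged]) is not None)
```

A full validator would go on to verify the RRSIG over the DNSKEY set with the matched key; this example covers only the parent-to-child step.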
DNSSEC is one component in making operation of the DNS, a crucial aspect of the Internet, more secure by protecting the DNS against data manipulation and spoofing.
As the central registry, DENIC administers the now more than 14 million domains under the Top Level Domain .de and thus provides a crucial resource for users of the Internet. It sees its role as that of a competent, impartial provider of services for all domain holders and Internet users. With more than 120 employees, DENIC lays the foundation for German Internet pages and e-mail addresses to be accessible throughout the world. The roughly 270 members of the Cooperative are IT or telecommunications businesses based in Germany and elsewhere. Working in cooperation with them and other partners, DENIC, as a not-for-profit organization, is committed to guaranteeing the secure operation of the Internet and its further worldwide development.
It operates the automatic electronic registration system for its members, runs the domain database for the Top Level Domain .de and the German ENUM domain (.9.4.e164.arpa), manages the name server services for the .de zone at currently 16 locations distributed throughout the world, and makes a considerable contribution to the further organizational and technical development of the Internet in cooperation with international bodies (e.g. ICANN, CENTR, IETF).