• Tuesday 1 November 2016 About SIDN

    Arjan Middelkoop joins the SIDN team as NMS Manager

    Adds impetus to our ambition.

  • Monday 9 April 2018 Knowledge bank

    Support for secure transfer of signed domains now complete

    February 2014

    Although DNSSEC was formally introduced to the Netherlands in 2012, the transfer of secure domains remained a problem for a long time. After all, when transferring a signed domain, the registrant will normally want to know that the domain will remain secure, not only after the new registrar takes control, but also while the transfer is in progress. A transfer protocol that made that possible was devised several years ago by Antoin Verschuren, Technical Advisor at SIDN, and has since been standardised by the IETF. However, the new transfer procedure required the receiving registrar and the releasing registrar to exchange key material: something that SIDN's registry interface didn't support at the time. Last year, a new EPP command was therefore developed: key relay. Now that PowerDNS — the most widely used DNS server for signed domains — officially supports the publication of external key material, the chain is complete. Signed domains can now be transferred between registrars securely and automatically. In the summer, Monshouwer became the first registrar to implement and use the entire transfer protocol.

  • Sunday 8 April 2018 Knowledge bank

    Root zone rollover has implications for DNSSEC operators

    19 January 2017

    In autumn 2017, ICANN initiated the rollover of the key signing key (KSK) pair for the root zone. The rollover involves renewing (i.e. replacing) the root zone's cryptographic key pair, which underpins the entire DNSSEC infrastructure. Renewing the key pair entails significant risk. Although it is very unlikely that anything will go wrong, an error could potentially render all internet domains (including non-signed domains) unreachable for all users and applications that rely on validating resolvers. The situation is similar at the local level. Validating resolver operators need to first add the new (public) key to the trust anchors on their servers, and subsequently remove the old key from their systems. If an operator fails to act, it won't be possible to validate any digital signatures beneath the top-level domains (TLDs) in the root zone. Then all internet domains will become unreachable for everyone relying on the resolver in question. RFC 5011 sets out a protocol for automatically installing the new (public) key as a trust anchor. The developers of the most widely used validating resolvers — BIND named, Unbound and OpenDNSSEC — all say that their software supports the protocol. The very dated Infoblox appliances don't support RFC 5011, meaning that Infoblox users face a fresh set of problems.
