• Sunday 8 April 2018 Knowledge bank

    Root zone rollover has implications for DNSSEC operators

    19 January 2017 In autumn 2017, ICANN initiated the rollover of the (KSK) pair for the root zone. The rollover involves renewing (i.e. replacing) the root zone's cryptographic key pair, which underpins the entire DNSSEC infrastructure. Renewing the key pair entails significant risk. Although it is very unlikely that anything will go wrong, an error could potentially render all internet domains (including non-signed domains) unreachable for all users and applications that rely on validating resolvers. The situation is similar at the local level. Validating resolver operators need to first add the new (public) key to the trust anchors on their servers, and subsequently remove the old key from their systems. If an operator fails to act, it won't be possible to validate any digital signatures beneath the top-level domains (TLDs) in the root zone. Then all internet domains will become unreachable for everyone relying on the resolver in question. RFC 5011 sets out a protocol for automatically installing the new (public) key as a trust anchor. The developers of the most widely used validating resolvers — BIND named, Unbound and OpenDNSSEC — all say that their software supports the protocol. The very dated Infoblox appliances don't support RFC 5011, meaning that Infoblox users face a fresh set of problems.

    Afbeelding van Root zone rollover has implications for DNSSEC operators
    Read more
  • Friday 23 February 2018 Knowledge

    2017: a strong year for the European domain name market

    Growth in nearly all domains

    Afbeelding van 2017: a strong year for the European domain name market
    Read more
  • Monday 9 April 2018 Internet security

    DNSSEC signatures in BIND named

    Most operators who run their own DNS services use BIND named, the most widely used DNS server software outside the world of the big registrars. BIND named can function as an (authoritative) name server and/or as a (caching) resolver. This article looks at the signing of a zone on an authoritative name server. The configuration of named as a DNSSEC validating resolver is dealt with in a separate article. BIND's DNSSEC functionality has developed incrementally over the past few years, to become a mature feature of this DNS server software. Because of the incremental development, there are significant differences between successive (minor) versions. Where possible and relevant, this article indicates the version from which the features described are supported. That is important mainly for users of enterprise platforms, which for stability and security reasons tend not to use the most recent software versions. There will also be cases where an existing BIND software installation has been upgraded by the package management system of the operating system, but the configuration in use is still based on an older version. We nevertheless recommend using the most recent version of BIND that you can, if for no other reason than that each successive version has bug-fixes and security-fixes absent from the earlier versions.

    Afbeelding van DNSSEC signatures in BIND named
    Read more