• Sunday 8 April 2018 Knowledge bank

    Root zone rollover has implications for DNSSEC operators

    19 January 2017 In autumn 2017, ICANN initiated the rollover of the (KSK) pair for the root zone. The rollover involves renewing (i.e. replacing) the root zone's cryptographic key pair, which underpins the entire DNSSEC infrastructure. Renewing the key pair entails significant risk. Although it is very unlikely that anything will go wrong, an error could potentially render all internet domains (including non-signed domains) unreachable for all users and applications that rely on validating resolvers. The situation is similar at the local level. Validating resolver operators need to first add the new (public) key to the trust anchors on their servers, and subsequently remove the old key from their systems. If an operator fails to act, it won't be possible to validate any digital signatures beneath the top-level domains (TLDs) in the root zone. Then all internet domains will become unreachable for everyone relying on the resolver in question. RFC 5011 sets out a protocol for automatically installing the new (public) key as a trust anchor. The developers of the most widely used validating resolvers — BIND named, Unbound and OpenDNSSEC — all say that their software supports the protocol. The very dated Infoblox appliances don't support RFC 5011, meaning that Infoblox users face a fresh set of problems.

    Afbeelding van Root zone rollover has implications for DNSSEC operators
    Read more
  • Wednesday 11 April 2018 Knowledge bank

    EPP 'key relay': a structural solution for the DNSSEC transfer problem

    Autumn 2013 This summer, a structural solution for the transfer of DNSSEC-enabled domains became available. SIDN's EPP interface has been extended to support a new 'key relay' command, meaning that a domain can now be transferred without interrupting its secure status. What's more, the transaction can be fully automated. Registrars and software providers can incorporate the new functionality into their own dashboards and interfaces thus make it available to their own users. A significant obstacle to further DNSSEC adoption has therefore been removed.

    Afbeelding van EPP 'key relay': a structural solution for the DNSSEC transfer problem
    Read more
  • Thursday 11 October 2018 Internet security

    Is your business hack-proof?

    Take the test!

    Afbeelding van Is your business hack-proof?
    Read more