BIT signs reverse DNS zones

"Because we can"

Since the summer, internet service provider BIT has been signing not only domain names, but also reverse domain names (rDNS) for its customers. In other words, digital signatures (RRSIG records) are being attached when IP addresses (both IPv4 and IPv6) are translated back into host names.

Existing PowerDNS system

"We've signed all the IP ranges that we own," declares Sander Smeenk, BIT's Head System Manager. "Reverse DNS signing is much the same as forward DNS signing. We simply use our existing PowerDNS system to sign the reverse records."

"The one difference is that our public KSK (DS record) has to be deposited with RIPE NCC, the organisation responsible for the IP address space in Greater Europe and West Asia. They don't have an EPP portal for that kind of transaction, so we used their auto-dbm mail robot to deposit the key."

Customers who do their own reverse DNS management — in other words, those to whom BIT has delegated the DNS management of the address blocks that they use — can register their DNSKEY records with BIT. The ISP then adds them to the superordinate reverse zone, thus completing the cryptographic chain of trust.
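
As an added illustration (not code from BIT or SIDN): the record a parent zone publishes to anchor a child's key is a DS record, a hash over the child zone's name and its DNSKEY as defined in RFC 4034. The Python sketch below derives the reverse zone name for a prefix and the SHA-256 DS for it; the prefixes are documentation ranges, the key bytes are a constructed placeholder rather than a real key, and classless (non-boundary) delegations are rejected rather than handled.

```python
import hashlib
import ipaddress
import struct

def reverse_zone(prefix: str) -> str:
    """Reverse zone name for a prefix on an octet (IPv4) or nibble (IPv6) boundary."""
    net = ipaddress.ip_network(prefix)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 prefix must end on an octet boundary")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa."
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 prefix must end on a nibble boundary")
        nibbles = net.network_address.exploded.replace(":", "")
        labels = list(nibbles)[: net.prefixlen // 4]
        suffix = "ip6.arpa."
    return ".".join(labels[::-1] + [suffix])

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire format of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as specified in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(zone: str, rdata: bytes) -> str:
    """DS in presentation form, digest type 2 = SHA-256(owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return f"{zone} IN DS {key_tag(rdata)} {rdata[3]} 2 {digest}"

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13, placeholder key bytes.
SAMPLE_ZONE = reverse_zone("192.0.2.0/24")
SAMPLE_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    print(ds_record(SAMPLE_ZONE, SAMPLE_KSK))
    print(ds_record(reverse_zone("2001:db8::/32"), SAMPLE_KSK))
```

Because the owner name is part of the hashed input, the same key yields a different DS for each reverse zone, so a DS cannot be copied from one delegation to another.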

"Because we can"

BIT didn't have a specific incentive for enabling DNSSEC on its reverse DNS. "We're comfortable with the technology and we have confidence in our production line", says Smeenk. "We're doing it because we can."

Marco Davids, Researcher at SIDN Labs, sees DNSSEC as less urgent for reverse DNS than for forward DNS. "The attack vectors on reverse DNS are much smaller. But there's certainly no harm in what BIT is doing: every little helps where DNS security is concerned. BIT's decision to enable DNSSEC on their reverse DNS shows that they are completely at home with the technology. DNSSEC is now becoming a standard feature of the DNS."
