BIT signs reverse DNS zones

"Because we can"

Since the summer, internet service provider BIT has been signing not only domain names, but also reverse domain names (rDNS) for its customers. In other words, digital signatures (RRSIG records) are being attached when IP addresses (both IPv4 and IPv6) are translated back into host names.

Existing PowerDNS system

"We've signed all the IP ranges that we own, declares Sander Smeenk", BIT's Head System Manager. "Reverse DNS signing is much the same as forward DNS signing. We simply use our existing PowerDNS system to sign the reverse records."

"The one difference is that our public KSK (DS record) has to be deposited with RIPE NCC, the organisation responsible for the IP address space in Greater Europe and West Asia. They don't have an EPP portal for that kind of transaction, so we used their auto-dbm mail robot to deposit the key."

Customers who do their own reverse DNS management — in other words, those to whom BIT has delegated the DNS management of the address blocks that they use — can register their DNSKEY records with BIT. The ISP then adds them to the superordinate reverse zone, thus completing the cryptographic chain of trust.

"Because we can"

BIT didn't have a specific incentive for enabling DNSSEC on its reverse DNS. "We're comfortable with the technology and we have confidence in our production line", says Smeenk. "We're doing it because we can."

Marco Davids, Researcher at SIDN Labs, sees DNSSEC as less urgent for reverse DNS than for forward DNS. "The attack vectors on reverse DNS are much smaller. But there's certainly no harm in what BIT is doing: every little helps where DNS security is concerned. BIT's decision to enable DNSSEC on their reverse DNS shows that they are completely at home with the technology. DNSSEC is now becoming a standard feature of the DNS."


  • Monday 23 July 2018

    Internet security

    Beware: stand-ins and holiday temps targeted by cybercrooks


    Summer holiday period now in full swing

    Read more
  • Wednesday 17 April 2019

    About SIDN

    SIDN Labs researcher awarded doctorate for phishing study


    Elmer Lastdrager, research engineer SIDN Labs, spent six years studying various aspects of phishing. On 9 February, Lastdrager will be awarded a doctorate for his work.

    Read more
  • Monday 26 February 2018

    SIDN Labs

    Keep ‘m rolling: monitoring .se’s DNSSEC algorithm rollover

    Rolling DNSSEC keys is a critical operation

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.