DNSSEC

DNSSEC

The .de DNSSEC Testbed

Together with BSI and eco DENIC has launched a testbed for the Domain Name Security Extensions (DNSSEC) to evaluate the introduction of DNSSEC for .de domains. The purpose of DNSSEC is to close security holes in the Internet, such as cache poisoning, DNS redirection and DNS spoofing. DENIC has provided a test environment for collecting and reviewing operational and technical experiences in order to assess the impact the DNSSEC will have on security and reliability in the Internet. The target of the project is to test the procedure extensively in order to rule out at an early date potential risks faced when operating DNSSEC and to test user acceptance. On 2 July 2009, the Initial Meeting was held for all active participants and everybody interested in the topic. The 2nd DNSSEC Testbed Meeting on 26 January 2010 focused on first experiences made with the signed .de zone. At the 3rd DNSSEC testbed meeting on 16 June 2010 reports from the practice were in the center of attention.

What's going on now and what will happen next?

Since 2 March 2010 DENIC also enables second level domains under .de to participate in the DNSSEC testbed and to record the related key material. In this process, DENIC initially registers the Key Signing Keys used as Trust Anchor, and then publishes the corresponding DS records in the .de zone accessible in the testbed. Thus participants in the testbed will now also receive DNSSEC-secured responses for the second level domains involved. In January 2010, the signed version of the .de zone was made available in the DNSSEC testbed environment. Thus, the separate infrastructure, previously used exclusively to find out if parallel operation of a productive and a test environment is feasible, can also be used for productive DNSSEC traffic. DENIC will sign the respective current .de zone version of the production environment once a day and make it available in the DNSSEC testbed environment for DNS queries. The two name server clusters in Frankfurt and Amsterdam will answer DNS queries including DNSSEC data as authoritative and non-recursive name servers.

We have compiled information and examples regarding the Resolver Configurations for all participants of the testbed.

You will find further details in the Status section. For a list of all other dates go to our Roadmap. To keep up-to-date about the project steps and its progress and to exchange experiences and opinions about the testbed, subscribe to the DNSSEC Testbed Mailing List DENIC has established as a communication platform.

How to participate in the DNSSEC testbed

As in domain registration and administration, the Key Signing Key is registered by the Internet service provider or domain registrar who administers the domain. Thus, interested domain holders are requested to contact their providers directly and to consult them about their personal options for using DNSSEC. To be able to participate in the testbed, domain holders must use a DNSSEC-capable name server software for their domain. This is an essential prerequisite. At the present moment, the implementation is primarily suited for domain holders who operate their own name servers.

Status

Here, you will find detailed information about the current progress stage of the project, a list of the milestones and technical information about the testbed.

Project Survey

Here, you will find general information about the DNSSEC testbed, ranging from explanations about the testbed objective up to information about the events held until the respective date.

Background Information

Here, we have compiled detailed information and documents all around DNSSEC and the DNSSEC testbed, which will give you an in-depth insight in the topic.

Technical Documentations

In the future, you will find here a summary of all technical details and an FAQ section with answers to the most frequently asked questions.