DNSSEC Testbed

The launch of DNSSEC for the .de zone

The introduction of DNSSEC in the .de zone followed the DURZ procedure applied for the root zone. The DUdeZ (deliberately unvalidatable DE zone) was equipped with DS records based on the Key Signing Keys (KSKs) stored in the registration system and also was fully signed in all other respects. However, the DNSKEY-RRs were replaced with DNSKEY-RRs with identical key tags which explicitly rejected validation. All the 16 name server locations of DENIC were incrementally provided with this data.

For internal reasons of procedure consistency DENIC had already published the DS records of the Key Signing Keys of second level domains registered by that date for a brief interim period in the undesigned .de zone and later also within the scope of DUdeZ. About 180 participants of the test phase preceding the launch, the so-called DNSSEC testbed, were concerned. These records could not actually be used because they were not signed. However, they could not do any harm either since common validating resolvers only query DS records if they expect the query to be successful.

On 31 May 2011 – the official launch date of DNSSEC – the DNSKEY-RR set was published and the DS-RR was sent to IANA. This DS-RR was first published in the root zone on 7 June 2011. Since then .de domains can be validated.

DNSSEC Testbed for Germany

DNSSEC Testbed for Germany

In June 2009, DENIC launched a joint testbed for the Domain Name Security Extensions (DNSSEC) together with the Federal Agency for Security in Information Technology (BSI) and the Association of the German Internet Economy eco e.V. in order to evaluate the potential effects of DNSSEC if introduced for .de domains. The purpose of DNSSEC is to close security holes in the Internet, such as cache poisoning, DNS redirection and DNS spoofing. Testbed participants had the opportunity to gain technical and operational experience in a test environment and to find out the impacts DNSSEC was going to have on security and reliability on the Internet. The project goal was to rule out operational risks of DNSSEC at an early stage and to find out about user acceptance.

DNSSEC testbed meetings

On 2 July 2009, the Initial DNSSEC Testbed Meeting was held for all active participants and interested parties.

The 2nd DNSSEC Testbed Meeting on 26 January 2010 focused on first experiences with the signed .de zone.

At the 3rd DNSSEC Testbed Meeting on 16 June 2010, reports from the practice were the central topic.

At the 4th DNSSEC Testbed Meeting, the focus had clearly shifted to tools and emerging services in the DNSSEC environment and offered producers the opportunity to present their products.

The 5th DNSSEC Testbed Meeting on 8 February 2011 marked the end of the test phase. The official final testbed report was presented, and the launch of DNSSEC was announced for 31 May 2011.

The testbed infrastructure was maintained until July 2011, when it was finally shut down.

For details about the project implementation refer to the project roadmap.