DNSSEC Testbed for Germany
In June 2009, DENIC launched a joint testbed for the Domain Name Security Extensions (DNSSEC) together with the Federal Agency for Security in Information Technology (BSI) (now: Federal Office for Information Security) and the Association of the German Internet Economy eco e.V. (now: eco - Association of the Internet Industry) in order to evaluate the potential effects of DNSSEC if introduced for .de domains. The purpose of DNSSEC is to close security holes in the Internet, such as cache poisoning, DNS redirection and DNS spoofing. Testbed participants had the opportunity to gain technical and operational experience in a test environment and to find out the impacts DNSSEC was going to have on security and reliability on the Internet. The project goal was to rule out operational risks of DNSSEC at an early stage and to find out about user acceptance. The testbed infrastructure was maintained until July 2011, when it was finally shut down.
DNSSEC Testbed Meetings
Final Meeting Will Take Stock
The fifth and last DNSSEC testbed meeting was held on 8 February 2011. With this meeting, the DNSSEC testbed initiated by the Federal Agency for Security in Information Technology (BSI), the Association of the German Internet Economy (eco) and DENIC was concluded.
The testbed offered the opportunity to collect operational and technical experience, to assess risks and to find out about user acceptance. The previous meetings covered these aspects in detail and discussed and resolved many open questions. At the final meeting, the initiators gave a concise summary and DENIC presented its plans for implementing DNSSEC in practice. 31 May 2011 was announced as the starting date for DNSSEC.
DNSSEC Testbed Final Report
Presentations
Testbed: DNSSEC for DE - Final Report (in German)
Peter Koch / Marcos Sanz Grossón, DENIC eG
DNSSEC Testbed: Conclusion (in German)
Dr. Lothar Eßer, BSI
Registrar Atlas 2011
Thomas Rickert, eco
Agenda
DNSSEC@DENIC: Current Status in the Testbed
Peter Koch / Marcos Sanz Grossón, DENIC eG
Experience Report of a Testbed Participant
Andreas Schulze, DATEV eG
DNSSEC in the Global Context: Current Status
Thorsten Dietrich, BSI
Validation of DNSSEC under MS Windows
Carsten Strotmann, Men & Mice
Tools & Emerging Services all around DNSSEC:
- Nominum DNSSEC Packs – Ralf Weber, Nominum Inc.
- GSLB / Global Service Loadbalancing – Ralf Brünig, F5 Networks GmbH
- Nixu NameSurfer Suite – Jürgen Joswig & Toni Lampela, Nixu Ltd.
- Exanames – Kariem Hussein & Wolfgang Nagele, Exabit GmbH
- OpenDNSSEC – Carsten Strotmann, Men & Mice
- The Infoblox DNSSEC Solution – Dominic Stahl, Infoblox Inc.
Presentations
DNSSEC@DENIC: Current Status in the DNSSEC Testbed
Peter Koch / Marcos Sanz Grossón, DENIC eG
DNSSEC in the Global Context: Current Status
Thorsten Dietrich, BSI
DNSSEC Validation under MS Windows
Carsten Strotmann, Men & Mice
Nominum DNSSEC Packs
Ralf Weber, Nominum Inc.
GSLB / Global Service Loadbalancing
Ralf Brünig, F5 Networks GmbH
Nixu NameSurfer Suite
Jürgen Joswig / Toni Lampela, Nixu Ltd.
Exanames
Kariem Hussein / Wolfgang Nagele, Exabit GmbH
OpenDNSSEC
Carsten Strotmann, Men & Mice
The Infoblox DNSSEC Solution
Dominic Stahl, Infoblox Inc.
Live Videos of the Event
DNSSEC@DENIC: Current Status in the Testbed
Peter Koch / Marcos Sanz Grossón, DENIC eG
Experience Report of a Testbed Participant
Andreas Schulze, DATEV eG
DNSSEC in the Global Context: Current Status
Thorsten Dietrich, BSI
DNSSEC Validation under MS Windows
Carsten Strotmann, Men & Mice
Nominum DNSSEC Packs
Ralf Weber, Nominum Inc.
GSLB / Global Service Loadbalancing
Ralf Brünig, F5 Networks GmbH
Nixu NameSurfer Suite
Jürgen Joswig / Toni Lampela, Nixu Ltd.
Exanames
Kariem Hussein / Wolfgang Nagele, Exabit GmbH
OpenDNSSEC
Carsten Strotmann, Men & Mice
The Infoblox DNSSEC Solution
Dominic Stahl, Infoblox Inc.
Agenda
DNSSEC@DENIC: Testbed "Halftime"
Peter Koch / Marcos Sanz Grossón, DENIC eG
Participation in the Testbed and Measurements Relating to NSEC3: An Experience Report
Florian Obser, Hostserver GmbH
DNSSEC in the Leibniz Data Center
Bernhard Schmidt, LRZ – The data center for Munich's universities and for the Bavarian Academy of Sciences
DNSSEC Introduction of "bund.de"
Thorsten Dietrich, Federal Agency for Security in Information Technology
DNSSEC as a Safety Means within the FRITZ!Box Home Router Network
Martin Duzy, AVM GmbH
Signing of the Root Zone: Finals have Begun
Peter Koch, DENIC eG
DNSSEC@Earth: Seeing the "Big Picture"
Carsten Strotmann, Men & Mice
Software Support for DNSSEC
Ralf Weber, Nominum Inc.
DNSSEC from a Registrar's Point of View
Volker Janzen, InterNetX GmbH
Domain Transfer with DNSSEC
Samuel Benz, SWITCH – Serving Swiss Universities
Presentations
DNSSEC@DENIC: Testbed "Halftime"
Peter Koch / Marcos Sanz Grossón, DENIC eG
Participation in the Testbed and Measurements Relating to NSEC3: An Experience Report
Florian Obser, Hostserver GmbH
DNSSEC in the Leibniz-Rechenzentrum
Bernhard Schmidt, LRZ – Data center of Munich's universities and research institutions
DNSSEC Introduction of "bund.de"
Thorsten Dietrich, Bundesamt für Sicherheit in der Informationstechnik
DNSSEC as a Safety Means within the FRITZ!Box Home Router Network
Martin Duzy / Jan Schöllhammer, AVM GmbH
Signing of the Root Zone: Finals have Begun
(Link to Information Website Root DNSSEC by ICANN and VeriSign)
Peter Koch, DENIC eG
DNSSEC@Earth: Seeing the "Big Picture"
Carsten Strotmann, Men & Mice
Software Support for DNSSEC
Ralf Weber, Nominum Inc.
DNSSEC from a Registrar's Point of View
Volker Janzen, InterNetX GmbH
Domain Transfer with DNSSEC
Samuel Benz, SWITCH – Serving Swiss Universities
Live Videos of the Event
DNSSEC@DENIC: Testbed "Halftime"
Peter Koch / Marcos Sanz Grossón, DENIC eG
Participation in the Testbed and Measurements Relating to NSEC3: An Experience Report
Florian Obser, Hostserver GmbH
DNSSEC in the Leibniz-Rechenzentrum
Bernhard Schmidt, LRZ – Data center of Munich's universities and research institutions
DNSSEC Introduction of "bund.de"
Thorsten Dietrich, Bundesamt für Sicherheit in der Informationstechnik
DNSSEC as a Safety Means within the FRITZ!Box Home Router Network
Martin Duzy / Jan Schöllhammer, AVM GmbH
Signing of the Root Zone: Finals have Begun
Peter Koch, DENIC eG
DNSSEC@Earth: Seeing the "Big Picture"
Carsten Strotmann, Men & Mice
Software Support for DNSSEC
Ralf Weber, Nominum Inc.
DNSSEC from a Registrar's Point of View
Volker Janzen, InterNetX GmbH
Domain Transfer with DNSSEC
Samuel Benz, SWITCH – Serving Swiss Universities
Agenda
Introduction and current status of DNSSEC (optional)
Peter Koch, DENIC
Welcome
Sabine Dolderer, DENIC
Presentation of the DNSSEC testbed at DENIC
Peter Koch / Marcos Sanz Grossón, DENIC
Around the world with DNSSEC: The status in other TLDs
Hans Peter Dittler, BRAINTEC Netzwerk-Consulting
DNSSEC in Switzerland: Initial experiences in productive operation
Samuel Benz, SWITCH
DNSSEC support via home routers
Thorsten Dietrich, BSI
Signing the root zone
Wolfgang Nagele, RIPE NCC
DNSSEC zone management with the open source tool ZKT
Holger Zuleger, HZNET
Presentations
Introduction to the DNSSEC testbed by DENIC (in German)
Peter Koch / Marcos Sanz Grossón, DENIC eG
With DNSSEC around the world: The status in other TLDs (in German)
Hans Peter Dittler, Braintec-Netzwerk-Consulting
DNSSEC in Sweden: Five Years' Practical Experience
Anne-Marie Eklund Löwinder, .SE
DNSSEC in Switzerland: First experiences with productive operation
Samuel Benz, SWITCH
DNSSEC support by home routers (in German)
Thorsten Dietrich, BSI
Signing of the root zone
Wolfgang Nagele, RIPE NCC
DNSSEC zone administration via the open source tool ZKT
Holger Zuleger, HZNET
Live Videos of the Event
Introduction to the DNSSEC testbed by DENIC (in German)
Peter Koch / Marcos Sanz Grossón, DENIC
With DNSSEC around the world: The status in other TLDs (in German)
Hans Peter Dittler, BRAINTEC Netzwerk-Consulting
DNSSEC support by home routers (in German)
Thorsten Dietrich, BSI
Signing of the root zone
Wolfgang Nagele, RIPE NCC
DNSSEC zone administration via the open source tool ZKT (in German)
Holger Zuleger, HZNET
Agenda
Welcome address
BSI
Presentation of the project and schedule
Sabine Dolderer
Background and introduction to DNSSEC
Hans Peter Dittler
DNSSEC for .de – Presentation of the test environment and setup
Dr Jörg Schweiger
DNSSEC for an ISP/registrar – What does an ISP/registrar need to do to make its infrastructure DNSSEC-ready and participate in the testbed
Ralf Weber, COLT
DNSSEC for network access devices – To what extent do access software/routers already support DNSSEC? Presentation of study
BSI
Discussion and Q&A session on the topic of DNSSEC testbed for .de
Moderator: Thomas Rickert
Presentations
The DNSSEC Testbed (in German only)
Sabine Dolderer, DENIC eG
Background and introduction DNSSEC (in German only)
Hans Peter Dittler, BRAINTEC Netzwerk-Consulting GmbH
The DNSSEC Testbed by DENIC (in German only)
Jörg Schweiger, DENIC eG
DNSSEC for Internet Service Provider (in German only)
Ralf Weber, COLT Telecom GmbH
DNSSEC - Broadband Routers and Firewalls (in German only)
Thorsten Dietrich, Bundesamt für Sicherheit in der Informationstechnik
Introduction of DNSSEC for the .de zone
The introduction of DNSSEC for the .de zone was based on the DURZ procedure for the root zone. The DUdeZ (deliberately unvalidatable DE zone) contained DS records based on the key signing keys (KSKs) stored in the registration system and was also fully signed in all other respects. However, the DNSKEY RRs were replaced by those with the same key tag that explicitly did not allow validation. This data was gradually supplied to the 16 name server locations.
For reasons of internal consistency of processes, DENIC had already published the DS records for the key signing keys of second-level domains registered to date in the unsigned .de zone for a short transition period and then as part of the DUdeZ. This affected approximately 180 participants in the test phase preceding the introduction, known as the DNSSEC testbed. These records were unusable because they were not signed, but otherwise harmless, as the common validating resolvers only make requests for DS records if there is a prospect of success.
On 31 May 2011 – the official launch date of DNSSEC – the DNSKEY RRSet was published and the DS RR was sent to IANA. This DS RR appeared in the root zone for the first time on 7 June 2011. Since then, it has been possible to validate .de domains.
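The following added example (not DENIC's tooling or code from the original page) illustrates why a DNSKEY that merely shares a key tag with the real key cannot be used for validation: the key tag is only the 16-bit checksum from RFC 4034 Appendix B, while a DS record binds to the key through a digest over the owner name and the DNSKEY RDATA. The key octets and the helper names are constructed for this illustration; the placeholder is not the one DENIC used.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete 1)."""
    ac = (sum(rdata[0::2]) << 8) + sum(rdata[1::2])
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def name_to_wire(name: str) -> bytes:
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner: str, rdata: bytes):
    """DS fields: key tag, algorithm, digest type 2 (SHA-256), digest."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(ds, owner: str, rdata: bytes) -> bool:
    """The tag and algorithm only select candidate keys; the digest binds."""
    tag, alg, dtype, digest = ds
    if dtype != 2 or tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return hashlib.sha256(name_to_wire(owner) + rdata).digest() == digest

def same_tag_placeholder(template: bytes, tag: int) -> bytes:
    """Vary the last four octets of a dummy DNSKEY until its key tag equals `tag`."""
    for n in range(1 << 32):
        candidate = template[:-4] + n.to_bytes(4, "big")
        if key_tag(candidate) == tag:
            return candidate
    raise ValueError("no placeholder found")

def demo():
    # Constructed octets standing in for key material; neither is a real key.
    real = dnskey_rdata(257, 8, bytes(range(1, 33)))
    ds = make_ds("de.", real)
    placeholder = same_tag_placeholder(dnskey_rdata(257, 8, b"\xaa" * 32), ds[0])
    return ds, real, placeholder

if __name__ == "__main__":
    ds, real, placeholder = demo()
    print("key tag real/placeholder:", key_tag(real), key_tag(placeholder))
    print("DS matches real key:     ", ds_matches(ds, "de.", real))
    print("DS matches placeholder:  ", ds_matches(ds, "de.", placeholder))
```

A validator that finds a DNSKEY by key tag still has to verify the digest or signature against it, so publishing same-tag placeholder keys keeps record sizes and lookups realistic without giving resolvers anything they can validate.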