DENIC eG, eco and BSI Start Initiative to Extend Security in the Domain Name System
Köln, Frankfurt, Bonn, 13 May 2009 – Even when simply entering an Internet address in a web browser, Internet users run the risk of being redirected to a fraudulent site. Improved security tools in the Domain Name System (DNS) are intended to close these security holes, which have been publicized by the Kaminsky report, and thus make manipulation more difficult. DENIC eG, the Association of the German Internet Economy (eco), and the Federal Agency for Security in Information Technology (BSI) have launched a joint initiative to tackle the problem. DENIC has provided a test environment for collecting and reviewing operational and technical experience in order to assess the impact the Domain Name Security Extensions (DNSSEC) have on the reliability of the Internet.
"The procedure offers great opportunities; however, it also requires comprehensive changes on all levels of the Domain Name System", says Harald A. Summa, Managing Director of the eco federation. "Therefore it is essential to know that the tool is reliable and secure before introducing it on a large scale." Sabine Dolderer, CEO of DENIC eG, shares this opinion: "We are happy that we can test the procedure extensively with broad support from the industry and the users. This will help rule out potential risks of DNSSEC during operation at an early stage and determine the degree of acceptance by the users." Therefore, DNSSEC will be tested in an environment very similar to the production environment in order to identify problems and to find suitable solutions. Dr. Hartmut Isselhorst, head of the responsible department at the BSI, welcomes these tests: "We consider the introduction of DNSSEC an indispensable means of enhancing security on the Internet, even in an international context. We will introduce DNSSEC to the networks of public administrations in Germany once the necessary tests have been completed successfully."
The initiators invite all interested providers and users to the DENIC premises in Frankfurt on 2 July 2009 to witness the launch of the test phase. Additional information on the first meeting can be found at http://www.denic.de/domains/dnssec/dnssectestbed.html.
The Domain Name System (DNS) converts the domain entered by the user into an IP address that can be processed by the computer. The DNS can therefore be called the telephone directory of the Internet. At present, the transfer of the DNS information – i.e. the resolution of the domain into the corresponding IP address – is not encrypted. This opens up possibilities for altering the information en route or through cache poisoning of the resolving name servers, and for redirecting the user to manipulated sites. DNSSEC applies a digital signature to the name server records and thus ensures that the information will reach the user without any alterations. In addition, the sender of the information can be reliably authenticated. However, the procedure cannot prevent false information from being signed or the user from being misled on a higher level.
In July 2008, the Kaminsky Report (http://www.doxpara.com/DMK_BO2K8.ppt) described vulnerable aspects of the Domain Name System (DNS) that make it possible to forge the records stored in the cache of a DNS server. In this way, the attacker can gain control over the name resolution of specific hosts or domains and can use this as a basis for further attacks.
eco (www.eco.de) is the Association of the German Internet Economy. It was founded more than ten years ago. Its over 400 member companies employ a total of about 300,000 people and produce an annual turnover of approximately 75 billion euros. The approximately 230 backbones of the German Internet are represented in the eco federation, and eco regards itself as the lobby of the German Internet economy vis-à-vis the government and in international bodies. Being a network of experts, eco deals with topical subjects concerning Internet law, infrastructure, online services and e-business.
DENIC (www.denic.de) is the central registry for the Top Level Domain .de and is responsible for the operation of the TLD's name servers. Through its work, it creates the foundation for German Internet pages and e-mail addresses to be accessible throughout the world. Administering 12.7 million domains, DENIC operates the second-largest ccTLD worldwide. DENIC is a private-sector company with the legal form of a registered cooperative. The over 260 DENIC members are IT businesses based in Germany and elsewhere.
About the BSI
The Federal Agency for Security in Information Technology (www.bsi.bund.de) is an authority under the leadership of the Federal Ministry of the Interior. As Germany’s National Information Security Authority at federal level, the BSI is responsible for promoting information security in Germany. Its information services and products are aimed at the users and manufacturers of information technology products, primarily the public administrations at federal, state and municipal level, in addition to companies and private users.
For further information contact:
eco Verband der deutschen Internetwirtschaft e.V., Lichtstr. 43h, 50825 Cologne, Katrin Mallener, phone: 0221/700048-260, e-mail: email@example.com, Web: www.eco.de
DENIC eG, Kaiserstr. 75-77, 60329 Frankfurt, Andreas Hölting, phone: +49 69 27 235 274, e-mail: firstname.lastname@example.org, Web: www.denic.de
Bundesamt für Sicherheit in der Informationstechnik (BSI), Postfach 20 03 63, 53133 Bonn, Matthias Gärtner, phone: +49 228 99 9582-5850, e-mail: email@example.com, Internet: www.bsi.bund.de