SIDN, which looks after the .nl zone and ENUM NL, has this evening successfully signed the .nl zone with DNSSEC. Signing the zone is the first step towards a large-scale roll-out of DNSSEC (DNS Security Extensions) within .nl. DNSSEC is an extension to the existing DNS (Domain Name System), which makes it possible for service providers to check whether the DNS information that they receive is trustworthy.
Its introduction will mean that the .nl domain – already one of the safest anywhere and the world’s third-biggest country-code domain – is an even more secure environment for internet users.
DNSSEC
The existing DNS protocol contains a number of vulnerabilities that mean it is not secure against threats such as cache poisoning and ‘man-in-the-middle’ attacks by unidentified parties. With DNSSEC, DNS servers – computers that are asked for ‘directions’ in the context of everyday internet use – need to attach ‘digital signatures’ to their responses. So – provided that an internet user’s ISP is working with a DNSSEC-enabled resolver – the user can be sure that incoming DNS information is trustworthy. This is important, because falsified DNS data can be used to direct internet users to fake websites or to divert e-mail into the wrong hands. DNSSEC resolves such problems and therefore increases the reliability of the DNS. However, it is not a security panacea. DNSSEC cannot prevent typo squatting or phishing, for example, and internet users should always remain alert to the possibility of abuse.
Signing
Signing a zone means attaching a digital signature to the DNS records in a zone file – in this case, the .nl zone file. The process involves adding new records to the file (the signatures and a public key, for example), so that the authenticity and the integrity of the data can be verified by resolvers. Within a couple of weeks the public key of the .nl zone will be published in the root, and from that moment on validation by DNSSEC-enabled resolvers will be possible. Most DNS queries are handled by resolvers operated by ISPs, but almost no ISP has yet enabled DNSSEC validation. Through the dnssec.nl platform, SIDN is working with the ISPs to promote implementation.
In early October, SIDN will be offering registrants who have experience of using DNSSEC the opportunity to provide ‘trust anchors’ for their domain names. The small number of anchors involved will then be added to the .nl zone file by SIDN. This Friends and Fans Programme will continue until it is possible to secure all .nl domain names using DNSSEC. SIDN intends to pursue the gradual further rollout of DNSSEC with a view to guaranteeing the availability of the .nl zone. The whole process should be complete before the end of 2011.
Strategy
Roelof Meijer, SIDN’s CEO: ‘In December 2009, we announced that we would sign the .nl zone a month after the internet’s root servers had been signed with DNSSEC. The .nl zone is a very big zone: there are over four million .nl domain names. So the introduction of DNSSEC shouldn’t be regarded as a sinecure. ICANN signed the root on 15 July, so, by following suit with .nl now, we have acted exactly when we said we would. After .org, ours is the second biggest zone to successfully implement DNSSEC. We waited until the root had been signed before going ahead, so that no interim solutions were needed and we could sign the entire chain in one go. We felt that this was the most efficient and secure way of bringing DNSSEC to the .nl zone. The implementation of DNSSEC is in line with our strategy of making .nl the most secure internet domain there is and with our determination to play a lead role in ongoing development of the DNS.’



