DNSSEC
What is DNSSEC?
To reach another person on the Internet you have to type an address into your computer: a name or a number. That address has to be unique so computers know where to find each other. Without that coordination we wouldn't have one global Internet.
When you type a name, that name must first be translated into a number by a system before the connection can be established. That system is called the Domain Name System (DNS), and it translates names like www.nic.ir into numbers called Internet Protocol (IP) addresses.
Recently vulnerabilities in the DNS were discovered that allow an attacker to hijack this process of looking up a person or a site on the Internet by name. The purpose of the attack is to take control of the session, for example to send the user to the hijacker's own deceptive web site for account and password collection. These vulnerabilities have increased interest in introducing a technology called DNS Security Extensions (DNSSEC) to secure this part of the Internet's infrastructure.
The questions and answers that follow are an attempt to explain what DNSSEC is and why its implementation is important.
DNSSEC is a technology that was developed to, among other things, protect against such attacks by digitally 'signing' data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup, from the root zone to the final domain name (e.g., www.nic.ir). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall process. Importantly, it does not encrypt data; it only attests to the validity of the address of the site you visit.
Signing the root
Signing the root by using DNSSEC adds a few more records per top-level domain to the root zone file: a key and a signature attesting to the validity of that key.
DNSSEC provides a validation path for records. It does not encrypt or change the management of data and is 'backward compatible' with the current DNS and applications; that is, it doesn't change the existing protocols upon which the Internet's addressing system is based. It incorporates a chain of digital signatures into the DNS hierarchy, with each level owning its own signature-generating keys. For a domain name like www.nic.ir, each organization along the way must sign the key of the one below it: .ir signs nic.ir's key, and the root signs .ir's key. During validation, DNSSEC follows this chain of trust up to the root, validating "child" keys with "parent" keys along the way. Since every key can be validated by the one above it, the only key needed to validate the whole domain name is the topmost parent key, the root key.
This hierarchy does mean, however, that even with the root signed, full deployment of DNSSEC across all domain names will take time, since every domain below the root must also be signed by its respective operator to complete a particular chain of trust. Signing the root is just a start, but it is crucial. Recently TLD operators have accelerated their efforts to deploy DNSSEC on their zones (.se, .bg, .br, .cz and .pr do so now, with .gov, .uk, .ca and others coming), and others expect to as well.
In DNSSEC, what are the KSK and ZSK?
KSK stands for Key Signing Key (a long-term key) and ZSK stands for Zone Signing Key (a short-term key). Given sufficient time and data, cryptographic keys can eventually be compromised. In the case of the asymmetric (public key) cryptography used in DNSSEC, this means an attacker determines, through brute force or other methods, the private half of the public-private key pair used to create the signatures attesting to the validity of DNS records. This allows the attacker to defeat the protections afforded by DNSSEC.
DNSSEC thwarts these compromise attempts by using a short-term key, the zone signing key (ZSK), to routinely compute signatures for the DNS records, and a long-term key, the key signing key (KSK), to compute a signature on the ZSK so that the ZSK can be validated. The ZSK is changed, or rolled over, frequently to make it difficult for the attacker to "guess", while the longer-term KSK is changed over a much longer period (current best practices place this on the order of a year). Since the KSK signs the ZSK and the ZSK signs the DNS records, only the KSK is required to validate a DNS record in the zone.
It is a digest of the KSK, in the form of a Delegation Signer (DS) record, that is passed up to the "parent" zone. The parent zone (e.g., the root) signs the DS record of the child (e.g., .org) with its own ZSK, which is in turn signed by its own KSK. This means that if DNSSEC is fully adopted, the KSK for the upper zone (such as the root) would be part of the validation chain for every DNSSEC-validated domain name (or yet-to-be-developed application).
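The chain described in the two passages above (root signs the TLD's key, the TLD signs the child's key, KSK signs ZSK, ZSK signs the records, and the parent holds a DS for the child's KSK), as an added example that is not part of the original page and not IRNIC's code: a small Go model in which a resolver validates www.nic.ir from a single trust anchor and a ZSK rollover leaves the parent's DS untouched. It assumes Ed25519 in place of the RSA/SHA-1 keys used on the page, a plain SHA-256 over the key bytes in place of a real DS digest, and constructed zone names and a documentation address.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone models one level of the DNSSEC hierarchy: it owns a KSK and a ZSK, and the
// maps stand in for its DNSKEY, RRSIG and DS RRsets. A constructed model, not wire format.
type Zone struct {
	Name             string
	KSKPub, ZSKPub   ed25519.PublicKey
	kskPriv, zskPriv ed25519.PrivateKey
	ZSKSig           []byte            // KSK signature over the ZSK (RRSIG over the DNSKEY RRset)
	Records          map[string]string // name -> data, the zone's own records
	Sigs             map[string][]byte // name -> ZSK signature over that record
	DS               map[string][]byte // child name -> digest of the child's KSK (the DS record)
	DSSigs           map[string][]byte // child name -> ZSK signature over that DS
}

// NewZone creates a zone whose fresh ZSK is already signed by its fresh KSK.
func NewZone(name string) *Zone {
	z := &Zone{Name: name, Records: map[string]string{}, Sigs: map[string][]byte{},
		DS: map[string][]byte{}, DSSigs: map[string][]byte{}}
	z.KSKPub, z.kskPriv, _ = ed25519.GenerateKey(rand.Reader) // rand.Reader only fails fatally
	z.RollZSK()
	return z
}

// RollZSK replaces the ZSK and re-signs everything it covers; the KSK, and so the parent's DS, is untouched.
func (z *Zone) RollZSK() {
	z.ZSKPub, z.zskPriv, _ = ed25519.GenerateKey(rand.Reader)
	z.ZSKSig = ed25519.Sign(z.kskPriv, z.ZSKPub)
	for name, data := range z.Records {
		z.Sigs[name] = ed25519.Sign(z.zskPriv, []byte(name+"="+data))
	}
	for child, ds := range z.DS {
		z.DSSigs[child] = ed25519.Sign(z.zskPriv, ds)
	}
}

// dsDigest models the DS content as SHA-256 over the child's KSK (a real DS also covers owner name and DNSKEY header).
func dsDigest(ksk ed25519.PublicKey) []byte {
	h := sha256.Sum256(ksk)
	return h[:]
}

// Delegate publishes a DS for the child in the parent, signed with the parent's ZSK.
func (p *Zone) Delegate(child *Zone) {
	d := dsDigest(child.KSKPub)
	p.DS[child.Name] = d
	p.DSSigs[child.Name] = ed25519.Sign(p.zskPriv, d)
}

// AddRecord stores a record together with its ZSK signature.
func (z *Zone) AddRecord(name, data string) {
	z.Records[name] = data
	z.Sigs[name] = ed25519.Sign(z.zskPriv, []byte(name+"="+data))
}

// Validate is the resolver's side: from one configured trust anchor (the root KSK)
// it walks root -> ... -> leaf zone and accepts the record only if every link holds.
func Validate(anchor ed25519.PublicKey, chain []*Zone, name string) error {
	if len(chain) == 0 || !anchor.Equal(chain[0].KSKPub) {
		return fmt.Errorf("root KSK does not match the configured trust anchor")
	}
	for i, z := range chain {
		if !ed25519.Verify(z.KSKPub, z.ZSKPub, z.ZSKSig) { // trusted KSK -> trusted ZSK
			return fmt.Errorf("%s: ZSK is not signed by the KSK", z.Name)
		}
		if i+1 == len(chain) {
			break
		}
		// The parent's ZSK-signed DS must match the child's KSK; this hands trust down one level.
		child := chain[i+1]
		ds, ok := z.DS[child.Name]
		if !ok || !ed25519.Verify(z.ZSKPub, ds, z.DSSigs[child.Name]) {
			return fmt.Errorf("%s: missing or badly signed DS for %s", z.Name, child.Name)
		}
		if !bytes.Equal(ds, dsDigest(child.KSKPub)) {
			return fmt.Errorf("%s: DS does not match the KSK of %s", z.Name, child.Name)
		}
	}
	leaf := chain[len(chain)-1]
	data, ok := leaf.Records[name]
	if !ok || !ed25519.Verify(leaf.ZSKPub, []byte(name+"="+data), leaf.Sigs[name]) {
		return fmt.Errorf("%s: record missing or its signature is invalid", name)
	}
	return nil
}

// BuildChain sets up root -> ir. -> nic.ir. with one constructed address record, as in the text's example.
func BuildChain() (root, ir, nic *Zone) {
	root, ir, nic = NewZone("."), NewZone("ir."), NewZone("nic.ir.")
	root.Delegate(ir)
	ir.Delegate(nic)
	nic.AddRecord("www.nic.ir.", "192.0.2.10") // documentation address, not the real one
	return root, ir, nic
}
```

Validate(root.KSKPub, []*Zone{root, ir, nic}, "www.nic.ir.") returns nil for the chain BuildChain produces, still returns nil after nic.RollZSK() because the parent's DS refers to the KSK only, and returns an error when the record's data is altered, when the record is absent, or when the resolver is configured with some other key as its trust anchor.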
For more information, please visit http://en.wikipedia.org/wiki/Dnssec or http://www.dnssec.net.
DNSSEC TestBed
IRNIC has decided to run a TestBed in order to promote DNSSEC and provide training in it. The following conditions apply to this TestBed and to all experimental domains registered during the test period.
1. The experimental period runs from Aug 30, 2009 to Feb 26, 2010.
2. Registration of the domains is free of charge and purely for experimental purposes; the registered domains may not be transferred in any way to a third party, and the domain registering center ** will not be held responsible for any transfer of the domains.
3. The experimental domains will be registered under dnssec.ir.
4. Acceptance or rejection of requested domains is at the sole discretion of the registering organization. Each user may file for five domain names, and any rejected request is deducted from that quota of five.
5. The domain registering center reserves the right to suspend or entirely terminate the experimental domains.
6. After the end of the experimental period, users will have no claim over their experimental domains, not even a priority right for permanent registration; all rights are reserved for the registering organization.
To set up the chain of trust for resolving names under DNSSEC, the PUBLIC key of dnssec.ir (the key in the text below) should be added to your resolver as a trust anchor. If you are using BIND9 as your resolver, the following text must be added to the Options section of your named.conf file.
trusted-keys {
    // named.conf parses trusted-keys as a statement of its own; each entry is
    // owner name, flags, protocol, algorithm and the quoted base64 key, without
    // the IN and DNSKEY tokens of the zone-file form.
    "dnssec.ir." 257 3 5 "AwEAAZz0N4mQylmksechdvqmnZv3U7oqVrgLwV1QdHb8FKrto12FVKxR
                          uRnA7JpHylByAtoBCEPq4GbVxjeuTBnVlmkc4eGiLQvQz5RgMTG9UhHe
                          nIhDk5UDC+rH6jbc9KU2txOvjKp4CReBPgrrpK3SdncvvjcKVUpNiWsa
                          2oluSIvmg3cnlESUf89SwDrjQG+XhB/uCKolFvRcS55wlwvcmE+Bd/8A
                          S4l0nb5f8MRxqKRFrwsiaWrwg4yBlDVdsReM0RvS2TIXvXEUgGNZNAon
                          Ta7ltpk5p/7TryPXNHeutQljWElqCq3xRFBRPumdh7PeCSm3E1+eA2cq
                          bzNorxkfkXM="; // Key ID = 18043; flags 257 mark this as the KSK (Secure Entry Point) of dnssec.ir
};
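As an added example, not IRNIC's code, the Go program below parses a DNSKEY in the presentation form used above (the dnssec.ir key is copied from this page), decodes its flags, computes the RFC 4034 key tag and renders the named.conf trusted-keys entry. Two points it makes explicit: flags 257 is a zone key with the Secure Entry Point bit set, that is a KSK rather than a ZSK, and BIND 9 reads trusted-keys as a top-level named.conf statement whose entries carry no IN or DNSKEY tokens. The function and type names are this example's own.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// DNSKey holds the RDATA of a DNSKEY record (RFC 4034 section 2).
type DNSKey struct {
	Flags     uint16
	Protocol  uint8
	Algorithm uint8
	PublicKey []byte
}

// pageKey is the dnssec.ir trust anchor as printed on the page (flags 257, protocol 3,
// algorithm 5 = RSA/SHA-1); the whitespace-separated base64 chunks are joined by ParseDNSKEY.
const pageKey = "257 3 5 " +
	"AwEAAZz0N4mQylmksechdvqmnZv3U7oqVrgLwV1QdHb8FKrto12FVKxR " +
	"uRnA7JpHylByAtoBCEPq4GbVxjeuTBnVlmkc4eGiLQvQz5RgMTG9UhHe " +
	"nIhDk5UDC+rH6jbc9KU2txOvjKp4CReBPgrrpK3SdncvvjcKVUpNiWsa " +
	"2oluSIvmg3cnlESUf89SwDrjQG+XhB/uCKolFvRcS55wlwvcmE+Bd/8A " +
	"S4l0nb5f8MRxqKRFrwsiaWrwg4yBlDVdsReM0RvS2TIXvXEUgGNZNAon " +
	"Ta7ltpk5p/7TryPXNHeutQljWElqCq3xRFBRPumdh7PeCSm3E1+eA2cq " +
	"bzNorxkfkXM="

// ParseDNSKEY parses "<flags> <protocol> <algorithm> <base64 ...>", accepting a key
// split into several chunks as in zone files and named.conf.
func ParseDNSKEY(rdata string) (DNSKey, error) {
	f := strings.Fields(rdata)
	if len(f) < 4 {
		return DNSKey{}, fmt.Errorf("need flags, protocol, algorithm and key data")
	}
	var n [3]uint64
	for i, bits := range []int{16, 8, 8} {
		v, err := strconv.ParseUint(f[i], 10, bits)
		if err != nil {
			return DNSKey{}, fmt.Errorf("field %d: %v", i+1, err)
		}
		n[i] = v
	}
	if n[1] != 3 {
		return DNSKey{}, fmt.Errorf("protocol must be 3, got %d", n[1])
	}
	key, err := base64.StdEncoding.DecodeString(strings.Join(f[3:], ""))
	if err != nil {
		return DNSKey{}, fmt.Errorf("key data is not valid base64: %v", err)
	}
	return DNSKey{uint16(n[0]), uint8(n[1]), uint8(n[2]), key}, nil
}

// RDATA is the wire form (flags, protocol, algorithm, key): the input to the key tag
// and to the DS digest a parent zone publishes for this key.
func (k DNSKey) RDATA() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...)
}

// KeyTag implements RFC 4034 Appendix B.1 (every algorithm except 1, RSA/MD5).
func (k DNSKey) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.RDATA() {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// Role decodes the flags: value 256 marks a zone key, value 1 the Secure Entry Point.
// 256 is a ZSK; 257 is a KSK, the key a parent's DS and a resolver's trust anchor refer to.
func (k DNSKey) Role() string {
	if k.Flags&0x0100 == 0 {
		return "not a zone key"
	}
	if k.Flags&0x0001 != 0 {
		return "KSK"
	}
	return "ZSK"
}

// TrustedKeysStatement renders the named.conf form: owner name, the three numbers and
// the quoted key, with no class (IN) or type (DNSKEY) tokens.
func TrustedKeysStatement(owner string, k DNSKey) string {
	return fmt.Sprintf("trusted-keys {\n\t%q %d %d %d %q; // key tag %d, %s\n};\n",
		owner, k.Flags, k.Protocol, k.Algorithm,
		base64.StdEncoding.EncodeToString(k.PublicKey), k.KeyTag(), k.Role())
}

func main() {
	k, err := ParseDNSKEY(pageKey)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%s, %d-byte key, key tag %d (the page reports 18043)\n", k.Role(), len(k.PublicKey), k.KeyTag())
	fmt.Print(TrustedKeysStatement("dnssec.ir.", k))
}
```

Running it prints the key tag computed for the page's key, which a reader can compare with the 18043 quoted in the page's comment; the key tag routine itself is checked against a small constructed key, and the page's key decodes to 260 bytes (a 3-byte exponent field plus a 2048-bit RSA modulus).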
IRNIC Contact Information
Email Address: info@nic.ir
Phone : (+98 21) 2358 7000
Only available on working days, Saturday to Wednesday, between 8:00 and 15:45 (Tehran time)
Fax : (+98 21) 2229 5700