DNSSEC – The path to a secure domain

DNSSEC makes the internet more secure by complicating the manipulation of the information that passes through the domain name system, ensuring users that they truly are visiting e.g. their internet bank and not a facsimile that was set up to steal passwords and account information.

Svensk version tillgänglig här.

Finding the right computer on the internet, for instance when you are surfing or sending e-mail to a certain web address, is done with the aid of queries in the domain name system (DNS). DNS is a gigantic database that translates domain names to IP addresses, i.e. the unique number series that identify computers connected to the internet. You can compare it to how a telephone directory “translates” names to phone numbers.

Security lapses

When DNS was created in the 1980’s, the main thought behind it was minimising the need for central management of the network and making it easy to connect new computers to the internet. There was, however, not much emphasis on security. The lapses in this area have opened for various types of abuse and attacks where the answers to DNS queries are falsified. In this manner internet users can be misled, for example in the purpose of tricking them to provide sensitive information such as passwords and credit card numbers.

Extensions secure against attacks

Even though security holes in the software tools used for DNS queries are patched up as well as possible, the fundamental problem lies in the functioning of DNS. That is why security extensions to DNS have been developed. They have been named DNSSEC (short for DNS Security Extensions). With DNSSEC the domain name system is secured from abuse by cryptographically signing answers to DNS queries. This way it is possible to secure that the answers really come from the right source and have not been changed in transit.

IIS an early adopter

IIS signed its .se-zone with DNSSEC in September 2005, as the first TLD in the world. When IIS launched a complete DNSSEC service in February 2007 it was also a global first. Since then the snowball has started rolling and an increasing number of top-level domains are now implementing the technology. Since the summer of 2010, DNSSEC is also implemented in the internet’s so-called root zone, the most fundamental part of the domain name system. As more domains are secured, the internet as a whole is getting more secure and reliable. IIS continues to work for a general implementation of this technology, among other things by taking part in the development of OpenDNSSEC, a free tool for simple management of DNSSEC services.

DNSSEC for your domain

Today, IIS’s DNSSEC service is an addition offered by many registrars (i.e. resellers of domain names) for both .se and .nu. It is the only way to get a secure domain that cannot be subject to attacks where the answers to DNS queries are falsified. Are you interested in securing your own web and e-mail address, please turn to your registrar for more information. If you are unsure whether or not your domain is using DNSSEC, you can easily find out completely free of charge at http://www.kaminskybug.se/.

The service consists of IIS giving the customers’ the possibility to publish their DS record (a hash of the customer’s public DNSSEC keys) in the .se zone and .nu zone and that .

SE guarantees the accuracy of the keys within this zone in accordance to IIS’s DNSSEC Practice Statement for .se

SE guarantees the accuracy of the keys within this zone in accordance to IIS’s DNSSEC Practice Statement for .nu

Contacts for DNSSEC

If you have further questions regarding DNSSEC, please contact, IIS Registry, Phone: +46-8-452 35 80, e-mail: registry@iis.se