DNSSEC

Domain Name System Security Extensions (DNSSEC) is a set of extensions to the DNS that allows zone data to be digitally signed, so that a validating resolver can check the origin authenticity and integrity of the DNS answers it receives. DNSSEC signs DNS data; it does not encrypt DNS traffic or protect other Internet communications.

When a domain name registry deploys DNSSEC it introduces a layer of security that others can build upon. This layer is one link in the DNS chain of trust. There can be multiple layers between the user and a server, and in the .au domain space auDA is taking a step towards securing the layer between the .au zone and the root (“.”) zone.

DNSSEC is a major change to the DNS protocol. Whilst it offers a level of trust for Internet users, because responses can be authenticated, it also introduces a new level of risk for registry operators. DNSSEC requires cryptographic keys to be published in the DNS and, at times, frequent changes to the zone file. This level of interaction, and the complexity of managing cryptographic keys, increase the risk of error during a zone change or update. An error in a signed zone (for example an expired signature, or a DNSKEY removed while signatures made with it are still cached) can cause the zone to appear offline or bogus to validating resolvers, which return SERVFAIL for data they cannot validate, while non-validating resolvers continue to answer normally.

auDA has taken a cautious approach to introducing DNSSEC into the .au space.  This approach has allowed auDA to wait for equipment, services and processes to mature and ultimately reduce the risk to the .au domain space. Over the past 18 months auDA has conducted and completed substantial testing on multiple systems, utilising various hardware and software, in preparation for signing the .au zone.  This is the first step in creating a chain of trust from the root zone through to domains at the second and third level in the .au domain space.  Through this testing auDA has developed processes and practices that aim to maintain a high level of stability and allow for improved security.

In consultation with the auDA DNSSEC Working Group and the auDA Security Stability and Advisory Committee (auDA SSAC), we have completed an Interim DNSSEC Policy & Practice Statement (DPS).  This document provides organisations with information on auDA’s deployment of DNSSEC in the .au zone, including policy and controls around the creation, management and protection of the cryptographic keys used to sign the .au zone.  Organisations may use this document to determine the level of security they wish to implement when deploying DNSSEC on their own zones.  It also provides guidance on the level of confidence that organisations can place in the chain of trust.

Signed .au zone – experimental phase

On 24 April 2014 auDA signed the .au zone in the production environment as the next step in its continued testing of DNSSEC.

Please note: the .au Delegation Signer (DS) records will not be added to the root zone, and the signed .au zone is to be considered “experimental” at this time. Until a .au DS is published in the root, a resolver that validates from the root trust anchor will treat .au as an unsigned (insecure) delegation and will not validate .au data at all; only a resolver with a locally configured .au trust anchor will. Whilst the .au key information will be publicly available and viewable, it is not suitable for entities to generate a .au trust anchor from it for use in a production environment.

During this experimental phase, auDA cannot and will not guarantee continued service or stability of the signed .au zone.  auDA accepts no responsibility for those who may experience outages caused by enabling DNSSEC validation against the .au zone in a production environment.

The experimental phase will last for a period of approximately six months.  During this period auDA will:

  • test and monitor production load on the .au servers
  • perform four zone signing key rollover events
  • perform one key signing key rollover
  • liaise with the Second Level Domain (2LD) operators and facilitate the addition of their DS records into the .au zone
  • finalise the DPS.

auDA will make all announcements about key rollover periods, outages and any other relevant DNSSEC information via the [email protected] mailing list.  This list is open to the public and may be used by members to post information about faults or difficulties they may experience.

As noted above, the signed .au zone is to be considered experimental only at this stage, but auDA encourages other entities, especially resolver operators, to conduct their own testing against the .au zone using their development/staging environments. This requires a .au trust anchor to be configured on the testing resolver, because without a DS in the root there is no chain of trust to follow down from the root key. The generation, format and location of trust anchors are outside the scope of this announcement. For more information please contact auDA’s Chief Technology Officer Adam King.
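The trust anchor a resolver operator configures for this testing, and the DS records that 2LD operators will later submit to auDA and that auDA will in turn submit to IANA, are derived from a DNSKEY in the same way: a 16-bit key tag plus a digest over the owner name and the DNSKEY RDATA (RFC 4034 section 5.1.4 and Appendix B, RFC 4509 for SHA-256). The following is an added example, not auDA's code; the owner name example.au. and the 16-byte public key in it are constructed so the key-tag arithmetic can be followed by hand, and are not .au keys. It computes a DS from a DNSKEY and then checks a DS against a DNSKEY RRset the way a validator does at a zone cut, including the flag, protocol and digest-type checks that decide whether a DS is usable at all.

```python
"""Derive a DS record from a DNSKEY, and check a DS against a DNSKEY RRset."""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample, not a .au key: flags 257 (Zone Key + SEP, i.e. a KSK),
# protocol 3, algorithm 8 (RSA/SHA-256), and a 16-byte "public key" 0x01..0x10.
SAMPLE_OWNER = "example.au."
SAMPLE_DNSKEY = "257 3 8 AQIDBAUGBwgJCgsMDQ4PEA=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str):
    """Parse presentation-format DNSKEY RDATA: '<flags> <protocol> <algorithm> <base64 key>'."""
    flags, protocol, algorithm, *key = text.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key))


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes, algorithm: int) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA."""
    if algorithm == 1:  # obsolete RSA/MD5 rule: bits of the modulus, not a checksum
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS RDATA '<key tag> <algorithm> <digest type> <hex digest>' for a DNSKEY.

    The digest is over canonical owner name || DNSKEY RDATA (RFC 4034 s.5.1.4)."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata, algorithm)} {algorithm} {digest_type} {digest.upper()}"


def ds_matches(owner: str, ds_text: str, dnskey_rrset) -> bool:
    """What a validator does at a zone cut (or with a DS-format trust anchor):
    is there a DNSKEY in the child's RRset that this DS authenticates?"""
    tag, alg, dtype, digest = ds_text.split()
    tag, alg, dtype, digest = int(tag), int(alg), int(dtype), digest.lower()
    if dtype not in DIGEST_ALGORITHMS:
        return False  # unsupported digest type: no usable authentication path (RFC 4035 s.5.2)
    for dnskey_text in dnskey_rrset:
        flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
        if not flags & 0x100 or protocol != 3 or algorithm != alg:
            continue  # RFC 4034 s.2.1: Zone Key bit must be set, protocol must be 3
        if key_tag(rdata, algorithm) != tag:
            continue  # cheap filter before hashing
        if DIGEST_ALGORITHMS[dtype](name_to_wire(owner) + rdata).hexdigest() == digest:
            return True
    return False


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds}")
    print("matches its DNSKEY:", ds_matches(SAMPLE_OWNER, ds, [SAMPLE_DNSKEY]))
    tampered = SAMPLE_DNSKEY[:-4] + "EQ=="  # last key byte altered
    print("matches a tampered DNSKEY:", ds_matches(SAMPLE_OWNER, ds, [tampered]))
```

Before enabling validation in a test resolver, run `ds_matches` over the DNSKEY RRset actually served for .au (`dig au DNSKEY +dnssec`) to confirm that the trust anchor you have generated corresponds to a published key; the same check, run against the child's DNSKEY set, is what a 2LD operator should do on a DS before handing it to auDA.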

Below is auDA’s indicative timeline for the introduction of DNSSEC in the .au domain space.  This timeline will be updated when dates for the inclusion of the 2LD DS records have been determined.

 

Date*     | Event                            | Zone File | Description
----------|----------------------------------|-----------|------------
26/03/14  | Publish timings and information  | .au       | Publish on the auDA website and send out notifications to mailing lists about auDA’s intention to sign the .au zone in the production environment, noting that it is considered experimental.
23/04/14  | Notification of signing          | .au       | Announcement of the inclusion of the KSK and ZSK in the .au zone will be sent to the [email protected] mailing list.
24/04/14  | Add KSK and ZSK                  | .au       | The initial KSK and ZSK will be introduced to the .au zone.
24/05/14  | Add second ZSK                   | .au       | Introduce the second ZSK to the .au zone.
31/05/14  | Remove first ZSK                 | .au       | Removal of the first ZSK from the .au zone.
24/06/14  | Add third ZSK                    | .au       | Introduce the third ZSK to the .au zone.
30/06/14  | Remove second ZSK                | .au       | Removal of the second ZSK from the .au zone.
23/08/14  | Add fourth ZSK (pre-publish)     | .au       | The fourth ZSK will be introduced but not used to sign the zone contents.
25/08/14  | Fourth ZSK used to sign the zone | .au       | The .au zone will be signed with the fourth ZSK. The signatures generated with the third ZSK will be removed. The DNSKEY for the third ZSK will remain in the zone to allow for caching.
27/08/14  | Remove third ZSK                 | .au       | The third ZSK DNSKEY is removed from the zone.
25/09/14  | Add fifth ZSK (pre-publish)      | .au       | The fifth ZSK will be introduced but not used to sign the zone contents.
27/09/14  | Fifth ZSK used to sign the zone  | .au       | The .au zone will be signed with the fifth ZSK. The signatures generated with the fourth ZSK will be removed. The DNSKEY for the fourth ZSK will remain in the zone to allow for caching.
30/09/14  | Remove fourth ZSK                | .au       | The fourth ZSK DNSKEY is removed from the zone.
TBA (Oct) | Add 2LD DS records               | 2LD zones | The first of the 2LD zone DS records will be added to the .au zone and signed.
TBA (Oct) | Add second KSK                   | .au       | Add the second KSK to the .au zone in preparation for submitting the DS to the root zone.
TBA (Oct) | Remove first KSK                 | .au       | Removal of the KSK used during the “experimental” phase.
TBA (Oct) | Add .au DS to root zone file     | .au       | Submit the .au DS records to IANA for inclusion in the root zone.

 

*Please note that all dates are subject to change. auDA will update the timeline and send notification to the [email protected] mailing list as required.
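The pre-publish ZSK rollovers in the timeline (publish the new DNSKEY, wait, sign with it and drop the old signatures, wait, remove the old DNSKEY) are safe only if each wait is longer than the time for which resolvers may still be holding the previous DNSKEY RRset or the previous signatures. The following is an added example, not auDA's tooling, that takes the August rollover dates from the table above and checks, at every point in time, that no resolver can hold an RRSIG made with a key that is absent from the DNSKEY RRset it also holds; it also runs the same check on two constructed schedules that skip the pre-publish interval or remove the old key too early. The DNSKEY TTL, the largest RRset TTL and the midnight change-over times are assumptions; the page does not state them. The checker is general: it accepts any publish/activate/remove schedule, not only the three-step one shown.

```python
"""Model-check a ZSK rollover schedule against resolver caching (RFC 6781 pre-publish)."""
from datetime import datetime, timedelta

# Assumed cache parameters, not stated on the page: the TTL of the DNSKEY RRset and
# the largest TTL of any signed RRset in the zone. Propagation delay to secondaries
# should be added to both if it is significant.
DNSKEY_TTL = timedelta(days=1)
MAX_RRSET_TTL = timedelta(days=1)

# The August 2014 ZSK rollover from auDA's timeline; 3 and 4 stand for the third and
# fourth ZSK, and the change-over times are assumed to be midnight.
PAGE_SCHEDULE = [
    (datetime(2014, 8, 23), "publish", 4),   # DNSKEY added, not yet used for signing
    (datetime(2014, 8, 25), "activate", 4),  # zone re-signed with the new ZSK
    (datetime(2014, 8, 27), "remove", 3),    # old DNSKEY dropped
]
# Constructed counter-examples: no pre-publish interval, and removing the old key too soon.
NO_PREPUBLISH = [
    (datetime(2014, 8, 25), "publish", 4),
    (datetime(2014, 8, 25), "activate", 4),
    (datetime(2014, 8, 27), "remove", 3),
]
EARLY_REMOVE = [
    (datetime(2014, 8, 23), "publish", 4),
    (datetime(2014, 8, 25), "activate", 4),
    (datetime(2014, 8, 25, 12), "remove", 3),
]


def zone_state(schedule, initial_keys, initial_signer, t):
    """(set of DNSKEY tags published, tag of the key signing the zone) as served at time t."""
    keys, signer = set(initial_keys), initial_signer
    for when, action, tag in sorted(schedule, key=lambda e: e[0]):
        if when > t:
            break
        if action == "publish":
            keys.add(tag)
        elif action == "activate":
            signer = tag
        elif action == "remove":
            keys.discard(tag)
        else:
            raise ValueError(f"unknown action {action!r}")
    return keys, signer


def cached_views(schedule, initial_keys, initial_signer, lo, hi):
    """Every distinct zone state a resolver could have fetched between lo and hi.

    The state only changes at event times, so sampling the window ends, each event
    instant inside the window and the instant before it covers all possibilities."""
    instants = {lo, hi}
    for when, _, _ in schedule:
        if lo < when <= hi:
            instants.update({when, when - timedelta(seconds=1)})
    return [zone_state(schedule, initial_keys, initial_signer, i) for i in sorted(instants)]


def unsafe_moments(schedule, initial_keys, initial_signer,
                   dnskey_ttl=DNSKEY_TTL, rrset_ttl=MAX_RRSET_TTL, step=timedelta(hours=1)):
    """Times at which some resolver could hold an RRSIG whose key is missing from the
    DNSKEY RRset it holds, i.e. times at which validation of .au data can SERVFAIL."""
    events = sorted(when for when, _, _ in schedule)
    checkpoints = set(events)
    t, end = events[0], events[-1] + max(dnskey_ttl, rrset_ttl)
    while t <= end:
        checkpoints.add(t)
        t += step
    unsafe = []
    for t in sorted(checkpoints):
        # A resolver at time t may hold any DNSKEY RRset fetched in [t - dnskey_ttl, t]
        # together with any RRSIG fetched in [t - rrset_ttl, t].
        key_views = cached_views(schedule, initial_keys, initial_signer, t - dnskey_ttl, t)
        sig_views = cached_views(schedule, initial_keys, initial_signer, t - rrset_ttl, t)
        if any(signer is not None and signer not in keys
               for keys, _ in key_views for _, signer in sig_views):
            unsafe.append(t)
    return unsafe


if __name__ == "__main__":
    for name, schedule in [("timeline", PAGE_SCHEDULE), ("no pre-publish", NO_PREPUBLISH),
                           ("early remove", EARLY_REMOVE)]:
        bad = unsafe_moments(schedule, {3}, 3)
        print(f"{name}: {'safe' if not bad else f'unsafe from {bad[0]} to {bad[-1]}'}")
```

With the assumed one-day TTLs the timeline's two-day gaps pass; rerunning with a three-day DNSKEY TTL makes the same schedule fail at the activation instant, which is why the TTL values in the real zone, not the calendar, must drive the rollover dates.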