Domain Name System Security Extensions (DNSSEC) is a security extension that facilitates the digital signing of Internet communications, helping to ensure the integrity and authenticity of transmitted data.
When deploying DNSSEC, a domain name registry introduces a layer of security that can be built upon. This layer of security is part of the chain of trust in the DNS. There can be multiple layers between the user and a server, and in the .au domain space auDA is taking a step towards securing the layer between the .au zone and the root (“.”) zone.
DNSSEC is a major change in the DNS protocol and whilst it offers a level of trust for Internet users, where responses can be authenticated and queries verified, it also introduces a new level of risk for registry operators. DNSSEC requires the inclusion of cryptographic keys in the DNS and at times frequent editing of a zone file. This level of interaction and the complexity of cryptographic keys increase the risk of error during a zone change or update. An error made to a signed zone can cause a zone to appear offline or bogus to validating resolvers.
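One such error is a parent zone publishing a DS record that no longer matches any DNSKEY in the child zone, which breaks the chain of trust. The check below is an added example, not auDA's tooling: it recomputes the SHA-256 DS digest and key tag as defined in RFC 4034 and RFC 4509, and the name `example.au` and both key values are constructed placeholders.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire format of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(owner: str, ds: tuple, child_dnskeys: list) -> bool:
    """True if some DNSKEY in the child zone hashes to the DS held by the parent."""
    tag, alg, dtype, digest = ds
    if dtype != 2:
        raise ValueError("this example handles only digest type 2 (SHA-256)")
    wanted = (tag, alg, 2, digest.lower())
    return any(make_ds(owner, r) == wanted for r in child_dnskeys)

# Constructed sample data: an old and a new key-signing key (flags 257, RSA/SHA-256).
OWNER = "example.au"                                   # placeholder zone name
OLD_KSK = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))  # constructed key bytes
NEW_KSK = dnskey_rdata(257, 3, 8, bytes([9, 9, 9, 9]))  # constructed key bytes
PARENT_DS = make_ds(OWNER, OLD_KSK)                    # what the parent still publishes

if __name__ == "__main__":
    # Before the rollover the DS matches; after removing the old key it does not,
    # and validating resolvers would treat the zone as bogus.
    print("old key still published:", ds_matches(OWNER, PARENT_DS, [OLD_KSK, NEW_KSK]))
    print("old key removed too early:", ds_matches(OWNER, PARENT_DS, [NEW_KSK]))
```

Running the same comparison before each key rollover step shows whether the DS at the parent still has a matching key in the child zone.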
In consultation with the auDA DNSSEC Working Group and the auDA Security Stability and Advisory Committee (auDA SSAC), auDA completed a DNSSEC Policy & Practice Statement (DPS). This document provides organisations with information on auDA’s deployment of DNSSEC in the .au zone, including policy and controls around the creation, management and protection of the cryptographic keys used to sign the .au zone. Organisations may use this document to determine the level of security they wish to implement when deploying DNSSEC on their own zones. It also provides guidance on the level of confidence that organisations can place in the chain of trust.
auDA DNSSEC signed the .au zone on 20 November 2014. The .au Delegation Signer (DS) records were also submitted to IANA on 20 November 2014 and were published in the root zone file on 26 November 2014. In December 2014 DS records for the following Second Level Domains (2LDs)
The following 2LDs have had their Delegation Signer (DS) records added to the .au zone:
The following closed zones are not currently signed:
auDA will make all announcements about key rollover periods, outages and any other relevant DNSSEC information via the .AU DNSSEC Announcements mailing list. Click here to subscribe to the .AU DNSSEC Announcements mailing list.