Main page

DNSSEC activated for .is

The Domain Name System (DNS) ensures that everyone can find resources on the internet in a simple way, by using domains and hostnames. Without DNS we would have to use the IP addresses of the resources we were looking for (web site, mail server etc.), but they are hard to remember and cumbersome to use.

From the beginning certain problems have been known with the way DNS is implemented (See RFC3833). These problems may allow attackers to disrupt the lookup process, either stopping people from accessing certain resources or directing users to different resources than they intended. Banks, insurance companies, commerce, government and other sites that handle important and critial data are popular targets for these kinds of attacks where the attackers look to seize personal information, login credentials and credit card information from unsuspecting users.

To fix these weaknesses, an extension of the DNS protocol, DNSSEC (DNS Security Extensions), was created. DNSSEC makes it possible for DNS servers to cryptographically sign their responses so that users are assured that the response they get originated from the correct DNS server.

ISNIC has now finished the first stage in implementing DNSSEC for the .is TLD, by signing the .is zone and having the corresponding DS records published in the root zone by IANA. Records in the is zone can now be authenticated by properly configured DNS resolvers that support DNSSEC.

The next step in the implementation is to allow domain holders to publish their DS records in the .is zone so their signed zone can be authenticated by the chain of trust to the root zone. Then domain holders can be assured that properly configured resolvers can and will authenticate responses from their domain servers and will disregard attempts from attackers to disrupt or poison the DNS system.

See RFC4033, RFC4034 and RFC4035 regarding the definitions of DNSSEC and RFC6781 regarding DNSSEC operational practices. ISNIC uses open source software, OpenDNSSEC to manage keys and signing of records in the is zone.

DNSSEC service will be included in the yearly fee for all domains.