DNSSEC testbed now available to registrars

Brussels, 28 October 2009 – EURid is pleased to announce that all .eu accredited registrars now have access to a .eu DNSSEC testbed. Providing this access is the first step in .eu support for Domain Name System Security Extensions (DNSSEC), a protocol that is intended to make the domain name system more secure.

The testbed will help EURid understand the technical demands of running the NSEC3 version of DNSSEC in combination with dynamic updates.

It will also help the registry evaluate response times and measure the performance of zone file generation in the specific .eu environment.

Finally, it will help EURid learn more about certain administrative processes required by DNSSEC. That includes the recalculation of signatures during a process which is known as key roll over.

“We want to work closely with our registrars to find out the best way to launch DNSSEC together to benefit .eu users,” comments Marc Van Wesemael, EURid General Manager. “At this time, few top-level domain registries offer DNSSEC support. We encourage all in the community to help Internet users by embracing DNSSEC.”

Why it matters

The original domain name system was designed for scale, not security. Criminals have been able to exploit the domain name system in a variety of ways. EURid has already put safeguards in place to help prevent “man in the middle” attacks. DNSSEC will create an additional safeguard against such attacks by allowing certain types of data to be verified.

The DNS allows users to type a domain name (such as eurid.eu), into a web browser and arrive at the correct IP address (195.234.53.204) for that website. Normally users arrive exactly where they want to go. But sometimes a web browser is sent to the wrong website. Here is how it works, using a pretend example:

• You want to visit LuckyBaby.eu, so you type that address into your web browser.
• Your computer asks a nameserver for the IP address of LuckyBaby.eu.
• A third party notices the request and sends your computer an imposter IP address that appears to belong to LuckyBaby.eu.
• Your browser takes you to a site that looks like LuckyBaby.eu but is actually a fake site used to steal credit card and other information.

DNSSEC helps prevent this sort of attack by making it possible for computers to verify that the IP addresses they receive are correct and come from valid nameservers.

In order to be effective, DNSSEC must be implemented by all parties responsible for administering the different parts of the domain name system. EURid is proud to join the push for a more secure Internet.