DNSSEC Deployment at CentralNic
The Domain Name System Security Extensions (DNSSEC) add security to the Domain Name System (DNS). The original design of the DNS system offers no protection against a number of attacks, such as DNS cache poisoning. DNSSEC uses advanced cryptographic techniques to verify that data received from the Domain Name System has not been tampered with.
DNSSEC has been a long time in coming. Despite fundamental flaws in the DNS being known about as early as 1990, a number of technical and political obstacles prevented large-scale deployment, but in 2010 several milestones were achieved, most notably the signing of the DNS root zone. Following the signing of the root, CentralNic, having observed and participated in the DNSSEC deployment initiative for over 10 years, began the process of deploying DNSSEC technology in its registry system.
As a domain registry, CentralNic publishes the authoritative DNS zone data for the domain extensions that it operates. DNSSEC impacts this in several ways:
1. DNS zone data must be cryptographically signed
Rather than generate a signature for each DNS response, DNSSEC signs the entire DNS zone once, and then includes resource records containing the digital signatures in the zone data, which are returned as part of the normal response. For domain registries, which regularly update their zone data, this means that the signing process must be integrated into the zone update process.
2. Registrars must be able to submit DS records
Delegation Signer (DS) records contain the public key(s) of child zones and are placed in the parent zone alongside the NS records. Registrars need to be able to submit their registrants' DS records to the registry for inclusion in the zone. The Extensible Provisioning Protocol (EPP) supports this via the secDNS extension.
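As an added illustration (not CentralNic's or Xelerance's code), the check a registry can run on a DS record submitted via secDNS before publishing it: a DS record carries a digest of the child's KSK DNSKEY (RFC 4034 section 5.1.4, SHA-256 per RFC 4509), so the registry recomputes the DS from the child's published DNSKEY and accepts only a matching submission. The zone name example.test and the key bytes are constructed sample values.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if (i & 1) else (b << 8)   # even offsets are the high byte of a 16-bit word
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS = (key tag, algorithm, digest type, hex digest of owner-name | DNSKEY RDATA)."""
    hash_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    algorithm = rdata[3]
    digest = hash_fn(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(owner: str, rdata: bytes, submitted_ds: tuple) -> bool:
    """Registry-side check: does the submitted DS correspond to the child's published KSK?"""
    tag, algorithm, digest_type, digest = submitted_ds
    if digest_type not in (1, 2):           # unsupported digest type: reject, do not publish
        return False
    return make_ds(owner, rdata, digest_type) == (tag, algorithm, digest_type, digest.upper())


# Constructed sample KSK: flags 257 (SEP bit set), protocol 3, algorithm 8 (RSA/SHA-256).
KSK_RDATA = dnskey_rdata(257, 3, 8, bytes.fromhex("0301000100ffee"))

if __name__ == "__main__":
    ds = make_ds("example.test.", KSK_RDATA)
    print("DS for example.test:", ds)
    print("submission accepted:", ds_matches_dnskey("example.test.", KSK_RDATA, ds))
```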
In addition to these two requirements, we must also implement all of the other obligations placed upon DNSSEC operations:
- securing of key data, backup and disaster recovery mechanisms
- ZSK and KSK rollovers
- Publication of DS keys in parent zones (e.g. the root zone) and DLV (where applicable)
- ensuring that network and server equipment is capable of handling enlarged DNS response packets and increased use of TCP
Like most other registry operators, our DNSSEC implementation is based on NSEC3 with opt-out:
- NSEC3 resolves the "zone enumeration" or "zone walking" problem caused by the original NSEC design. NSEC is used to provide "authenticated denial of existence", i.e. ensuring that a non-existent domain name cannot be spoofed. However, it also allows a third party to recover the entire DNS zone, which poses a number of security, legal and policy issues. NSEC3 resolves this problem.
- Opt-out means that only domain name delegations that have corresponding DS records are signed. This makes DNSSEC deployment more scalable by avoiding an immediate increase in zone and response packet size.
DNSSEC is an exceedingly complex technology, bridging two already complex specialisms (DNS and cryptography). Although CentralNic is comfortable in the former specialism, the latter is not one of our core competencies. As a result, we make use of a third-party DNSSEC solution that can be deployed without in-depth knowledge of cryptography.
CentralNic selected Xelerance Corporation and established a partnership to use their award-winning DNSSEC technology. CentralNic uses Xelerance DNSX appliances to sign zone data before it is published into the DNS infrastructure. The diagram below describes how these appliances are deployed.
We use a combination of DNS NOTIFY and incremental zone transfers (IXFR) at each stage of the zone distribution process, to accelerate the rate at which DNS updates are propagated onto our infrastructure.
Access to the DNSX signer is subject to strict security: login credentials for the management interface are only available to senior management, specifically the CEO, CTO and Operations Manager. Remote access is restricted to the Network Operations Centre in London.
Physical access is also highly restricted. The DNSX appliances are hosted in a secure data centre, subject to biometric access, 24x7 patrols, and CCTV monitoring. The cabinets that house the appliances are locked and cannot be opened except by approved personnel.
The appliances themselves include a number of tamper-resistant technologies, and a Hardware Security Module (HSM) protects the KSKs.
- Root DNSSEC
- DNSSEC Deployment Initiative
- Slides from DNSSEC: problems and solutions for ISPs, web hosts and registrars, given by CentralNic's CTO Gavin Brown at UKNOF 15.