What Was Involved In Making .AU More Secure With DNSSEC

The .au (Australian) ccTLD implemented DNSSEC at the end of 2014, joining the vast majority of TLDs, including all new gTLDs. Adam King, auDA's Chief Technology Officer, spoke at the Australian Internet Governance Forum (auIGF) in Melbourne on Wednesday, which is organised by the .au policy and regulatory body. Adam was on a panel speaking about DNSSEC and online security in Australia. I spoke to Adam on the sidelines of the auIGF after his presentation on auDA's experiences in implementing DNSSEC.

DG: In December 2014 auDA implemented DNSSEC – what was the reason for introducing this new security?
AK: We needed to sign DNSSEC to enable .au to move forward and become a more secure namespace. So far all the ccTLDs of OECD member countries are signed with DNSSEC, so from both a security perspective and to remain competitive with other ccTLDs, it needed to happen. And of 1071 TLDs, 908, including all new gTLDs as mandated by ICANN, are currently signed.

DG: How was the process?
AK: The technical side of signing wasn't the difficult part. The difficult and time-consuming part was developing the policies and processes for signing the zone and how auDA would manage the cryptographic keys. That's because you're now dealing with private key information and you're using it to create a layer of trust, so this information must be kept secure.

DG: What's the difference for domain registrants?
AK: At the moment not too much, because it's not ubiquitous, but auDA needed to sign .au to create the opportunity for registrants to be able to sign their own domain names. But it's a process with several steps. To make the service widely available, hosting companies need to start making DNSSEC signing services available to their customers. DNSSEC validation is on by default in all the current versions of name server software, therefore any ISP (or business operating their own resolver) running the latest versions is performing validation – unless they are using a Windows resolver or have explicitly turned validation off. For hosting companies it is a little more involved: they need to replicate the processes auDA went through (generating key pairs, developing policy and signing procedures to protect their private keys), but obviously on a larger scale, as they may have hundreds or thousands of zones to be signed. It's certainly possible; Comcast in the USA were able to achieve this. Comcast provide validation for 17.8 million residential customers and have signed all 5,000 domain names under their management.

DG: When all this is done, what will the benefits be to .au domain registrants and internet users?
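The claim above that a resolver running current software "is performing validation" is easy to check from the client side, and the next answer explains what that validation means. The following is an added example, not code from the interview or from auDA: it parses the header that `dig +dnssec` prints and classifies a resolver as validating or not from two queries, one for a correctly signed name and one for a name whose signatures are deliberately broken. A validating resolver sets the `ad` (authenticated data) flag on the first and answers `SERVFAIL` to the second; a non-validating one sets no `ad` flag and happily returns the bogus data. The header text and the names `signed.example` and `bogus.example` are constructed placeholders, not real captures.

```python
"""Classify a resolver's DNSSEC behaviour from dig-style response headers.

Added example (hypothetical helper, not part of auDA's tooling). Feed it
the output of:  dig +dnssec <signed-name>  and  dig +dnssec <bogus-name>
"""
import re
from dataclasses import dataclass

# --- Constructed sample headers in the layout `dig` prints (not real captures) ---
# Validating resolver, correctly signed name: NOERROR with the `ad` flag set.
GOOD_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# Validating resolver, name with broken signatures: the answer is refused.
BOGUS_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Non-validating resolver: no `ad` flag on the good name ...
GOOD_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# ... and the bogus name is served as if nothing were wrong.
BOGUS_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4444
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

_STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
_FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


@dataclass(frozen=True)
class DigHeader:
    status: str            # RCODE as dig prints it, e.g. NOERROR / SERVFAIL
    flags: frozenset       # header flags, e.g. {"qr", "rd", "ra", "ad"}


def parse_dig_header(text: str) -> DigHeader:
    """Extract the status and flag set from dig's ';; ->>HEADER<<-' block."""
    status = _STATUS_RE.search(text)
    flags = _FLAGS_RE.search(text)
    if status is None or flags is None:
        raise ValueError("not a dig-style response header")
    return DigHeader(status.group(1), frozenset(flags.group(1).split()))


def is_authenticated(hdr: DigHeader) -> bool:
    """True only when a validating resolver confirmed the chain of trust.

    The `ad` flag is set by the resolver, never by the authoritative server,
    and only after the RRSIGs chained up to a configured trust anchor.
    """
    return hdr.status == "NOERROR" and "ad" in hdr.flags


def classify_resolver(good: DigHeader, bogus: DigHeader) -> str:
    """Combine both probes: a single `ad`-less answer proves nothing on its own,
    because a validating resolver also omits `ad` for unsigned zones."""
    ad_on_good = is_authenticated(good)
    bogus_rejected = bogus.status == "SERVFAIL"
    if ad_on_good and bogus_rejected:
        return "validating"
    if not ad_on_good and bogus.status == "NOERROR":
        return "not validating"
    return "inconsistent"  # e.g. mixed resolvers behind one address, or bad probe names


def classify_samples() -> dict:
    """Run the classifier over the constructed samples above."""
    return {
        "validating resolver": classify_resolver(
            parse_dig_header(GOOD_VALIDATING), parse_dig_header(BOGUS_VALIDATING)),
        "plain resolver": classify_resolver(
            parse_dig_header(GOOD_PLAIN), parse_dig_header(BOGUS_PLAIN)),
    }


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label}: {verdict}")
```

The two-probe design matters: the absence of `ad` on a single query does not tell you the resolver is not validating (the zone may simply be unsigned), and a `SERVFAIL` on its own may be an unrelated outage. Only the pair, a signed name that authenticates plus a deliberately broken name that is refused, shows that the resolver is actually checking signatures. Keep in mind the caveat from the interview: a resolver will only set `ad` when the query itself asked for DNSSEC (`+dnssec` sets the DO bit), and the "Windows resolver" case described above will not validate regardless of what the upstream does.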
AK: Once it's enabled everywhere, as long as the ISP's or corporate resolver has DNSSEC validation enabled, it will perform all the validation checks to protect internet users from two of the main DNS attack vectors – cache poisoning and man-in-the-middle attacks. The checks occur without the end user doing anything. It all goes on behind the scenes and is so quick the user doesn't even realise it's happened. It guarantees that the answer to the question asked, that is the domain name requested, has not been modified or tampered with in transit from the authoritative server to the ISP's resolver. What it doesn't do is provide encryption, so what one looks up and visits is still visible in the DNS, and it doesn't protect from viruses or DDoS attacks. So it's not a silver bullet for protection online, but what it does protect against, it does so very well. And internet users are much safer as a result.

auDA is the host of the auIGF each year, and the 2016 security-focused panels will be announced at the start of the year. You can register to hear more about how to get involved by emailing auigf@auda.org.au to be added to the mailing list.