Tag Archives: France

AFNIC invites network managers to prepare for the signing of the DNS root in May 2010

[news release] From May 2010, all the root servers on which the domain name system depends will give DNS responses signed using the DNSSEC protocol.

This change aims to increase confidence in DNS responses (by authenticating their origin); administrators of networks connected to the Internet should be aware that it could cause some service disruptions.

The changes in the root server configuration could, in certain cases, cut a network off from the DNS and therefore disrupt its Internet service.

AFNIC’s advice

1. Check whether your network and your DNS service could be affected by this potential malfunction. On a machine where dig is installed, run:

dig +short rs.dns-oarc.net txt

2. Check that the response indicates more than 1500 bytes. For instance:

“203.0.113.1 DNS reply size limit is at least 4023 bytes”

3. If the tests indicate that packets larger than 1500 bytes cannot get through, analyze the whole network and the intermediate equipment (firewalls), then make sure that everything is properly configured.

4. Another alternative, if you do not have a simple DNS client like dig:
<labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues>

This tool, developed by the RIPE-NCC, requires Java.

5. For end users (company, university or domestic ISP subscriber), please check with your ISP.
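The check in steps 1 to 3 can be scripted. The following is an added example, not part of the AFNIC release: it parses the reply-size line shown in step 2 and classifies it against the 512-byte and 1500-byte limits the release discusses. The function names, the result labels and every sample line except the one quoted in step 2 are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret the TXT answer of `dig +short rs.dns-oarc.net txt`.

# Extract N from a line "... DNS reply size limit is at least N bytes".
# Any other lines in the answer are ignored; prints nothing if no line matches.
reply_size_limit() {
    printf '%s\n' "$1" |
        sed -n 's/.*DNS reply size limit is at least \([0-9][0-9]*\) bytes.*/\1/p' |
        head -n 1
}

# Classify the limit against the two thresholds named in the release.
classify_reply_size() {
    limit=$(reply_size_limit "$1")
    if [ -z "$limit" ]; then
        echo "unknown"             # test answer missing or not understood
    elif [ "$limit" -le 512 ]; then
        echo "blocked-over-512"    # something drops replies above the old DNS limit
    elif [ "$limit" -le 1500 ]; then
        echo "blocked-over-1500"   # replies larger than the MTU (fragments) are lost
    else
        echo "ok"                  # more than 1500 bytes, as step 2 requires
    fi
}

# Sample answers. The first is the line quoted in step 2; the others are constructed.
SAMPLE_OK='"203.0.113.1 DNS reply size limit is at least 4023 bytes"'
SAMPLE_FRAG='constructed.extra.line.example.
"203.0.113.1 DNS reply size limit is at least 1403 bytes"'
SAMPLE_512='"203.0.113.1 DNS reply size limit is at least 486 bytes"'

for sample in "$SAMPLE_OK" "$SAMPLE_FRAG" "$SAMPLE_512"; do
    echo "$(reply_size_limit "$sample") bytes: $(classify_reply_size "$sample")"
done

# Pass --live to test the resolver this machine actually uses (requires dig).
if [ "${1:-}" = "--live" ]; then
    classify_reply_size "$(dig +short rs.dns-oarc.net txt)"
fi
```

An "unknown" result on a live run means the test answer itself did not arrive or did not contain the expected line, which is worth investigating in the same way as a low limit.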

Technical background

The DNS root is signed with the DNSSEC technology. In 2010, the root servers will start giving signed responses. From next May, the 13 root DNS servers will send the DNSSEC information. This includes cryptographic signatures, whose size is about five to ten times that of a standard DNS response. These signatures will exceed the previous DNS limit of 512 bytes and sometimes even the 1500 bytes of the Ethernet MTU (“Maximum Transmission Unit”), the most widely used on the Internet.

RFC 2671, which extended the 512-byte limit, was published in August 1999 and is more than ten years old. Even so, there are still some firewalls and other network equipment which are badly designed or not properly configured and will reject DNS responses longer than 512 bytes.

Among the equipment that accepts longer responses, some does not correctly handle IP packet fragmentation (for instance, because it blocks all ICMP packets) and therefore cannot receive DNS packets larger than the MTU (generally 1500 bytes).

Some of the networks which reject DNS packets larger than 512 bytes, or even the ones which only reject those longer than 1500 bytes, will no longer be able to “communicate” with the DNS root after May 2010 (that is, they will no longer get any response) and will therefore be practically unable to access the Internet.

Glossary:
DNS: en.wikipedia.org/wiki/Domain_Name_System
DNSSEC: en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
ICMP: en.wikipedia.org/wiki/Internet_Control_Message_Protocol
MTU: en.wikipedia.org/wiki/Maximum_Transmission_Unit

ROOT: the set of servers spread around the world upon which the domain name system relies. These servers have a key role in dispatching requests to the right name servers of the relevant TLD (Top-Level Domain), such as .fr or .com.

Some useful links:

– The root signing plan announcement
<www.ripe.net/ripe/meetings/ripe59/presentations/uploads/presentations/Tuesday/Plenary%2014:00/Abley-DNSSEC_for_the_Root_Zone.mId7.pdf>
– The official website for the signing project
<www.root-dnssec.org/>, with the roll-out timetable
– Instructions for a root server
<labs.ripe.net/content/preparing-k-root-signed-root-zone>
– Can your DNS server accept any size packet (in French)?
<http://www.bortzmeyer.org/dns-size.html>
– A French language mailing list about the DNS, where you can get support from peers
<https://listes.cru.fr/sympa/info/dns-fr>

-=-=-=-=-=-=-

About AFNIC

(Association Française pour le Nommage Internet en Coopération)

A non-profit organization, AFNIC is in charge of the administrative and technical management of the .fr (France) and .re (Reunion Island) Internet domain names.
AFNIC brings together public and private members: representatives from the French government, Internet users and Internet Service Providers (Registrars).

For further information, see www.afnic.fr/afnic/presentation

To register your .FR domain name, check out Europe Registry here.

This AFNIC news release was sourced from:
www.afnic.fr/actu/nouvelles/240/afnic-invites-network-managers-to-prepare-for-the-signing-of-the-dns-root-in-may-2010

AFNIC Reports .FR Domains Grow 25% in 2009

AFNIC, the registry for .FR (France) and .RE (Reunion Island), has published the 2009 edition of the French Domain Name Industry Report. Highlights of the report are that the 1.5 millionth .FR domain name was registered in September of this year and that, despite the global financial crisis, registrations grew 25 per cent year-on-year.

Other highlights were that .FR domain names now account for one-third of all domain names registered in France, a figure that is growing rapidly following the liberalisation of policies in recent years and a doubling of registrations since 2006.

The secondary market for .FR domains is also growing, with the report showing a rise of 35 per cent in the total number of .FR domain name transactions year-on-year, although the average price was still quite low: around €12 before VAT.

The use of IPv6 addresses is also growing, with around five per cent of .fr names supporting IPv6 for DNS servers and two per cent for the webservers, although the proportion for email servers is lower.

.FR Domains to be Available to French Living Abroad in 2010

.FR domain names will be available to French expatriates living outside of France in the first quarter of 2010, among a number of changes that are part of the AFNIC 2010 Action Plan.

The change is intended to take place in March 2010, when any French national whose normal place of residence is abroad will be able to register a .FR domain name.

AFNIC will be maintaining the present process for registration and verification of individuals:

  • there will be no new technical tests on entry of the data, in order to minimise the burden of checking domain name holders’ geographical location
  • AFNIC will check eligibility with the registrars managing the domain name:
  • the administrative contact person must have a presence on French territory
  • these eligibility checks will be triggered by complaints from outside, as well as in the course of random checking.

Also as part of the Action Plan, AFNIC is planning to introduce the DNSSEC protocol for .FR in 2010. DNSSEC (Domain Name System Security Extensions) uses digital signatures to increase the security of data provided by the DNS.
