Tag Archives: Germany

Yes to Secure Internet! – DNSSEC Is Coming for .de

DENIC logoDNSSEC Testbed Concluded Successfully – Launch of Extended DNS Protocol Scheduled for 31 May 2011

[news release] DNSSEC (Domain Name Security Extensions) shall improve security for .de domains too in the future. This is the result of the broad-based test phase that ended with today’s concluding meeting.

“DNSSEC has successfully passed the operative phase in the testbed,” says DENIC’s CEO, Sabine Dolderer. Thus DENIC will launch DNSSEC on 31 May 2011. “I am confident that this is another important step towards security on the Internet,” so Sabine Dolderer in the DENIC head office in Frankfurt. What precisely shall be avoided by DNSSEC? The redirection of users to websites they did not intend to visit, the reading of data by unauthorized third parties, and the manipulation of contents. The testbed was launched jointly by DENIC, the Association of the German Internet Economy eco e.V. and the Federal Agency for Security in Information Technology (BSI) and ran from July 2009 to December 2010.

Close Cooperation

Apart from verifying technical feasibility, the testbed addressed a large variety of issues all around DNSSEC. To make such a broad approach possible particular attention was paid to designing the testbed appropriately for all stakeholders, from Internet service providers (ISP) to end product vendors, being involved. It was just this cooperative approach which proved a success factor. In close cooperation, the testbed participants quickly identified problems, worked out solutions and developed new processes. To give just one example, the DENIC registry interface was extended so that real-time registration of key material became possible. The results of the DNSSEC testbed, like the extension of the NAme Server Testers (NAST), have already been incorporated in everyday working practice. You will find further information about the extension of the NAme Server Testers (NAST) and the DNSSEC testbed in general on the DENIC website at www.denic.de/en/domains/dnssec.html. DENIC is planning to launch DNSSEC on 31 May  2011. This will give registrars, ISPs and users sufficient lead time to prepare the launch and thus to ensure reliable application of the extended DNS protocol.

Background information:


The Domain Name System (DNS) converts the domain entered by the user into an IP address that can be processed by the computer. So the DNS can be called the telephone directory of the Internet. At present, the transfer of the DNS information – i.e. the resolution of the domain into the corresponding IP address – is not encrypted. This situation provides possibilities for altering the resolving name servers en route or by cache poisoning and to redirecting the user to manipulated sites. DNSSEC applies a digital signature to the name server records and thus ensures that the information will reach the user without any alterations. In addition to that, the sender of the information can be reliably authenticated. The procedure cannot prevent, however, that false information is signed or that the user is misled on a higher level.
In July 2008, the Kaminsky Report (www.doxpara.com/DMK_BO2K8.ppt) reported about vulnerable aspects of the Domain Name System (DNS), which enable forging the records stored in the cache of a DNS server. In doing so, the attacker can gain control over the name resolution of specific hosts or domains and can use this as a basis for further attacks.

About DENIC eG

As the central registry, DENIC administers the now more than 14 million domains under the Top Level Domain .de and thus provides a crucial resource for users of the Internet. It sees its role as that of a competent, impartial provider of services for all domain holders and Internet users. With more than 120 employees, DENIC creates the foundation through its work for German Internet pages and e-mail ad-dresses to be accessible throughout the world. The about 270 members of the Cooperative are IT or telecommunications businesses based in Germany and elsewhere. Working in cooperation with them and other partners, DENIC is committed to guarantee the secure operation of the Internet and its further worldwide development as a not-for-profit organization.

It operates the automatic electronic registration system for its members, runs the domain database for the Top Level Domain .de and the German ENUM domain (.9.4.e164.arpa), manages the name server services for the .de zone at currently 15 locations distributed throughout the world, and renders a con-siderable contribution to the further organizational and technical development of the Internet in coopera-tion with international bodies (e.g. ICANN, CENTR, IETF).

This DENIC news release was sourced from:

Europe Registry logoTo register your .DE domain name, check out Europe Registry here.

DENIC To Release Nine Remaining Short Domains in January

DENIC logoOn 12 January 2011, 10:00 CET, the registry for .DE domain names, DENIC is going to make available nine short domains for registration which were previously blocked due to temporary injunctions: dw.de, e.de, f.de, g.de, hr.de, sr.de, x.de, y.de and z.de.

The information below was provided by DENIC:

Registration will be made applying DENIC’s standard “first come, first served” principle. Since the number of available domains is extremely limited, DENIC will use a special procedure: Applicants will have to submit requests by fax to fax numbers established for this particular purpose. This will be the only permitted submission channel. There will be a separate fax number for each domain, which will be active for a period of 30 minutes. The first period will start on 12 January 2011 at 10:00 CET.

Time (CET) Domain Fax Number
10:00 – 10:30 dw.de +49 69 24248559
10:30 – 11:00 e.de +49 69 24248603
11:00 – 11:30 f.de +49 69 24248736
11:30 – 12:00 g.de +49 69 24005984
12:00 – 12:30 hr.de +49 69 24005985
12:30 – 13:00 sr.de +49 69 24005986
13:00 – 13:30 x.de +49 69 24005988
13:30 – 14:00 y.de +49 69 24005989
14:00 – 14:30 z.de +49 69 24005990

DENIC will accept only registration requests which are submitted on a specific request form designed for this purpose. Interested parties can download this form from the DENIC website: There is a separate form for each domain.

The fax server is configured to receive no more than one page per fax transmission and will automatically terminate the connection after one page. Thus, interested parties must ensure that their fax machine will not include a cover sheet for the transmission or spread the text over two pages. The above mentioned fax number will be connected 24 hours before the official launch of the registration period, so that own fax configurations can be tested.

The application form must be completed accurately, fully and legibly, and be signed before it is sent to DENIC. The domain will be assigned to the applicant whose complete, correctly filled in and signed fax application is received first by DENIC after opening of the registration period of the respective domain – synchronized with the time server of DENIC (ntp1.denic.de). Factual registration will be effected immediately afterwards, the domain simultaneously being recorded in the DENIC database. After that, it can ad hoc be queried via the DENIC information services (whois etc.).

In general, interested parties have to ensure that the registration and intended use of the domain does not infringe anybody else’s rights nor break any general law.

The holders of the successfully registered domains will be informed by DENIC in writing and must communicate by 26 January 2011 (date of receipt of letter or fax by DENIC) the member of the DENIC Cooperative who is going to administer the domain in the future. Otherwise, the domain will be administered by DENICdirect.

The aforementioned domains were excluded from registration when DENIC launched one- and two-character domains in October 2009 because temporary injunctions had been imposed on DENIC which prohibited registration of said domains for the time being. These temporary injunctions are no longer effective. As regards the dw.de domain, the applicant withdrew her motion for a temporary injunction. The applicant of the domains e.de, f.de, g.de, x.de, y.de and z.de waived his rights resulting from the temporary injunction after the Frankfurt Court of Appeals had ruled in favour of DENIC in the main proceedings of the x.de domain. The temporary injunctions relating to the hr.de and the sr.de domains were just lifted by the Frankfurt Court of Appeals. In its ruling, the Frankfurt Court of Appeals confirms permissibility of the registration standard of DENIC, which provides for the option to carry out registrations, including first registrations of domains at a specific point in time set by DENIC, applying the “first come, first served” principle. Similar reasons had been given by the Court of Appeals when it confirmed the ruling issued by the Regional Court of Frankfurt am Main in October 2009, which rejected to issue a temporary injunction that would have compelled DENIC to also block registration of the tv.de domain at that time. Thus, all attempts of individual applicants to evade the “first come, first served” principle with regard to the release of short domains or to be granted privileges have failed. To view all decisions go to our website.

This DENIC news release was sourced from:

Europe Registry logoTo register your .DE domain name, check out Europe Registry here.

.DE Passes 14 Million Registrations

DENIC logoThe German country code Top Level Domain passed the 14 million registrations mark Monday cementing its position as the world’s largest.

According to the most recent figures on the DENIC website there are 14,008,167 registered domain names with the registry cementing its position as the number one registry following the dramatic decline in .CN (China) registrations.

Registrations for .CN peaked at 14,082,553 in February 2009 according to their end-of-month figures and total 6,047,926 as of the most recent figures made available by the registry CNNIC.

The rapid decline is believed to have occurred due to changes in registration policies requiring more onerous identity requirements and the ending of heavily discounted domain names where domain names were sold for a few cents.

According to the most recent figures, the world’s largest ccTLDs, with current registrations unless stated, are:

  • .DE (Germany) – 14,008,167
  • .UK (United Kingdom) – 8,879,192
  • .CN (China) – 6,047,926 (as of 30/9/10)
  • .NL (Netherlands) – 4,167,098
  • .EU (European Union) – 3,329,471
  • .RU (Russia) – 3,093,737.

Europe Registry logoTo register your .DE, or any other, domain name, check out Europe Registry here.

German Registry To Introduce "ß" Domain Names

DENIC logoRegistrants will be able to register .DE domain names that include the “ß” character, DENIC have announced.
A sunrise period will commence on 26 October 2010 at 15:00 CEST that will allow holders of domains containing the character set “ss” will be granted special registration rights that expire on 16 November 2010, 10:00 CET. Continue reading German Registry To Introduce "ß" Domain Names

German Registry To Introduce “ß” Domain Names

DENIC logoRegistrants will be able to register .DE domain names that include the “ß” character, DENIC have announced.

A sunrise period will commence on 26 October 2010 at 15:00 CEST that will allow holders of domains containing the character set “ss” will be granted special registration rights that expire on 16 November 2010, 10:00 CET.

The change comes about as a result of DENIC abolishing the rule that forbids the Latin small letter sharp “s” to be used as an independent character in .DE domain names as of 16 November. The change sees DENIC following the revised standard for Internationalised Domain Names in Applications (IDNAbis). Since 4 August 2010, the IDNAbis standard allows the Latin small letter sharp “S” – also known as “Eszett” or “sharp s” (“ß”) – to be used as part of a domain name. Thus, domains such as “straße.de” (German for “street”) can now be registered.

DENIC advises that there may be unexpected results for internet users who use older web browsers and email clients. The unexpected results during the transition period comes about because most web browsers and email clients are still based on the old IDN standard. Thus, it depends on the software that is used, to which websites a user will be directed when entering a domain name that includes an “ß”.

While browser versions that are based on the new standard will display exactly the page the user has entered, older browser versions will always direct the user to the domain with “ss”. However, this domain may not necessarily be identical with the queried “ß”-domain, regardless whether both domains are registered by one and the same holder or not. DENIC has no means to influence vendors of such browsers as to when they will update their applications to make them compatible with the amendments of the IDN protocol. Thus, DENIC recommends parties interested in ß-domains to take this technical uncertainty into consideration with regards to the use of the domain.

For more information, see the DENIC announcement at:

Europe Registry logoTo register your .DE domain name, check out Europe Registry here.

DENIC Name Server Checks Now Featuring DNSSEC Functions

DENIC logo[news release] On its website, a specific interface exists which provides any user access to a tool for independently checking domain delegations in the way they are automatically verified by default by the DENIC registration system. This tool facilitates the delegation of second level domains under the German TLD .de. Moreover, it helps to avoid errors during the initial setup which may result in failures in case of domain deletions or even disturbances of entire network sections. The so-called Nameserver Predelegation Check is freely accessible to the public at www.denic.de/en/background/nast.html.

At the end of August, DENIC’s web surface for name server checks was extended by DNSSEC-specific checks. Users can deliberately activate this additional tool to test the technical parameters of DNSKEY records and to verify if the related signatures can be applied for validation. The checks have been active in the production environment for quite some time already. They are described in detail in the documentation DENIC-23, which also lists the system requirements. You will find the documentation under the aforementioned URL.

DNSSEC-specific tests can be executed with both domains already participating in the running testbed for .de and domains waiting to be registered in the testbed.

To enable users to carry out the relevant checks in their local systems, DENIC also provides an open source version of the related Name Server Test software (NAST) for download at the same URL. The software supplies detailed debugging information for individual search runs, if required.

This DENIC news release was sourced from:

Europe Registry logoTo register your .DE domain name in full, check out Europe Registry here.

CN Domain Registrations Slip Even Further

CNNIC logoThe number of .CN domain name registrations have slipped by over one million in the two months to 30 June according to statistics published on the China Internet Network Information Center’s (CNNIC) website this week.

The latest figure is 7,246,686 compared to 8,254,681 at the end of April. CNNIC, unlike many registries, often posts registration figures several months late. Others such as DENIC (.DE) and Nominet (.UK) have real time statistics.

The dramatic reductions are the result of the end of promotions that lasted for much of 2008 and 2009 where domain names could be registered for a few cents and the introduction of restrictions on registrants.

The latest figures mean .CN is still is the third highest ranked ccTLD behind .DE with 13,765,490 registrations as of 7 August and 8,654,260 for .UK (United Kingdom). .NL (Netherlands) is fourth with 3,981,555 registrations while .EU (European Union) is fifth with 3,227,644 registrations.

Europe Registry logoTo register your domain name for any of the above ccTLDs, or any other, check out Europe Registry here.

Third DENIC DNSSEC Testbed Meeting Another Great Success

DENIC logo[news release] A whole kaleidoscope of hot topics and questions all around the protocol extension DNSSEC and the persistent great interest of the Internet community made the third .de DNSSEC testbed meeting at the premises of DENIC another success.

With roughly 60 attendants from the Internet industry and Internet associations a diversified forum of users and providers of services and hard- and software tools supporting DNSSEC met in the offices of DENIC to be informed about the latest developments for combating DNS spoofing, cache poisoning and zone walking and to use the opportunity for networking.

By now, the test infrastructure set up by DENIC has achieved most of the milestones of its roadmap: Already at the beginning of March, the critical phase was entered with the initial publication of DS-Key records in the signed test version of the .de zone. Logically, also the focus of the accompanying four-meeting series is shifting more and more to practical aspects. Besides information about the current status of the testbed provided by the persons responsible for the project at DENIC, the central issues of the technical presentations of yesterday’s second-to-last DNSSEC meeting thus were the experience made and progress achieved by the DNSSEC users of the most different fields of the IT environment.

Elementary aspects and administrative processes still posing big questions for numerous TLDs also were central topics of vivid discussions: the security of NSEC3 resource records, the handling of domains that cannot be validated in error-prone zones, and, last but not least, the requirements to be defined for an appropriate policy for provider and/or DNS-operator changes under DNSSEC – all of them factors which are highly relevant to the praxis with regard to the global launch of the cryptographic protocol extension.

For reasons such as those mentioned above DENIC deliberately calculated the testbed for the generous period of 18 months from the very beginning. The declared aim of the project is to thoroughly analyze any potential operative and administrative risk and to develop substantial procedures on this basis which can be used as best practices within the scope of DNSSEC. Only long-term experience – so the credo – will provide valid results of secured practical suitability prior to launching the protocol extension in the productive environment at the start of 2011.

On 24 November 2010, the fourth and last DNSSEC testbed meeting will take place to report about the additional experience made and progress achieved with the .de zone by then. DENIC would be happy to welcome a large number of new interested parties who actively participate by operating their own domain(s) in the provided testbed, in order to have as broad as possible a basis for the final assessment of the testbed under cost-benefit aspects. By integrating the testbed in the production environment DENIC deliberately created very user-friendly conditions that make it easy to decide in favour of active participation.

Detailed information about DENIC’s latest DNSSEC testbed meeting and for all original papers, speaker profiles and live recordings of the presentations and discussions, are availlable online on the DENIC website.

Europe Registry logoTo register your .DE domain name, check out Europe Registry here.

DENIC Upgrades .DE Public-Whois in Test Environment

DENIC logoAfter a comprehensive revision, DENIC have unveiled a new version of their public-whois information query service. The new version has been available for public testing in the test environment since 2 June 2010 and is available at whois.test.denic.de. According to current planning, the new whois is scheduled to replace the current whois server on 29 June 2010.

The new version not only includes a revision of the whois architecture but also an optimisation of its functions such as a systematic elimination of inconsistencies and simultaneous standardisation of the parameter and output syntax. The aim is to make the new whois much more user-friendly.

An initial impression of the amendments and innovations is available from a special information page at www.denic.de/en/background/whois-service/changes-within-public-whois.html. Also accessible via this page is the new public-whois documentation with detailed explanations of all important information.

For testing purposes, a series of test domains is available that mirror all the potential domain statuses.

The test whois server can be accessed via whois.test.denic.de.

Europe Registry logoTo register your .DE domain name, check out Europe Registry here.

German Internet Temporarily Down Last Week

Many internet users could have found German (.DE) websites and email addresses inaccessible for a short period last week following problems with faulty servers.On Wednesday (May 12) from around 13:30 to 15:45 servers went down causing the problems meaning some domains were inaccessible with website error messages being given saying the “domain does not exist”.According to DENIC, “the reason why this situation occurred was an incomplete copying process during the regular name service data update, which is performed at 2-hour intervals. Due to this, an incomplete update of the name service data (a so-called zone file) was triggered at 12 of the 16 service locations.”The problem would not have been noticed by many internet users around the world as not all servers were affected. And the problems might have persisted for up to two hours longer than the official down time due to caching of servers’ data.This article was originally written for eBrand Services.