Internet Performance Delivered right to your inbox

Dyn Inc. Leads the Charge for Testing DNSSEC with .org

After the Public Internet Registry (PIR) began signing .org with DNSSEC in June 2009, news of the root signing becoming a reality wasn’t far behind. Add this to all the ccTLDs already signing zones and the flood gates were opened. And Dyn Inc. is there riding the wave to a more secure DNS.

Dyn Inc. introduced a DNSSEC testbed months before for those early adopters interested in experimenting. And we’re still leading the charge to bring an end-to-end secure DNS transactions to our customers. When the root is signed, we’ll be ready. We’ve published our DNSSEC Implementation Plan for all to see. And we continue to progress through our objectives.

Within our internal test bed we are signing zones in the .org TLD, and providing those DS Keys to the .org registry. Resolvers who have validated and installed the trust anchors for .org will return Authenticated Data. This is significant progress on our objective for expanding our domain name registration systems to upload DS records to parent domain name registries.

When PIR opens this up to the public in mid-2010, .org domains registered with Dyn Inc. will be ready to roll with DNSSEC validated domains.

Our two services, DynDNS.com and the Dynect Platform work together to make this possible.

A .org zone registered with Dyn Inc. with Managed DNS on the Dynect Platform can be signed and have its Authoritative Data (flag ‘aa’) returned with the appropriate key records.

Using the DynDNS.com Domain Registration interface, the DS Keys needed by the parent zone can easily be sent to the .org registry, PIR.

Once these steps have been completed, a couple of quick queries shows that the registry is sharing the DS keys, and an authenticated data set is being returned from the authorized DNS provider.

Observe the following (truncated) trace of a query for a signed zone dynlabs-dnssec.org:

$ dig dynlabs-dnssec.org +dnssec +trace

; <<>> DiG 9.6.0-APPLE-P2 <<>> dynlabs-dnssec.org +dnssec +trace
org. 172800 IN NS d0.org.afilias-nst.org.
;; Received 452 bytes from 128.63.2.53#53(H.ROOT-SERVERS.NET) in 22 ms

dynlabs-dnssec.org. 86400 IN NS ns3.p24.dynect.net.
dynlabs-dnssec.org. 86400 IN NS ns1.p24.dynect.net.
dynlabs-dnssec.org. 86400 IN NS ns2.p24.dynect.net.
dynlabs-dnssec.org. 86400 IN NS ns4.p24.dynect.net.
dynlabs-dnssec.org. 86400 IN DS 14563 5 1 525C4E838FDE51D95E002C380090FA7E01FECB94
dynlabs-dnssec.org. 86400 IN RRSIG DS 7 2 86400 20091105205421 20091022195421 3380 org. JVQ5BY6hTM...
;; Received 332 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 86 ms

dynlabs-dnssec.org. 60 IN SOA ns1.p24.dynect.net. webhost.dynlabs-dnssec.org. 2 3600 600 604800 60
dynlabs-dnssec.org. 60 IN RRSIG SOA 5 2 3600 20091121195134 20091022195134 54750 dynlabs-dnssec.org. ZuXtV5rL...
dynlabs-dnssec.org. 60 IN NSEC dynlabs-dnssec.org. NS SOA RRSIG NSEC DNSKEY
dynlabs-dnssec.org. 60 IN RRSIG NSEC 5 2 60 20091121195133 20091022195133 54750 dynlabs-dnssec.org. q6F1ld49...
;; Received 506 bytes from 208.78.71.24#53(ns3.p24.dynect.net) in 17 ms

Note the DS key returned by a2.org.afilias-nst.info. This shows that the parent zone (.org in this case) has the proper zone signing key to authenticate the data for its sub-domain.

Then we query a resolver that has the trust anchor for .org installed:

$ dig @149.20.64.20 dynlabs-dnssec.org +dnssec

; <<>> DiG 9.6.0-APPLE-P2 <<>> @149.20.64.20 dynlabs-dnssec.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59530
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dynlabs-dnssec.org.  IN A

;; AUTHORITY SECTION:
dynlabs-dnssec.org. 60 IN SOA ns1.p24.dynect.net. webhost.dynlabs-dnssec.org. 2 3600 600 604800 60
dynlabs-dnssec.org. 60 IN RRSIG SOA 5 2 3600 20091121195134 20091022195134 54750 dynlabs-dnssec.org. ZuXtV5rL...
dynlabs-dnssec.org. 60 IN RRSIG NSEC 5 2 60 20091121195133 20091022195133 54750 dynlabs-dnssec.org. q6F1ld49q...
dynlabs-dnssec.org. 60 IN NSEC dynlabs-dnssec.org. NS SOA RRSIG NSEC DNSKEY

;; Query time: 777 msec
;; SERVER: 149.20.64.20#53(149.20.64.20)
;; WHEN: Fri Oct 23 13:17:14 2009
;; MSG SIZE  rcvd: 506

Note the ad flag in the response header, which indicates the response has been validated.

The DNSSEC chain of trust is far from complete. Until the root is signed, this transaction chain is still compromised. But, when that happens, and it will, Dyn Inc. is well ahead of the curve.

DNSSEC Implementation Preview

So far, we’ve implemented one half of the DNSSEC puzzle on each of our platforms; the Dynect Platform has the ability to sign your zone and manage your keys, while DynDNS.com has the ability to push DS records up to the registry for .org as part of the test phase of DNSSEC deployment for .org.

If you’re a Dynect Platform customer, you can get access to the DNSSEC functionality by getting in touch with your sales representative; for DynDNS.com, you will need to wait until the official launch date for DNSSEC support in .org in order to access these features.

Here, we’ll preview the process for you with the domain dynlabs-dnssec.org:

Sign your zone in the Dynect Platform

Dynect DNSSEC

Retrieve your DS record from the Dynect Platform

Dynect DNSSEC

Use DynDNS.com to publish your DS record to .org

DynDNS DNSSEC

DynDNS DNSSEC

DynDNS DNSSEC


Share Now

Whois: Dyn Blog

Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.