
Dyn Inc. Leads the Charge for Testing DNSSEC with .org

After the Public Internet Registry (PIR) began signing .org with DNSSEC in June 2009, news of the root signing becoming a reality wasn’t far behind. Add this to all the ccTLDs already signing their zones and the floodgates were opened. And Dyn Inc. is there riding the wave to a more secure DNS.

Dyn Inc. introduced a DNSSEC testbed months ago for those early adopters interested in experimenting. And we’re still leading the charge to bring end-to-end secure DNS transactions to our customers. When the root is signed, we’ll be ready. We’ve published our DNSSEC Implementation Plan for all to see, and we continue to progress through our objectives.

Within our internal testbed we are signing zones in the .org TLD and providing the corresponding DS records to the .org registry. Resolvers that have validated and installed the trust anchor for .org will return Authenticated Data for these zones. This is significant progress on our objective of extending our domain name registration systems to upload DS records to parent domain name registries.

When PIR opens this up to the public in mid-2010, .org domains registered with Dyn Inc. will be ready to roll with DNSSEC validated domains.

Our two services, and the Dynect Platform work together to make this possible.

A .org zone registered with Dyn Inc. and served by Managed DNS on the Dynect Platform can be signed, so that its authoritative answers (flag ‘aa’) are returned together with the accompanying DNSSEC records.

Using the Domain Registration interface, the DS records needed by the parent zone can easily be sent to the .org registry, PIR.

Once these steps have been completed, a couple of quick queries show that the registry is publishing the DS records and that an authenticated data set is being returned from the authoritative DNS provider.

Observe the following (truncated) trace of a query for a signed zone:

$ dig +dnssec +trace

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec +trace
org. 172800 IN NS
;; Received 452 bytes from in 22 ms
86400 IN NS
86400 IN NS
86400 IN NS
86400 IN NS
86400 IN DS 14563 5 1 525C4E838FDE51D95E002C380090FA7E01FECB94
86400 IN RRSIG DS 7 2 86400 20091105205421 20091022195421 3380 org. JVQ5BY6hTM...
;; Received 332 bytes from in 86 ms
60 IN SOA 2 3600 600 604800 60
60 IN RRSIG SOA 5 2 3600 20091121195134 20091022195134 54750 ZuXtV5rL...
60 IN NSEC NS SOA RRSIG NSEC DNSKEY
60 IN RRSIG NSEC 5 2 60 20091121195133 20091022195133 54750 q6F1ld49...
;; Received 506 bytes from in 17 ms

Note the DS record returned by the .org servers above, together with its RRSIG. This shows that the parent zone (.org in this case) publishes a digest of the key used to sign its sub-domain, which is what a validating resolver needs to authenticate the sub-domain’s data.

Then we query a resolver that has the trust anchor for .org installed:

$ dig @ +dnssec

; <<>> DiG 9.6.0-APPLE-P2 <<>> @ +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59530
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;  IN A

;; AUTHORITY SECTION:
60 IN SOA 2 3600 600 604800 60
60 IN RRSIG SOA 5 2 3600 20091121195134 20091022195134 54750 ZuXtV5rL...
60 IN RRSIG NSEC 5 2 60 20091121195133 20091022195133 54750 q6F1ld49q...
60 IN NSEC NS SOA RRSIG NSEC DNSKEY

;; Query time: 777 msec
;; WHEN: Fri Oct 23 13:17:14 2009
;; MSG SIZE  rcvd: 506

Note the ad (Authenticated Data) flag in the response header, which indicates the resolver has validated the response against its .org trust anchor.

The DNSSEC chain of trust is far from complete. Until the root is signed, this chain is still broken at the top: a resolver only gets the ad flag here because it has a trust anchor for .org installed by hand. But when the root is signed, and it will be, Dyn Inc. is well ahead of the curve.
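To make the two observations above concrete (the DS record published by .org, and the ad flag a resolver sets once it has checked the delegation), here is an added example of the check a validating resolver performs at a delegation point: does a DS record in the parent match a DNSKEY served by the child? It is not code from the original post or from Dyn; it is a standard-library Python implementation of the RFC 4034 key-tag algorithm (Appendix B) and of the DS digest over the canonical owner name plus DNSKEY RDATA, covering digest type 1 (SHA-1, as in the .org DS record shown above) and digest type 2 (SHA-256). The DNSKEY material below is constructed for illustration and is not a real key; only the DS record parsed from the trace above comes from the page.

```python
"""Delegation check: does the parent's DS record match the child's DNSKEY?

Added example (not from the original post). Stdlib only: hashlib, struct.
"""
import hashlib
import struct

# Digest types a validating resolver must support (RFC 4034 type 1, RFC 4509 type 2).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample public key material for the examples below; NOT a real key.
SAMPLE_PUBKEY = bytes(range(1, 65))


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase, uncompressed) wire format."""
    stripped = name.strip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit one's-complement-style sum over the RDATA.

    Valid for every algorithm except the obsolete RSA/MD5 (algorithm 1).
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name wire form || DNSKEY RDATA), upper-case hex."""
    h = DIGESTS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 1) -> tuple:
    """Build the DS tuple (key tag, algorithm, digest type, digest) a parent would publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def parse_ds(presentation: str) -> tuple:
    """Parse DS RDATA as dig prints it, e.g. '14563 5 1 525C4E...'; the digest may be split."""
    fields = presentation.split()
    tag, alg, dtype = (int(f) for f in fields[:3])
    return tag, alg, dtype, "".join(fields[3:]).upper()


def ds_matches_dnskey(ds: tuple, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """The delegation check a validating resolver performs before it will set 'ad'.

    Every field of the DS must agree with the child's DNSKEY: algorithm, key tag,
    and finally the digest over the owner name and RDATA. Unknown digest types
    are treated as non-matching rather than trusted.
    """
    tag, alg, dtype, digest = ds
    if alg != algorithm or dtype not in DIGESTS:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if key_tag(rdata) != tag:
        return False
    return ds_digest(owner, rdata, dtype) == digest.upper()


if __name__ == "__main__":
    # The DS record .org served for the test zone in the trace above.
    print("DS from the .org trace:", parse_ds("14563 5 1 525C4E838FDE51D95E002C380090FA7E01FECB94"))
    # Constructed child KSK (flags 257 = ZONE + SEP), protocol 3, algorithm 5 (RSA/SHA-1).
    ds = make_ds("example.org.", 257, 3, 5, SAMPLE_PUBKEY)
    print("DS the parent would publish for the sample key:", ds)
    print("matches genuine key:", ds_matches_dnskey(ds, "example.org", 257, 3, 5, SAMPLE_PUBKEY))
    print("matches tampered key:",
          ds_matches_dnskey(ds, "example.org", 257, 3, 5, SAMPLE_PUBKEY[:-1] + b"\x00"))
```

The owner name is folded to lowercase before hashing, so a DS computed for example.org. verifies a DNSKEY answered for EXAMPLE.ORG; a mismatch in the key tag is a cheap early rejection, but only the digest comparison actually binds the parent's record to the child's key.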

DNSSEC Implementation Preview

So far, we’ve implemented one half of the DNSSEC puzzle on each of our platforms; the Dynect Platform has the ability to sign your zone and manage your keys, while has the ability to push DS records up to the registry for .org as part of the test phase of DNSSEC deployment for .org.

If you’re a Dynect Platform customer, you can get access to the DNSSEC functionality by getting in touch with your sales representative; for, you will need to wait until the official launch date for DNSSEC support in .org in order to access these features.

Here, we’ll preview the process for you with the domain

Sign your zone in the Dynect Platform

Retrieve your DS record from the Dynect Platform

Use to publish your DS record to .org

Whois: Dyn Blog

Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.