Home / Blogs

The Mailbox That Saved DNSSEC

The Ulf Berkvist’s mailbox.A very long time ago, back in the ancient time of year 2006, the registry for .se domains, also called .SE (http://www.iis.se), opened up for signing .se zones with DNSSEC. In those days .SE did not have a registrar/registry model and my own company Interlan was then an agent for .SE.

One day I suddenly got a mail from .SE regarding secure DNS—DNSSEC. This new solution really grabbed my attention. Since I had previously worked with Secure Enduser Connection (or SEC) , I almost immediately saw the benefits that such a solution could give to a better and more secure Internet. In my work with SEC I had seen the problems caused by DNS-spoofing and that DNSSEC could now very well be the solution that got rid of that issue in the future. Naturally I started to dig and seek further information about DNSSEC…?I am a “native” BIND user and find that the Zone Key Tool / ZKT (http://www.hznet.de/dns/zkt/) from Holger Zuleger was a quick and easy way to start with DNSSEC. This tool is actually something that I still today use to sign and manage DNSSEC.

Back in 2006, as well as today, I lived in the city of Gävle and not far away from Ulf Bergkvist, then the IT Operations Manager at the municipality of Gävle. Myself and my company has now worked along side each other for more or less 20 years and since we are more or less neighbor’s we often run in to each other at his (physical) mailbox. By this mailbox we share some comments about the weather, the latest news, the price of milk and naturally also our work.

So sometime in May 2007, in the very early part of the Swedish summer, I shared some comments with Ulf about how we both should cut the grass on our lawn, but also some talk about my new found discovery—DNSSEC. An idea came into my head, what if the city of Gävle was the first municipality to sign their DNS zone with DNSSEC. If so, our hometown and municipality could reach enormous respect and be famous worldwide for their visionary thoughts. ...well, at least to some extent and in some areas of expertise :)

The .SE Press Release (in Swedish)I told Ulf my idea, right there by his mailbox, and he thought why not!

So, did Gävle then get its 15 minutes of fame and glory that we had hoped for? Well, it was the first one out and they got famous, but sadly not quite in the way that we expected…

From the discussion by Ulf’s mailbox, I went on and in September 2007 started to sign the domain gavle.se. By then the nearby municipality of Ockelbo had also gotten on the train.

Everything looked good so far. I worked closed with the staff at .SE, who monitored the process and were quite excited about the project. I should also add that during the summer I had signed my own company, interlan.se, with DNSSEC.

After the first day of work we were all quite pleased with ourselves and all relaxed and calm. But this feeling was about to change.

A few days later, again right by his mailbox, I met with Ulf Bergkvist. The grass on our lawns where still high but Ulf also told me that their support had noticed some cases where the user couldn’t reach the gavle.se domain from their home Internet access. We just shook our head, still a bit overconfident about our success, and decided to tell them to do the standard “troubleshooting 1A” and reboot everything at home.

Unfortunately the “troubleshooting 1A” didn’t do the trick and the following day even more support cases with the same problem were noticed. I then turned to my fellow mates at .SE. Together with the staff at .SE and Jakob Schlyter from Kirei I formed a taskforce and we started off into the wilderness to find a solution. After we had done some “sniffing” at the homes of some of the users with problem, we realized that if the ISP’s resolver had the latest BIND and also were the one validating DNSSEC, it sometimes didn’t work. After some more troubleshooting we found that the problem was that BIND returned the AD flag if the zone was signed, even if the client didn’t ask for it with the DO flag. We could also see that some of the routers that the users had in their homes accepted the AD flag, and some didn’t.

When we now had spotted and found the source of the problem, ISC quickly made a patch to fix this and the large ISP’s in Sweden also installed the patch rapidly. Two weeks later the domain gavle.se were resigned.

On this background .SE also launched a service to check the DNSSEC capability of routers (see: DNSSEC - Tests of Consumer Broadband Routers [PDF])

So meeting points, such as your neighbor’s mailbox, and the small talk that occurs thereby, can lead to quite extensive activities and can have input on a large amount of people. To put this into a somewhat greater scale, I have later been told that a very large Swedish bank where about to sign their domain, but upon our new learning and input pushed their project ahead. What if the bank had been the first one out and if a million people suddenly weren’t able to pay their bills??Well, my guess is that DNSSEC then had had an even steeper hill to climb in the reach of its success.

I therefore send my thanks to Ulf’s mailbox! :)

By Torbjörn Eklöv, CTO, Senior Network Architect, DNSSEC/IPv6

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



Domain Management

Sponsored byMarkMonitor

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPXO


Sponsored byVerisign

Domain Names

Sponsored byVerisign