Ten years ago today, and with 300,000 domains in the zone file, we introduced DNSSEC at .se. It was the end of a fairly long journey, or at least the first stage. The first Swedish workshop to test the new function according to the specifications from the Internet Engineering Task Force was arranged in 1999. At that time, I was still working in the IT Commission’s Secretariat, and the standard was far from complete as it turned out. Our ambition was to change the world, at least the world that exists on the internet.

(This is a translated blog post. You can find the Swedish version here.)

* * *

False DNS information creates the risk of leading email traffic to an undesired location, to steal information or disturb the transaction. For example, if a user wants a specific website, false DNS information makes the user go to a different website that can have false content or fraudulently entice the user to give sensitive information by representing someone other than the bank, tax authority, social insurance, or anything else. The DNS world knew this earlier but it took many years to produce an antidote. The answer to the question turned out to be DNS Security Extensions (DNSSEC), which makes it possible to detect the use of manipulated and falsified information from name servers through the use of digital signatures.

The fact that we were first that made it, we also had to invent all the wheels on our own. Well aware that we would be seen as role models for the rest of the world, we were very careful to document and make the transition in a controlled manner. Starting September 13th, we delivered a signed zone file to one operator each day. The idea behind this gradual process was that we would be able to handle any problems without time pressure. During a short transition period, NIC-SE, which we called it at the time, distributed both an unsigned and a signed version of the .se zone from our distribution points. Everything went through without problems and on September 16th we were finished with the transition.

The Swedish top-level domain was the first top-level domain in the world to introduce DNSSEC. However, it was not enough that the .se zone could handle DNSSEC. Name servers for underlying domains and the users name server that handled the lookup of names to the IP addresses, the so-called resolver, had to also be able to handle the technology. Through the years, we have had many efforts to persuade them to do this.

The supervising authority PTS has been very supportive of the work and they decided early on to test how hard it would be to implement DNSSEC. The result of tests carried out showed that the introduction of DNSSEC was generally simple to implement for name server operators. What was missing was automated and standardized tools for key generating and zone signing, which were important for the use of DNSSEC to take off and that the increased manual work would not negate the increased security that DNSSEC otherwise brought.

So here we are ten years later and the .se zone has grown to 1,257,830 domains of which 585,088 are signed. Most internet operators in Sweden validate answers signed with DNSSEC. DNSSEC is still the way to go to achieve increased trust in the DNS service and thus the internet. Today there are 895 top-level domains signed with DNSSEC.

Expensive? No.

There is free software for signing. An upgrade of one’s own IT environment must be done sometimes anyway. Take the opportunity when it happens and it won’t be so burdensome. There is well spread DNS software that supports validation. It takes only slightly more hardware and does not require much additional care.

Difficult? Nah.

It’s not hard to start signing, but it does require a little order in the IT environment, of course. It is also not difficult to start validating, but it requires more knowledge to understand and debug. With DNSSEC, troubleshooting is more difficult than traditional DNS.

What have we learned?

That we poked at an anthill and eventually by every means of persuasion, we got more and more registrars to sign customer domains revealing weaknesses and shortcomings in the available software, something that benefits everyone.

We learned that the carrot must be fairly juicy to attract registrars, so we introduced the opportunity to receive compensation for every registered domain provided they responded properly to DNS queries.

Our work with DNSSEC has given us experience—both internal and for others who work with DNSSEC; developers, registers, registrars and internet operators.

Are we done yet?

Signing of DNS with DNSSEC is only the beginning. Something we quickly found was that the signing of the domain name system with DNSSEC created a great distribution channel for other security attributes. One example is the recently accepted standard Domain-based Authentication of Named Entities (DANE).

To blindly trust a large number of Certificate Authorities (CA) as we do today because they are pre-installed in, for example, browsers is stupid. A CA, who suffered an infringement or is simply an evil person, can issue certificates for any domain. We have seen many examples that have occurred over the past 2-3 years. DANE makes it possible for domain administrators to certify the keys used in the domain’s TLS clients and servers through storing them in DNS. This also allows DANE domain holders to specify which CA is allowed to issue certificates for any domain.

There is still a need for work to convince more registrars, for still not all registrars have signed either their own or their clients’ zones. There continues to be a need to work to convince more domain holders, above all those representing important society functions.

We thought earlier, perhaps naively, that all important functions in society would find that DNSSEC was the way to go to protect their users and customers. We could not have been more wrong. If we take Swedish banks, they are not all on track. Most municipalities are signed, but of those who are signed, not everything has been done right when it comes to DNS operations. 65 of 217 government agencies have signed their domains also with mixed results.

Patience is a virtue. I have plenty of that commodity. I think that more people will discover the need for DNSSEC. If you want to know more about what is happening in the world, ISOC has much information. Please contact us if there is something you have missed or that you think IIS can contribute to when it comes to further development of a secure internet.