DNS-Labs' main focus is always DNS and how to promote the use of DNSSEC on the internet. This is what the team is currently working on.
Improvement of Multi-Signer DNSSEC
During early 2021, DNS-Labs at The Swedish Internet Foundation worked with Shumon Huque of Salesforce and the internet pioneer Steve Crocker to solve the problem with multi-signer DNSSEC.
The aim of the project is to solve two problems. One is making it possible to have multiple operators independently hold their own keys and be able to sign on behalf of the same customer. The other is making it possible for a customer to move their service from one zone or DNS provider to another without any downtime or other disruptions.
To do this, the systems that the DNS providers use have to send and receive keys to and from other DNS systems. Coordinating the handovers has traditionally been a challenge, however.
The new software that the team is working on will take the keys from one system to the other, synchronize the handover and eliminate the errors on the way. The result is a smooth signing and re-signing of DNS, without disruptions.
The project solves a basic problem with DNSSEC that has been around since it was first implemented. Multi-signer DNSSEC might not be used on a daily basis but will hopefully be a go-to solution for DNS providers when the need arises.
A functioning version of the software is expected to be finalized by midsummer of 2021. The team hopes that it will ultimately make the roads of the internet a bit smoother.
Implementation of CDS/CDNSKEY
The implementation of CDS and CDNSKEY functionality for the .se and .nu zones is one of several initiatives from The Swedish Internet Foundation to make it easier to enable DNSSEC. This project is developed in close cooperation with our IT-Development team, which implements the function in our registry system.
This is DNSSEC
The security extensions make the internet safer by protecting information from manipulation when it passes through the domain name system.
CDS/CDNSKEY allows a name server operator to enable DNSSEC for zones they handle without the need to contact the responsible registrar.
CDS/CDNSKEY is a recent feature that is currently being implemented among registries. One organization that has already implemented it is .cz in the Czech Republic. By implementing the functionality for the .se and .nu zones, DNS-Labs and The Swedish Internet Foundation aim to make CDS/CDNSKEY a standard functionality among registries.
DNS-Labs will also implement scanning for CSYNC records (RFC 7477). This will allow name server operators to update more technical domain information without relying on a registrar.
The .se domain is one of the leading country code top-level domains in the area of DNSSEC, and this project goes hand in hand with The Swedish Internet Foundation’s efforts through DNS-Labs to promote DNSSEC worldwide.
Transition from NSEC3 to NSEC
After extensive testing by DNS-Labs during the fall of 2020, The Swedish Internet Foundation successfully migrated the .nu domain from NSEC3 to NSEC.
The purpose of both NSEC3 and NSEC is to prove whether a name exists within a zone. This prevents malicious actors from sending fake negative responses to queries. When The Swedish Internet Foundation took over the operation of .nu in 2013, it came with NSEC3 enabled, while .se has been using NSEC.
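The check a validating resolver makes on a negative answer, as an added example that is not DNS-Labs' code: given NSEC records whose signatures are assumed already verified, it decides whether a claimed non-existence is actually proven. The example.nu names and the check_denial helper are constructed for illustration, and the wildcard proof a full validator also needs is left out.

```python
"""Added illustration: does a signed NSEC record prove a name absent?

Zone data under example.nu is constructed; each NSEC's RRSIG is assumed to
have validated already, and the separate wildcard proof is out of scope.
"""

def canonical_key(name):
    """RFC 4034 section 6.1 order: lowercased labels, compared right to left."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return [lab.lower().encode("ascii") for lab in reversed(labels)]

def is_subdomain(name, parent):
    n, p = canonical_key(name), canonical_key(parent)
    return len(n) > len(p) and n[:len(p)] == p

def covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o  # last NSEC in the chain: next_name wraps to the apex

def check_denial(qname, nsec_chain, apex):
    """Classify a claimed NXDOMAIN for qname against (owner, next) pairs."""
    q = canonical_key(qname)
    if q != canonical_key(apex) and not is_subdomain(qname, apex):
        return "out-of-zone"
    for owner, next_name in nsec_chain:
        if canonical_key(owner) == q:
            return "exists"          # name has records: the denial is fake
        if covers(owner, next_name, qname):
            if is_subdomain(next_name, qname):
                return "exists"      # empty non-terminal, not NXDOMAIN
            return "proven-absent"
    return "unproven"                # no covering NSEC: reject the answer

# Constructed NSEC chain for a toy zone, as (owner, next owner) pairs.
CHAIN = [
    ("example.nu", "alpha.example.nu"),
    ("alpha.example.nu", "www.mail.example.nu"),
    ("www.mail.example.nu", "zeta.example.nu"),
    ("zeta.example.nu", "example.nu"),
]

if __name__ == "__main__":
    for name in ("beta.example.nu", "ALPHA.example.nu", "mail.example.nu",
                 "zz.example.nu", "example.se"):
        print(name, "->", check_denial(name, CHAIN, "example.nu"))
```

A denial for a name that is an NSEC owner, or that sits above one as an empty non-terminal, comes back as "exists", which is how a forged negative response is caught.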
The purpose of the migration was to increase homogeneity between the two zones and reduce complexity for .nu. Since the zone files are published online, there are no technical requirements to use NSEC3. Stability was also a concern since some European top-level domains have experienced operational issues with NSEC3. In late 2020, .nu became the first large TLD in the world to complete such a transition.
The operation fits perfectly within DNS-Labs' focus on research and development as well as sharing practical knowledge with others to contribute to a more robust and secure internet.