Två händer jobbar med DNS på ett tangentbord

Solving the decade-old problem with Multi-Signer DNSSEC

The Swedish Internet Foundation has for the last couple of months been working together with Shumon Huque of Salesforce, and the Internet pioneer Steve Crocker. Together they are solving the problem with multi-signer DNSSEC.

In this interview Nicklas Pousette, head of The Swedish Internet Foundation's DNS-Labs, and Steve Crocker share their view on the development of multi-signer DNSSEC.

The multi-signer project aims to solve two problems. Firstly, making it possible to have multiple operators independently have their own keys and be able to sign on behalf of the same customer. Secondly, to make it possible for a customer to move their service from one zone to another, or from one DNS provider to another, without any downtime or other disruptions.

To achieve this, the systems that the DNS providers use have to be able to send and receive keys to and from other DNS-systems, where one of the challenges lies in coordinating the hand-overs. Steve exemplifies this with two musicians in an orchestra. For it to become a composition, they both need to follow the same notes, and a conductor that directs the performance. The software that the team is currently developing will act as the conductor, taking the keys from one system to the other and synchronizing the hand-over, eliminating any errors. Ultimately ensuring a smooth signing and resigning of DNS, without disruptions.

Making DNSSEC easier to use

In a way, this project solves a basic problem with DNSSEC, one that has been around since DNSSEC was implemented. Multi-signer DNSSEC is not something Steve or Nicklas think will be used on a daily basis, but rather as a go-to for DNS-providers when managing previously mentioned scenarios. When asked about the project, Nicklas answers:

“We all agree that DNSSEC is a good thing, and that the multi-signer will benefit us all. It is a small step to making DNSSEC easier to use and we hope to accelerate the adoption of this protocol.”

An open and flexible software

Another challenge is that the Internet over the years has become a patchwork of several different solutions. The multi-signer software therefore needs to be as open as possible, to have a higher likelihood of working with multiple systems. The development of a functioning version of the software is expected to be finalised by midsummer this year. However, having the software is just the first step.

Once we have the software, the real work begins - getting it adopted by operators and DNS-providers. For this to happen, we need a proof of concept, something our team is currently working on with select DNS-systems. The full adoption of DNSSEC is expected to take another two years from final launch.

Looking forward to the work of others

Steve emphasizes that the team's development process is ongoing but one of the important milestones they are looking forward to is when others start building on this effort, he explains:

“Once we have a working solution in place, one of the milestones towards success will be when other projects spring up based on this work. Then it will be evident that we've passed the initial phase and have been successful in the sense that the idea is established and we're on a good path.”

Both Nicklas and Steve are convinced that this will be a successful project and that multi-sign DNSSEC will ultimately “make the roads of the Internet a bit smoother”.

Medarbetare står och samtalar i möte med laptops

This is DNS-Labs

The DNS research and development team at The Swedish Internet Foundation encourages the development of new technologies and solutions within DNS to make the internet more stable and secure.