Language List
Bottom Edge
HomeAbout .ORGGet a .ORG DomainStrengthening the InternetNews / EventsPublicationsAbout PIRInternet SocietyWeb ResourcesRegistrar ResourcesSearch This Site
Registrar Resources
Registrar Resources
Registrar Relations Area
Become a Registrar
Step 1: Apply
Step 2: Meet Technical Requirements
Step 3: Complete Business and Legal Documentation
FAQs
General Questions
Registrar Toolkit Questions
OT&E Certification Questions
Registrar Security Questions
DNS Security Questions
Zone File Access
DNS Security Testbed
DNS Security
1. What is DNS Security (DNSSEC)?
2. What is an answer in DNSSEC?
3. What does DNSSEC protect against?
4. How does DNSSEC protect against this attack?
5. What is a DNS resolver?
6. Will this .ORG zone be "live" in the DNS?
7. Will this .ORG zone be prepopulated?
8. Will the DNS for the testbed be accessible to the public?
9. How will people be able to see domains in the testbed DNS?
10. How many connections will be available to registrars in the testbed?
11. Will registrars be charged for registering domains in the testbed?
12. What DNSSEC information will be collected in the testbed using the EPP (Extensible Provisioning Protocol) extension?
13. What is a key rollover?
14. What would happen if people did not update their resolvers with the new .ORG zone key?
15. Since this could cause resolution problems, why would PIR ever do a key rollover?
16. How does a scheduled rollover prevent key compromise?
17. Do you plan a scheduled key rollover in the DNSSEC testbed?
18. How will people be made aware of a key rollover?
19. How many domains can be registered in the testbed?
20. How is a DNSSEC registration different from a current .ORG domain registration? What additional data are collected?
21. Where can I go to learn more about DNSSEC?


1. What is DNS Security (DNSSEC)?
DNSSEC is an addition to the Domain Name System (DNS) protocols; it is designed to add security to the DNS by protecting the Internet from certain attacks, such as DNS cache poisoning. It is a set of extensions to DNS, which provide origin authentication of DNS data, data integrity and authenticated denial of existence.

All answers in DNSSEC are digitally signed. By checking the signature, a DNS resolver is able to check whether the information is identical (correct and complete) to the information on the authoritative DNS server.

2. What is an answer in DNSSEC?
The standard DNS works using the facilities described in RFC 1034 and RFC 1035. An answer is one of the four sections that carry query parameters and Resource Records (RRs). As RFC 1034 states:

The four sections are:

Question: Carries the query name and other query parameters.

Answer: Carries RRs that directly answer the query.

Authority: Carries RRs that describe other authoritative servers. May optionally carry the SOA RR for the authoritative data in the answer section.

Additional: Carries RRs that may be helpful in using the RRs in the other sections.

3. What does DNSSEC protect against?
Currently, a DNS resolver sends a query out to the Internet and then accepts the first response it receives, without question. If a malicious person were to send back an incorrect response (such as an address to a Web site that was really a phishing site), the resolver would use this address until its cache expired. This is referred to as a "man in the middle attack."

4. How does DNSSEC protect against this attack?
Each piece of DNS information (e.g., NS, A, MX, SOA records) has a digital signature attached to it. The resolver, using keys in a similar manner to PGP (i.e., a key pair system used to secure e-mail), verifies the signature. If it does not match, the domain will not resolve, and the resolver discards the response and waits for another.

5. What is a DNS resolver?
A DNS resolver is the program on a user’s computer that sends the query to the DNS. Once a response is received, the resolver returns the response back to the end user’s application.

6. Will this .ORG zone be "live" in the DNS?
No, it will only exist within the testbed.

7. Will this .ORG zone be prepopulated?
The .ORG zone in the DNSSEC testbed will not be prepopulated with registrars’ existing domains.

8. Will the DNS for the testbed be accessible to the public?
Yes, but only by accessing the name server directly (please see next question).

9. How will people be able to see domains in the testbed DNS?
By doing a "dig" on the testbed servers directly (i.e., dig@testbed.nameservertestbed.example.org).

10. How many connections will be available to registrars in the testbed?
In the DNSSEC testbed, only one connection per registrar will be available.

11. Will registrars be charged for registering domains in the testbed?
No, there will be no fee for registering domains in the testbed.

12. What DNSSEC information will be collected in the testbed using the EPP (Extensible Provisioning Protocol) extension?
The Delegation Signer (DS) information will be collected. The DS Resource Record type simplifies some of the administrative tasks involved in signing delegations across organizational boundaries — in this case, between the registrant and the registry. The DS RRset resides at the .ORG registry and indicates the public key(s) corresponding to the private key(s) used to self-sign the DNSKEY RRset at the registrant’s apex. The administrator of the registrant’s zone, in turn, uses the private key(s) corresponding to one or more of the public keys in this DNSKEY RRset to sign the registrant’s data. For more information, see RFC 4033 and www.ietf.org/rfc/rfc4310.txt.

13. What is a key rollover?
A key rollover occurs when the .ORG registry needs to change its side of a key pair. This will mean that the .ORG zone will need to be resigned and that the public will need to update their resolvers with the new public portion of the .ORG zone key. A key pair contains two digital keys — a private key (held only by the .ORG registry) and a public key (distributed to the public).

14. What would happen if people did not update their resolvers with the new .ORG zone key?
Once the old key is purged, domains in the .ORG zone that were signed would no longer resolve for those people who did not use the new .ORG key.

15. Since this could cause resolution problems, why would PIR ever do a key rollover?
There are two reasons. The first reason would be if the .ORG private key were compromised (i.e., stolen) and had to be immediately revoked. The second is for prevention of compromise, where a key rollover would be scheduled at regular intervals.

16. How does a scheduled rollover prevent key compromise?
Cryptographic signatures are not secure for all time: They are subject to cryptanalysis. It is therefore possible for an attacker to learn the private key in a key pair even though that key has never been disclosed, either through "brute force" or other types of attacks. Every attack takes time, however, so changing the key from time to time decreases the length of time an attacker has to attempt the compromise.

17. Do you plan a scheduled key rollover in the DNSSEC testbed?
Yes, but the date is yet to be determined.

18. How will people be made aware of a key rollover?
It will be announced on the PIR Web site.

19. How many domains can be registered in the testbed?
There will be no limit on domain registrations because more registrations will provide a better test of the DNSSEC system.

20. How is a DNSSEC registration different from a current .ORG domain registration? What additional data are collected?
A DNSSEC registration can be identical to the current .ORG domain registration. In such a case, the registered domain would not benefit from the assurances provided by DNSSEC. Alternatively, a DNSSEC registration can include the additional Delegation Signer information. That information is provided using the DNS Security extensions for EPP (see www.ietf.org/rfc/rfc4310.txt).

21. Where can I go to learn more about DNSSEC?
The dnssec.net and dnssec-deployment.org Web sites are both excellent resources to learn more about DNSSEC.


Whois Search
    .org  
advanced search >  help >
What's New
The latest issue of The World of .ORG, a quarterly e-newsletter with information and resources for the .ORG community, is available in the Publications section.
more >
A Dot-Org Stresses That It's No Dot-Com Read a New York Times article about TIAA-CREF's new powerof.org Web site.
more >
Alexa A. S. Raad named new CEO of Public Interest Registry.
more >
Get .ORG News
Sign up to receive the latest news about .ORG, including our quarterly e-newsletter.
more >
Top Edge
HOME   |    ABOUT .ORG   |    GET A .ORG DOMAIN   |    STRENGTHENING THE INTERNET   |    NEWS/EVENTS   |    PUBLICATIONS
ABOUT PIR   |    INTERNET SOCIETY   |    WEB USER RESOURCES   |    REGISTRAR RESOURCES   |    SEARCH THIS SITE

© 2005 Public Interest Registry
© 2006 Public Interest Registry        Privacy Policy | Terms of Use
Contact Us | Glossary