auDA has announced it is implementing and trialling DNSSEC to add extra security to the .au domain name space.
DNSSEC was introduced after security breaches, which ICANN described as follows: “Recently vulnerabilities in the DNS were discovered that allow an attacker to hijack this process of looking someone up or looking a site up on the Internet using their name… tak[ing] control of the session to, for example, send the user to the hijacker’s own deceptive web site for account and password collection.”
The past vulnerabilities led to calls for greater protective measures in the DNS space, with DNSSEC providing protection to the directory look-up and complementing other technologies such as SSL, acting as a security extension that “facilitates the signing of Internet communications, helping to ensure the integrity and authenticity of transmitted data.”
A statement on auDA’s website details its introduction of DNSSEC, with the trial period to last four months.
“In the .au domain space auDA is taking a step towards securing the layer between the .au zone and the root (“.”) zone,” it says.
auDA acknowledges that DNSSEC still presents challenges and is not a flawless system.
“Whilst it offers a level of trust for Internet users, where responses can be authenticated and queries verified, [DNSSEC] also introduces a new level of risk for registry operators. DNSSEC requires the inclusion of cryptographic keys in the DNS and at times frequent editing of a zone file. This level of interaction and the complexity of cryptographic keys increase the risk of error during a zone change or update. An error made to a signed zone can cause a zone to appear offline or bogus to validating resolvers.”
auDA therefore stresses that the current phase of the implementation is experimental and may not be wholly efficient during its early stages.
“auDA has taken a cautious approach to introducing DNSSEC into the .au space. This approach has allowed auDA to wait for equipment, services and processes to mature and ultimately reduce the risk to the .au domain space. Over the past 18 months auDA has conducted and completed substantial testing on multiple systems, utilising various hardware and software, in preparation for signing the .au zone.
“The signed .au zone will be considered “experimental” at this time. During this experimental phase, auDA cannot and will not guarantee continued service or stability of the signed .au zone. auDA accepts no responsibility for those who may experience outages caused by enabling DNSSEC validation against the .au zone in a production environment.”
At the conclusion of the trial, auDA plans to “submit DS records to IANA (Internet Assigned Numbers Authority) for inclusion in the root zone.”
An email address, firstname.lastname@example.org, was provided as the main point of communication with auDA regarding DNSSEC, acting as a mailing list for user feedback and announcements of important developments.