AuDA starts final round of DNSSEC tests

August go-live


AuDA has taken a tentative step towards the introduction of DNSSEC into the Australian domain space, signing the .au domain in its production environment as the first step in a four-month test.

DNSSEC has been possible for years, but has been held back by industry inertia. Under DNSSEC, a DNS (domain name system) record is signed, allowing resolvers to authenticate the relationship between domain name and IP address.

The glacial rollout has, however, gathered some small momentum in response to the increasing use of the DNS as an attack vector (for example, via redirections). Last year, Google began validating DNSSEC records in its public DNS resolvers.

The problem for the ordinary sysadmin is that DNSSEC is needed all the way up the chain, from their own site back to the root zone – meaning that AuDA's rollout is a vital step in the deployment of the protocol for .au sites.

AuDA explains that it has taken a cautious approach over the last 18 months because the protocol “introduces a new level of risk for registry operators. DNSSEC requires the inclusion of cryptographic keys in the DNS and at times frequent editing of a zone file. This level of interaction and the complexity of cryptographic keys increase the risk of error during a zone change or update. An error made to a signed zone can cause a zone to appear offline or bogus to validating resolvers”, the organisation writes.

Right now, the body says, the signed .au zone is experimental. Over the next four months, the group plans to use the signed domain to finish testing its own processes for supporting signed domains, including production load tests, testing signing events, and helping second-level domain owners add their own signed records into the .au zone.

The plan is that on August 28, AuDA will submit its record to IANA – and DNSSEC will be available for .au domain owners. ®
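The chain-of-trust point made above (a site's signatures only count once every parent zone, back to the root, vouches for its key; a mistake in a signed zone makes it bogus to validating resolvers) can be made concrete with a small model. The following is an added example, not AuDA's or IANA's code: it builds DS records and key tags as RFC 4034 specifies, using constructed stand-in bytes rather than real public keys, and walks a resolver's delegation chain for a hypothetical example.com.au through three constructed states of the .au zone: DS not yet submitted to the root, DS submitted and matching, and DS left stale after a key change. RRSIG verification is left out; only the DS-to-DNSKEY link each zone must have in its parent is modelled.

```python
import hashlib
import struct

# Added example modelling the DNSSEC chain of trust (root -> .au -> a
# second-level .au domain). Not AuDA's or IANA's code. DS digests and key
# tags follow RFC 4034 (section 5.1.4 and appendix B); the "public keys" are
# constructed bytes, not real key material, and RRSIG verification is left
# out: only the DS -> DNSKEY link each zone publishes in its parent is shown.

ALG_RSASHA256 = 8      # DNSKEY algorithm number (RFC 5702)
DS_DIGEST_SHA256 = 2   # DS digest type number (RFC 4509)
FLAGS_KSK = 257        # Zone Key (256) + Secure Entry Point (1) flags
PROTOCOL = 3           # DNSKEY protocol field is always 3


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name: 'au.' -> b'\\x02au\\x00'."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B, non-algorithm-1 form)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> dict:
    """DS a parent publishes for a child's key: SHA-256(owner wire name | DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": DS_DIGEST_SHA256, "digest": digest}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """Does this DS authenticate the DNSKEY the child actually serves?"""
    return ds == make_ds(owner, rdata)


def validate_chain(zones: dict, trust_anchor: dict, target: str) -> str:
    """Walk the delegation chain from the root to `target` like a validating resolver.
      secure   - every parent publishes a DS matching the child's DNSKEY;
      insecure - a parent publishes no DS for the child, so the chain ends early
                 (e.g. a TLD whose DS has not yet been submitted to IANA);
      bogus    - a DS exists but does not match the child's DNSKEY, so validating
                 resolvers refuse the zone's answers.
    `zones` maps a zone name to {"dnskey": rdata, "ds_for": {child_name: ds}}.
    """
    labels = target.rstrip(".").split(".")
    chain = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    if not ds_matches(trust_anchor, ".", zones["."]["dnskey"]):
        return "bogus"
    parent = "."
    for name in chain[1:]:
        if name not in zones:
            continue  # no zone cut here: the name lives inside the parent zone
        ds = zones[parent]["ds_for"].get(name)
        if ds is None:
            return "insecure"
        if not ds_matches(ds, name, zones[name]["dnskey"]):
            return "bogus"
        parent = name
    return "secure"


def run_scenarios() -> dict:
    """Three constructed states of the .au chain, classified for example.com.au."""
    # Constructed stand-ins for public keys (not real RSA key material).
    root_key = dnskey_rdata(FLAGS_KSK, ALG_RSASHA256, bytes(range(1, 65)))
    au_key_old = dnskey_rdata(FLAGS_KSK, ALG_RSASHA256, bytes(range(65, 129)))
    au_key_new = dnskey_rdata(FLAGS_KSK, ALG_RSASHA256, bytes(range(129, 193)))
    site_key = dnskey_rdata(FLAGS_KSK, ALG_RSASHA256, bytes(range(193, 256)))
    anchor = make_ds(".", root_key)  # the root trust anchor configured in resolvers

    def zones(root_ds_for: dict, au_key: bytes) -> dict:
        site_ds = make_ds("example.com.au.", site_key)
        return {
            ".": {"dnskey": root_key, "ds_for": root_ds_for},
            "au.": {"dnskey": au_key, "ds_for": {"example.com.au.": site_ds}},
            "example.com.au.": {"dnskey": site_key, "ds_for": {}},
        }

    target = "example.com.au."
    return {
        # .au signed in production but its DS not yet published in the root zone
        "before_ds_submission": validate_chain(zones({}, au_key_new), anchor, target),
        # DS submitted to IANA and matching the live .au key
        "after_ds_submission": validate_chain(
            zones({"au.": make_ds("au.", au_key_new)}, au_key_new), anchor, target),
        # .au changed keys but the root still publishes the DS for the old key
        "stale_ds_after_key_change": validate_chain(
            zones({"au.": make_ds("au.", au_key_old)}, au_key_new), anchor, target),
    }


if __name__ == "__main__":
    for scenario, status in run_scenarios().items():
        print(f"{scenario:28s} -> {status}")
```

The first scenario is the state the article describes for the test period: the .au zone is signed, but until its DS reaches the root zone a validating resolver simply treats .au and everything under it as unsigned. The third is the failure mode AuDA is cautious about: a signed zone whose published key no longer matches what the parent vouches for is not "unsigned" but "bogus", and validating resolvers drop its answers.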
