
First gTLD Signed: Dot Gov

Today is a historic day as the first generic Top-Level Domain (gTLD) has been signed. Only a few other top-level domains, all of which are country code Top-Level Domains (ccTLDs), have been signed to date. This step belongs to the first phase of adoption: authoritative DNS servers sign and publish their zones. The second phase is for resolvers on the Internet to validate those signatures against the published keys. Only with both in place does DNSSEC provide security in the DNS.

We have a test bed set up that you can try at and as part of our commitment to seeing DNSSEC implemented.

To take a look, run the query below against our validating resolver and notice the "ad" bit in the flags section. It stands for authenticated data, and a resolver sets it only after it has validated the answer.

dig @recursive.dyn-dnssec.com gov. +dnssec

; <<>> DiG 9.3.4-P1.1 <<>> @recursive.dyn-dnssec.com gov. +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22568
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnsops.gov.  IN A

;; AUTHORITY SECTION:
dnsops.gov.  3491 IN SOA snip1.dnsops.gov. admin.dnsops.gov. 20081121 43200 43200 1209600 3600
dnsops.gov.  3491 IN RRSIG SOA 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. Rx7i6V7Q0hEGxmkGtwfqXKROuL4cR/7QaPjrYUuOgqPREysRfS2Sbuw5 MIKDFUpviB0w3cLyeUiDsH9rCzL14atqpeU47LMhmeaUYv6Jyr8bk7YE HoVQYwnF5/LpOrBjbKDDeLPV4hOIc+miyz8aXpobWnYhXjs/cAZ7TV8W Gt0=
dnsops.gov.  3491 IN RRSIG NSEC 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. gv9ce1tAOEjFqoYRI0muEuMKcuwCaE3htGcKLDo4adMub+5Bgt7on6Fp JIdM5QD4p8j4cl++uZn+Q1ky5iOTQZY+Od2kplzoDZ2RiNgORpfJtUq9 F7dR3pf/1MYraAa5lpQ3lmhNDWtqUe7F1V2w+bnjxMdJ0t0wC7iMSVvE A24=
dnsops.gov.  3491 IN NSEC antd.dnsops.gov. NS SOA MX RRSIG NSEC DNSKEY

For those who want to add the key to their resolver, add the following trusted-keys statement to named.conf (together with dnssec-enable yes; and dnssec-validation yes; in the options block):

trusted-keys {
"gov." 257 3 7 "AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm
K7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRdHTQyghWWbhzAZpnlZ16imXB4
yFZjdbV2iM66KcgsESQMPEcIayDQJh6JEi1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDF
dmsSwChRMcORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7rf08l3QlgHEuxclT
TdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcUCeVm4Hf2aM8=";
};

The only concern right now is that the key is published only at the apex of their zone. Right now there is no secure out-of-band channel to get it from (I pulled it from an email from someone who got it from the zone data). This becomes a huge operational challenge as more TLDs become DNSSEC enabled.

By Jeremy Hitchcock, DNS and networking engineer, CEO at Dyn Inc


Comments

operational challenge partially solved By Carl Byington  –  Feb 04, 2009 10:14 pm PDT

The DNS operational challenge of getting a LOT of DNS servers to trust your key has been partially solved by the ISC DLV registry. You can just add

dnssec-lookaside . trust-anchor dlv.isc.org.;

to your named.conf configuration, together with the appropriate trusted-keys for their registry. That gives you one single trust anchor to maintain, and pushes the job of out-of-band secure verification onto ISC, so every individual DNS administrator does not need to do it.

Please get this .gov key added to the ISC dlv tree.

Still in test mode .... but coming along nicely By Doug Montgomery  –  Feb 05, 2009 2:15 pm PDT

Check below for status of DNSSEC at .gov
https://www.dotgov.gov/dnssecinfo.aspx

Still in test mode at the moment, but coming along nicely. dnsops.gov. is the domain used for the SNIP (www.dnsops.gov) and is being used in testing the .gov. rollout.

dougm

check a web site and go to jail? By Carl Byington  –  Feb 05, 2009 6:11 pm PDT

Well, I might be curious about the status of DNSSEC in .gov, but not at the cost of going past the following text: 

Warning! Use of this site is restricted!

This computer system is for the use of the United States Government. Unauthorized access, or access which exceeds authorized access is punishable under 18 USC 1030.

Let us know how that works out for you.

The facts .... By Doug Montgomery  –  Feb 05, 2009 7:24 pm PDT

I noticed that too and am trying to get it fixed. Status page got put behind the login interface for secure delegations (not really ... if you click past this it still shows the status).

Anyway, for those scared off by the warnings ... here is what it says:

***************NOTICE***************

The DotGov is in the process of testing DNSSEC technologies and deployment scenarios for the .gov TLD.

As part of this testing you may notice DNSSEC resource records appearing in the TLD periodically. For the time being, such records should be considered as experimental and these test DNSSEC services are subject to fluctuation and change without further warning. In particular, we recommend not using this experimental service as the basis for validation on production resolvers.

Once testing is completed we will make the official production DNSSEC service declaration announcement on this site. Testing is expected to continue through February.

If your agency wishes to participate in the DNSSEC testing please contact the DotGov help desk. Please address the subject line as DNSSEC TESTING and we will contact you with information.

*************************************

What about .museum ? By Patrick Vande Walle  –  Feb 06, 2009 3:28 am PDT

I do not wish to minimize the efforts of the US General Services Administration to deploy DNSSEC, but I would note that the first sponsored gTLD to be signed was actually .museum. See Musedoma's request to ICANN, and its subsequent approval of a limited testing.

PIR has also taken steps in that direction, which were approved by the ICANN board, but no such request from .GOV has yet been submitted, to my knowledge.

Correct By Eric Brunner-Williams  –  Feb 07, 2009 6:49 am PDT

Thank you Patrick. If we were second, or third, we'd still be quite pleased that .museum is signed, and Carl's comment upthread is spot on.

See you in Mexico.

For the general CircleID reader, I'm the CTO of CORE, which operates the .museum registry back-end, and which signed this zone. Next up for us is signing .cat.

I hope CircleID will fix the misleading title of this article By Stephane Bortzmeyer  –  Feb 09, 2009 6:46 am PDT

But I'm not optimistic :-(

I'm hoping that PIR is going to By Jeremy Hitchcock  –  Feb 07, 2009 3:00 pm PDT

I'm hoping that PIR is going to be submitting pretty soon, sounds like they are getting close. Eric, what's the best way to receive museum's key? Looks like it's in DLV but do you distribute it elsewhere?

TLD operators can and should submit keys to both IANA's ITAR at https://itar.iana.org/ and ISC's DLV Registry.

.MUSEUM not in DLV By Stephane Bortzmeyer  –  Feb 09, 2009 6:45 am PDT

Sorry but, unlike you, I see no .MUSEUM in the ISC DLV registry.

Ah, the key is just in OARC's By Jeremy Hitchcock  –  Feb 09, 2009 6:51 am PDT

Ah, the key is just in OARC's open resolver and I thought it was because they had uploaded the key. I see the page https://www.dns-oarc.net/oarc/services/odvr now which lists that the key is not verified. Sorry for the confusion.
