
The Mailbox That Saved DNSSEC

Torbjörn Eklöv

[Image: Ulf Bergkvist's mailbox]

A very long time ago, back in the ancient time of year 2006, the registry for .se domains, also called .SE (http://www.iis.se), opened up for signing .se zones with DNSSEC. In those days .SE did not have a registrar/registry model and my own company Interlan was then an agent for .SE.

One day I suddenly got a mail from .SE regarding secure DNS — DNSSEC. This new solution really grabbed my attention. Since I had previously worked with Secure Enduser Connection (or SEC), I almost immediately saw the benefits that such a solution could give to a better and more secure Internet. In my work with SEC I had seen the problems caused by DNS-spoofing and that DNSSEC could now very well be the solution that got rid of that issue in the future. Naturally I started to dig and seek further information about DNSSEC...

I am a "native" BIND user and found that the Zone Key Tool / ZKT (http://www.hznet.de/dns/zkt/) from Holger Zuleger was a quick and easy way to start with DNSSEC. This tool is actually something that I still use today to sign and manage DNSSEC.

Back in 2006, as well as today, I lived in the city of Gävle and not far away from Ulf Bergkvist, then the IT Operations Manager at the municipality of Gävle. Myself and my company have now worked alongside each other for more or less 20 years and since we are more or less neighbors we often run into each other at his (physical) mailbox. By this mailbox we share some comments about the weather, the latest news, the price of milk and naturally also our work.

So sometime in May 2007, in the very early part of the Swedish summer, I shared some comments with Ulf about how we both should cut the grass on our lawn, but also some talk about my newfound discovery — DNSSEC. An idea came into my head: what if the city of Gävle was the first municipality to sign their DNS zone with DNSSEC? If so, our hometown and municipality could reach enormous respect and be famous worldwide for their visionary thoughts. ...well, at least to some extent and in some areas of expertise :)

[Image: The .SE Press Release (in Swedish)]

I told Ulf my idea, right there by his mailbox, and he thought why not!

So, did Gävle then get its 15 minutes of fame and glory that we had hoped for? Well, it was the first one out and they got famous, but sadly not quite in the way that we expected…

From the discussion by Ulf’s mailbox, I went on and in September 2007 started to sign the domain gavle.se. By then the nearby municipality of Ockelbo had also gotten on the train.

Everything looked good so far. I worked closely with the staff at .SE, who monitored the process and were quite excited about the project. I should also add that during the summer I had signed my own company, interlan.se, with DNSSEC.

After the first day of work we were all quite pleased with ourselves and all relaxed and calm. But this feeling was about to change.

A few days later, again right by his mailbox, I met with Ulf Bergkvist. The grass on our lawns was still high but Ulf also told me that their support had noticed some cases where the user couldn’t reach the gavle.se domain from their home Internet access. We just shook our heads, still a bit overconfident about our success, and decided to tell them to do the standard “troubleshooting 1A” and reboot everything at home.

Unfortunately the “troubleshooting 1A” didn’t do the trick and the following day even more support cases with the same problem were noticed. I then turned to my fellow mates at .SE. Together with the staff at .SE and Jakob Schlyter from Kirei I formed a taskforce and we started off into the wilderness to find a solution. After we had done some “sniffing” at the homes of some of the users with the problem, we realized that if the ISP’s resolver had the latest BIND and also was the one validating DNSSEC, it sometimes didn’t work. After some more troubleshooting we found that the problem was that BIND returned the AD flag if the zone was signed, even if the client didn’t ask for it with the DO flag. We could also see that some of the routers that the users had in their homes accepted the AD flag, and some didn’t.
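Added example, not part of the original post or of any tool it mentions: a small Python check for the condition described above, a response carrying the AD flag for a query that did not set the DO bit. The function names, the sample query for gavle.se and the response bytes are constructed for illustration.

```python
import struct

AD = 0x0020      # Authenticated Data bit in the DNS header flags word
DO = 0x8000      # DNSSEC OK bit inside the EDNS0 OPT record's TTL field
TYPE_OPT = 41    # EDNS0 pseudo-record type

def build_query(name, qid, dnssec_ok):
    """Build an A query; append an EDNS0 OPT record with DO set if dnssec_ok."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    if dnssec_ok:
        # root owner name, TYPE=OPT, CLASS=UDP payload size, TTL carries DO, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer is two bytes
            return off + 2
        off += 1 + length

def query_sets_do(query):
    """True if the query carries an OPT record with the DO bit set."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4        # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and ttl & DO:
            return True
    return False

def unsolicited_ad(query, response):
    """True if the response has AD set although the query did not set DO."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & AD) and not query_sets_do(query)

def constructed_response(query, ad):
    """Constructed sample reply: echo the query with QR/RD/RA (and AD) set."""
    flags = 0x8180 | (AD if ad else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]
```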

Once we had spotted and found the source of the problem, ISC quickly made a patch to fix this and the large ISPs in Sweden also installed the patch rapidly. Two weeks later the domain gavle.se was re-signed.

Against this background .SE also launched a service to check the DNSSEC capability of routers (see: DNSSEC - Tests of Consumer Broadband Routers [PDF]).

So meeting points, such as your neighbor’s mailbox, and the small talk that occurs thereby, can lead to quite extensive activities and can have input on a large number of people. To put this into a somewhat greater scale, I have later been told that a very large Swedish bank was about to sign their domain, but upon our new learning and input pushed their project ahead. What if the bank had been the first one out and if a million people suddenly weren’t able to pay their bills?

Well, my guess is that DNSSEC would then have had an even steeper hill to climb in the reach of its success.

I therefore send my thanks to Ulf’s mailbox! :)

By Torbjörn Eklöv, CTO, Senior Network Architect, DNSSEC/IPv6
