DNS & DNSSEC

There is more to .at than you may think: Every time you enter a domain name into the address bar of your browser, a request process begins. Within milliseconds the process takes you to your desired destination online. This is possible thanks to the domain name system (DNS).


DNS - Domain Name System

The Domain Name System (DNS) is vital for ensuring that websites can be reached and that e-mails find their way to the addressee. DNS translates names (domains) into IP addresses and vice versa. IP addresses identify computers on the internet. They consist of number strings separated by dots (e.g. 131.130.1.11). In technical terms, these IP addresses would be sufficient to address websites and send e-mails. However, IP addresses are not user-friendly, because they are hard to remember and do not contain any additional information. As a result, a name structure was introduced to simplify internet navigation: the Domain Name System (DNS).

The international organisation ICANN (Internet Corporation for Assigned Names and Numbers) is responsible for the root level of the DNS and coordinates the administration of the associated root name servers. Responsibility for administering the country-specific Top-Level Domains has been taken over by organisations established by the local internet communities. In Austria, this is nic.at.

DNSSEC - Domain Name System Security Extensions

DNSSEC stands for Domain Name System Security Extensions. These security extensions for the DNS guarantee both the authenticity and the data integrity of DNS transactions. In other words, by using DNSSEC you can be sure that you will reach the domain you actually want to reach. DNSSEC ensures that your domain queries are answered by the relevant server without being manipulated along the way. DNSSEC prevents so-called 'cache poisoning', which means forging DNS data and redirecting the user to manipulated websites.

DNSSEC is based on signing DNS entries with cryptographic keys. Each zone, from the root zone to the Top-Level Domain to the domain, has its own key pairs. Each key pair consists of a public and a private key: the zone is signed with the secret private key, and the public key is published in the zone itself for verification. In a chain of trust, the higher-level zone validates the zone below: the root zone validates the public key of .at, and the .at zone validates the public key of a .at domain. The public key of the root zone is configured in the recursive name servers, which guarantees the validation of the chain of trust.

Comprehensive signing on all levels is therefore essential. This is provided by ICANN (for the root zone) and nic.at (for .at), but full security is only guaranteed if the registrar signs all domains it administers. This is the only way to completely validate DNS information.

Who benefits from DNSSEC?

  • The Internet community benefits from better Internet security.
  • Registrars can offer new services to their customers.
  • Access providers provide unaltered domain queries to their customers.
  • Domain holders protect their domains from DNS attacks.
  • Institutions with online payment (e.g. banks, web-shops etc.) or sensitive data transactions can protect their customers from misuse and gain confidence in the world-wide web.

DNSSEC for .at

For .at domains, DNSSEC was made available to the public on 29/02/2012. In a preceding testing phase, registrars had the opportunity to test the system and gain experience. At the same time, nic.at performed comprehensive tests and took security precautions to prepare for the implementation, because other registries had repeatedly experienced problems during the launch of DNSSEC.

Nameserver configuration

In order to register a domain, nic.at requires at least two correctly configured name servers. The configuration is also checked during each subsequent modification of data. Errors in the name server configuration result in the rejection of domain applications. The check categories for name server checks are described under the heading automatic application check.

The most popular domain name server (DNS) software is BIND, which manages the DNS service within the network. As a rule, the latest BIND version should be installed (as for any software), because newer versions usually address security vulnerabilities and other problems. The latest version is available at: http://www.isc.org/downloads/BIND/