2010.02.11
Workshop DNSSEC
We apologise, but this news item isn't available in the English version. If you want to read it anyway, you can use a translation tool.
More information (in Portuguese only) at Jornadas RCTS.
2010.01.07
FCCN makes .PT more secure and is among the first ccTLDs in the world to use DNSSEC:
At the very beginning of 2010, the FCCN (Foundation for National Scientific Computing), the entity that manages the DNS system for assigning domain names on the Internet under .PT, signed the .PT top-level domain using the DNSSEC standard, adding Portugal to the small group of countries that have adopted this standard for their top-level domains. The DNSSEC standard consists of security extensions to the DNS protocol, introducing security mechanisms that enable a number of the main problems in this area to be resolved.
More information at http://www.dns.pt.
2010.01.06
.PT Signed with DNSSEC:
At the beginning of 2010, the FCCN signed the .PT ccTLD with DNSSEC, and we would therefore like to inform all those whose domains are delegated under .PT about the possible impacts and potential consequences of this signing. DNSSEC consists of a series of security extensions to the DNS protocol which now enable data in a DNS zone to carry a digital signature, enabling the end client to authenticate this data and its origin.
The consequence of the .PT signing:
When the DNS protocol (RFC 1035) was designed, it was assumed that requests for large data packets would be very rare, and the maximum size of DNS messages was presumed to be 512 bytes.
One of the most visible changes that DNSSEC introduces is that DNS responses are larger. Each resource record set (RRset) has a digital signature (RRSIG) associated with it. In the majority of cases the DNS responses will be greater than 512 bytes. To address this problem, a working group from the IETF developed the EDNS0 extensions, which enable a client to make larger DNS requests and servers to send larger responses, up to 4096 bytes. In principle, EDNS0 would be the solution to the increase in DNS traffic, as almost all responses fit within 4096 bytes, and DNSSEC would operate without any problem.
In practice, however, the larger DNS packets are perhaps not being correctly processed across the Internet. Some firewalls and other devices reject DNS packets that are over 512 bytes. In other cases, the packets are fragmented along the way by routers and the destination cannot reassemble the fragments, which are then rejected. DNS clients then have to repeat the request using smaller sizes until they obtain a response, or else force the request over TCP.
It is important that all administrators of networks, name servers and resolvers, drawing on their knowledge of their infrastructure, determine the obstacles they may face following the signing of .PT with DNSSEC, and consequently of the domains under .PT that have already begun to adopt it, as well as the root signing, which is scheduled for 2010, and that of the other TLDs.
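The retry behaviour described above can be reproduced offline. The following is an added example, not FCCN code: it builds a query carrying an EDNS0 OPT record and walks the fallback ladder (4096 bytes, then 512 bytes, then TCP). The simulated server, the filtering path and the 1500-byte answer are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype, udp_size, txid=0x1234):
    """DNS query with an EDNS0 OPT pseudo-record (RFC 6891) and the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root owner, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = ext-rcode/version/flags (0x8000 = DO), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt

def advertised_size(query):
    """Read the UDP payload size from the trailing OPT record of build_query()."""
    return struct.unpack("!H", query[-8:-6])[0]

def resolve_with_fallback(name, qtype, send_udp, send_tcp, sizes=(4096, 512)):
    """Try UDP at each advertised size, then TCP. Returns (transport, size, response)."""
    for size in sizes:
        resp = send_udp(build_query(name, qtype, size))
        if resp is None:            # timeout: packet dropped or fragments lost
            continue
        if struct.unpack("!H", resp[2:4])[0] & 0x0200:  # TC bit: answer was truncated
            break
        return ("udp", size, resp)
    return ("tcp", None, send_tcp(build_query(name, qtype, sizes[0])))

# Constructed simulation: a 1500-byte signed answer, and a path that drops UDP > 512 bytes.
ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + b"\x00" * 1488

def server(query):
    """Send the full answer if it fits the advertised size, else a header with TC set."""
    if advertised_size(query) >= len(ANSWER):
        return ANSWER
    return struct.pack("!HHHHHH", 0x1234, 0x8380, 0, 0, 0, 0)

def filtering_path(query):
    """Middlebox that silently drops any UDP DNS response larger than 512 bytes."""
    resp = server(query)
    return None if len(resp) > 512 else resp

if __name__ == "__main__":  # 48 = DNSKEY, a typically large signed answer
    print(resolve_with_fallback("pt.", 48, filtering_path, lambda q: ANSWER)[:2])
    print(resolve_with_fallback("pt.", 48, server, lambda q: ANSWER)[:2])
```

On the filtered path the 4096-byte attempt times out and the 512-byte attempt comes back truncated, so the answer only arrives over TCP; a resolver whose firewall also blocks TCP port 53 would get nothing at all.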
For domains that are already signed or in the transitional stage:
As the DNS is a simple and fundamental protocol, it must be properly configured in order to operate correctly, and so it is good practice to have more than one name server holding the information for a given zone. If the zone is signed with DNSSEC, the technical contact should make sure that all of its name servers are DNSSEC compatible, so that when queried they all supply the same DNS information.
When a DNS zone is signed, its digital signatures have an expiry date, which by default can be one month, or else is set by the administrator when the zone is signed. The important thing when managing signed DNS zones is that maintenance to revalidate the zone signing is carried out, whether manually or automatically: before the expiry date of the signatures (RRSIG) is reached, the zone signing must be revalidated by re-signing the zone. If not, when DNS information is requested securely from a domain whose signatures have expired, the result will be a lack of response, as if the domain no longer existed.
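One way to monitor the re-signing deadline described above, as an added example that is not FCCN tooling: it parses RRSIG records in presentation format and flags signatures that have expired or are close to expiring. The zone example.pt, the key tag, the signature text and the 7-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def _ts(s):
    """RFC 4034 timestamps: YYYYMMDDHHmmSS (14 digits) or seconds since the epoch."""
    if len(s) == 14:
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(s), tz=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG record in presentation format, as printed by zone tools."""
    f = line.split()
    i = f.index("RRSIG")
    covered, _alg, _labels, _ttl, exp, inc, keytag, signer = f[i + 1:i + 9]
    return {"owner": f[0], "covered": covered, "keytag": int(keytag),
            "signer": signer, "inception": _ts(inc), "expiration": _ts(exp)}

def check_signatures(zone_text, now, warn=timedelta(days=7)):
    """Return (owner, covered, status, days_left) for every RRSIG in zone_text."""
    report = []
    for line in zone_text.splitlines():
        if line.startswith(";") or "RRSIG" not in line.split():
            continue
        sig = parse_rrsig(line)
        left = sig["expiration"] - now
        if now < sig["inception"]:
            status = "NOT-YET-VALID"
        elif left <= timedelta(0):
            status = "EXPIRED"          # validating resolvers stop returning this data
        elif left <= warn:
            status = "RESIGN-SOON"
        else:
            status = "OK"
        report.append((sig["owner"], sig["covered"], status, left.days))
    return report

# Constructed sample (example.pt, key tag 12345 and the signature text are placeholders).
ZONE = """\
example.pt.      3600 IN RRSIG SOA 5 2 3600 20100206000000 20100107000000 12345 example.pt. c2lnbmF0dXJl
www.example.pt.  3600 IN A     192.0.2.10
www.example.pt.  3600 IN RRSIG A   5 3 3600 20100123000000 20091224000000 12345 example.pt. c2lnbmF0dXJl
mail.example.pt. 3600 IN RRSIG A   5 3 3600 20100115000000 20091216000000 12345 example.pt. c2lnbmF0dXJl
"""

if __name__ == "__main__":
    for row in check_signatures(ZONE, datetime(2010, 1, 20, tzinfo=timezone.utc)):
        print(*row)
```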
2009.11.12
1st Workshop of National Network of CSIRTs:
As part of the 1st Workshop of the National CSIRTs, organized by CERT.PT and held at the LNEC facilities, several presentations were made, including one on DNSSEC in .PT.
The presentation is available here; the document Porquê DNSSEC? (Why DNSSEC?) was also handed out. Both are in Portuguese.
2009.10.04 and 2009.10.06
21st CENTR Technical Workshop and RIPE 59 in Lisbon:
Last week two important conferences were held in Lisbon, where the most recent technological developments on the Internet were debated at an international level. The 21st CENTR Technical Workshop took place on the 4th of October at the SanaMalhoa Hotel, and RIPE 59 took place from the 5th to the 9th of October at the Hotel Corinthia. FCCN was present, contributing several presentations, particularly on the latest developments in the DNSSEC .pt project.
You can see the presentation here or at http://www.dns.pt.
Older news was not published in the English version.
Sorry!!!
If you want to read it, you can use Google translation.