
DNSSEC is coming – Are you ready?

The demand for DNSSEC is growing and by 2015 .SE Registry is planning to have the entire zone signed. Is your platform ready to embrace DNSSEC? Atomia is.

In this blog post we will give you a short introduction to DNSSEC, explaining why it is important and how it works in Atomia.

Background to DNSSEC

One of the essential elements that allowed the internet to evolve into its current state is the Domain Name System (DNS). It is used in almost every interaction that uses names as identifiers: web browsing, e-mail and spam filtering, to name a few. DNS was designed to be fast, not secure, and one of its fundamental architectural components, the caching nameserver, opens the door to tampering with DNS data during lookups (DNS spoofing and DNS cache poisoning).

Some noteworthy domain names that have been subject to attacks:

  • CitiCards.com
  • AmericanExpress.com
  • FedEx.com
  • DHL-USA.com
  • Sabre.com

This issue has been known for many years, and about ten years ago the Domain Name System Security Extensions (DNSSEC) were first introduced.

DNSSEC is designed to deal with this and other DNS vulnerabilities. Its major objective is to validate the authenticity and integrity of DNS messages in a way that tampering with the DNS information anywhere in the chain will be detected.

The biggest drawback of DNSSEC is that, because of its distributed nature, it has to be deployed by a significant number of DNS data providers before it becomes relevant. A big leap forward for DNSSEC was taken in July 2010 when ICANN signed the root zone.

One of the registries that has been pushing DNSSEC is .SE (the registry for the Swedish TLD); their stated goal is to have the entire zone signed by 2015.

For registrars/domain resellers this means that they have to become DNSSEC ready sooner rather than later. Signing and renewing zones and reloading the DNS should be fully automated and there should not be a “project” to add support for new TLDs.

This is where Atomia can help: our platform supports full DNSSEC automation out of the box and lets you focus on selling hosting plans instead of running integration projects.

How it works in Atomia

With Atomia you will get DNSSEC support out of the box, but for this blog post we will give you the details on what is happening in the background and what components are affected.

Atomia Automation Server

HostedDNSSEC must be set to 1 in the Automation Server Configuration file. This is the default setting.

Atomia DNS

Atomia DNS will generate the needed DNSSEC keys and sync them together with unsigned zone data in PowerDNS. This can be carried out automatically during installation or manually afterwards by running the following commands:

atomiadnsclient --method AddDNSSECKey --arg RSASHA256 --arg 2048 --arg KSK --arg 1
atomiadnsclient --method AddDNSSECKey --arg RSASHA256 --arg 1024 --arg ZSK --arg 0
atomiadnsclient --method AddDNSSECKey --arg RSASHA256 --arg 1024 --arg ZSK --arg 1

PowerDNS

Atomia has chosen to integrate with PowerDNS as name server software for DNSSEC.
PowerDNS will sign domain names dynamically and automatically make sure the signatures are always up to date.

Atomia Domain Registration

Atomia Domain Registration will know what key to publish to the TLD zone. The support for DNSSEC will be configured during installation but can also be configured manually afterwards with the following configuration:

hosted_dnssec_default = 1
hosted_dnssec_delegation_filter ns1.someprovider.com
hosted_dnssec_delegation_filter ns2.someprovider.com

To add DNSSEC support for a new TLD you simply need to turn the switch on:

supports_dnssec = 1
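
What "the key to publish to the TLD zone" amounts to: the parent zone carries a DS record, a digest of the child zone's KSK. The following is an added example, not Atomia's code; it derives the key tag and SHA-256 DS digest as specified in RFC 4034, and the zone name example.se. and the key bytes are constructed placeholders.

```python
import hashlib
import struct

KSK_FLAGS = 257      # Zone Key bit (256) + Secure Entry Point bit (1)
PROTOCOL = 3         # fixed value in every DNSKEY record
ALG_RSASHA256 = 8    # IANA algorithm number for RSASHA256
DIGEST_SHA256 = 2    # IANA DS digest type for SHA-256


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA wire format: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum with the carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(zone, flags, algorithm, public_key):
    """Return the DS record line the parent (TLD) zone would publish."""
    # Policy of this example: in a KSK/ZSK split only the KSK is delegated.
    if not flags & 0x0001:
        raise ValueError("key lacks the SEP bit; publish the KSK, not a ZSK")
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return f"{zone} IN DS {key_tag(rdata)} {algorithm} {DIGEST_SHA256} {digest}"


if __name__ == "__main__":
    # Constructed stand-in for a 2048-bit RSA key in RFC 3110 layout:
    # exponent length, exponent 65537, then 256 filler bytes as the modulus.
    fake_key = b"\x03\x01\x00\x01" + bytes((i * 7 + 1) % 256 for i in range(256))
    print(ds_record("example.se.", KSK_FLAGS, ALG_RSASHA256, fake_key))
```

Comparing this output with the DS record actually served by the TLD is a quick way to confirm that the key published at the registry matches the KSK the name servers are signing with.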

The bottom line is that once Atomia Cloud Hosting Platform is installed you have everything you need to start selling secure DNS services. Not all registries/registrars have support for DNSSEC today, but it is just a matter of time. Today, there are 85 signed TLDs (out of 310) and the number is growing.

More about DNSSEC:
http://en.wikipedia.org/wiki/DNSSEC
