DNSSEC ceremony: a step towards better security

Several experts from SWITCH and a representative from the Federal Office of Communications (OFCOM) recently generated the new DNSSEC signature keys. The annual key ceremony is an important part of making the Swiss internet more secure. Find out why.

Text: Séverine Jagmetti, published on 27.11.2017

The key ceremony doesn’t offer much in the way of over-the-top fanfare. Instead, it’s a businesslike gathering of SWITCH employees and a representative from OFCOM. The goal of the annual meeting is to generate new DNSSEC signature keys for .ch and .li domains.

The key signing key (KSK) is managed offline on a key management host (KMH). The zone signing keys (ZSKs), which are used to operate the DNS, are also generated offline, and each one is signed with the KSK for a limited period of time. This means that a ZSK is only valid for a limited time in the online system, which considerably reduces the risk posed by a compromised key. SWITCH replaces the KSK annually and the ZSK monthly. All keys for the following year are generated on the occasion of the key ceremony.

Publishing data securely on the DNS

DNSSEC is considered an extension of the DNS system and makes the internet more secure (as ‘SEC’ suggests). DNSSEC is needed because the DNS protocol was originally developed without security, making it vulnerable to manipulation. DNSSEC guarantees the authenticity and the integrity of the data from DNS responses. Cryptographic signatures are used to ensure that any manipulation of DNS responses does not go unnoticed, guaranteeing that data can be published securely on the DNS.
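The two-tier key arrangement from the ceremony (an offline KSK vouching for a short-lived ZSK) and the integrity check just described, modelled as an added example in Go that is not part of this article or of SWITCH's systems: a validating resolver holding only the KSK public key checks the ZSK's signature, then the record's, and rejects tampered data or a key outside its window. The dates, the record and the `|`-separated signed encoding are constructed for the example; real DNSSEC uses the RRSIG wire format.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Sig models an RRSIG: the signature bytes plus the validity window they cover.
type Sig struct{ Inception, Expiration time.Time; Bytes []byte }

// covered binds data to its window, as RRSIG does, so the window cannot be extended.
func covered(data []byte, inc, exp time.Time) []byte {
	return []byte(fmt.Sprintf("%d|%d|%s", inc.Unix(), exp.Unix(), data))
}

func sign(priv ed25519.PrivateKey, data []byte, inc time.Time, life time.Duration) Sig {
	exp := inc.Add(life)
	return Sig{inc, exp, ed25519.Sign(priv, covered(data, inc, exp))}
}

// verify rejects a signature outside its window before checking the bytes.
func verify(pub ed25519.PublicKey, data []byte, s Sig, now time.Time) error {
	if now.Before(s.Inception) || now.After(s.Expiration) {
		return fmt.Errorf("signature outside its validity window")
	}
	if !ed25519.Verify(pub, covered(data, s.Inception, s.Expiration), s.Bytes) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Validate walks the chain a resolver follows: the trust anchor (KSK public key) vouches for the ZSK, the ZSK for the record.
func Validate(anchor, zsk ed25519.PublicKey, zskSig Sig, rec []byte, recSig Sig, now time.Time) error {
	if err := verify(anchor, zsk, zskSig, now); err != nil {
		return fmt.Errorf("ZSK not trusted: %w", err)
	}
	return verify(zsk, rec, recSig, now)
}

func main() { // the ceremony: an offline KSK vouches for a one-month ZSK (constructed dates)
	kskPub, kskPriv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	zskPub, zskPriv, _ := ed25519.GenerateKey(nil)
	inc := time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC)
	zskSig := sign(kskPriv, zskPub, inc, 31*24*time.Hour)
	rec := []byte("www.example.ch. A 192.0.2.1") // constructed record
	recSig := sign(zskPriv, rec, inc, 14*24*time.Hour)
	fmt.Println("day 2:", Validate(kskPub, zskPub, zskSig, rec, recSig, inc.AddDate(0, 0, 1)))
	fmt.Println("day 41:", Validate(kskPub, zskPub, zskSig, rec, recSig, inc.AddDate(0, 0, 40)))
}
```

The second line of output shows the monthly rollover at work: once the ZSK's window has passed, the resolver refuses the whole chain even though the record signature itself still verifies.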

Virtually every transaction on the internet begins with a DNS request, whether it’s visiting a website, sending an email, instant messaging or online banking. DNSSEC prevents connections from being redirected to a dubious server via fraudulent DNS responses. The technology is also the basis for other security mechanisms. For example, DANE makes it possible to send encrypted emails to the correct destination server without involving a third party (a certificate authority). In combination with technologies such as Transport Layer Security (TLS), internet transactions are secured on multiple levels.

As a registry, SWITCH has been providing DNSSEC technology since 2010. At present, almost two percent of all .ch domain names are DNSSEC-signed. SWITCH has undertaken to convince as many internet users as possible of the benefits of DNSSEC and to motivate them to improve their internet security by using DNSSEC. To achieve this, the foundation is working actively with registrars, DNS hosting companies and internet service providers. Together, they are seeking ways to promote the widespread adoption of this technology.

SWITCH-CERT on all fronts

To guarantee the best possible security for .ch domains, the professional operation of the DNS (including the promotion of DNSSEC) is essential. SWITCH-CERT is made up of 15 security experts with different specialisations and offers a lot more in the realm of internet security: for instance, it combats malware, phishing and e-commerce crime. All its efforts aim to uphold the status of .ch as one of Europe’s most secure top-level domains (TLDs).

What do I need to do to use DNSSEC?

No action is required on your part as an internet user. If your internet provider supports DNSSEC, the signatures are always verified on the provider’s DNS servers.

If you are the domain owner and would like to protect your domain name with DNSSEC, you can select a registrar or hosting company that will sign your domain name with DNSSEC. Some .ch registrars let you do this with just a single click.

