Several experts from SWITCH and a representative from the Federal Office of Communications (OFCOM) recently generated the new DNSSEC signature keys. The annual key ceremony is an important part of making the Swiss internet more secure. Find out why.
The key ceremony doesn’t offer much in the way of over-the-top fanfare. Instead, it’s a businesslike gathering of SWITCH employees and a representative from OFCOM. The goal of the annual meeting is to generate new DNSSEC signature keys for .ch and .li domains.
The key signing key (KSK) is managed offline on a key management host (KMH). The zone signing keys (ZSKs) used to operate the DNS are also generated offline, and each is signed with the KSK for a limited period of time. This means that the ZSKs are only valid for a limited time in the online system, which considerably reduces the risk of a key becoming compromised. SWITCH replaces the KSK annually and a ZSK monthly. All keys for the following year are generated at the key ceremony.
DNSSEC is an extension of the DNS and, as ‘SEC’ suggests, makes the internet more secure. It is needed because the DNS protocol was originally developed without security, making it vulnerable to manipulation. DNSSEC guarantees the authenticity and integrity of the data in DNS responses. Cryptographic signatures ensure that any manipulation of DNS responses does not go unnoticed, so that data can be published securely in the DNS.
Virtually every transaction on the internet begins with a DNS request, whether it’s visiting a website, sending an email, instant messaging, or online banking. DNSSEC prevents connections from being redirected to a dubious server via fraudulent DNS responses. The technology is also the basis for other security mechanisms. For example, DANE makes it possible to send encrypted emails to the correct destination server without involving a third party (certificate authority). In combination with technologies such as Transport Layer Security (TLS), internet transactions are secured on multiple levels.
As a registry, SWITCH has been providing DNSSEC technology since 2010. At present, almost two percent of all .ch domain names are DNSSEC-signed. SWITCH has undertaken to convince as many internet users as possible of the benefits of DNSSEC and to motivate them to improve their internet security by using DNSSEC. To achieve this, the foundation is working actively with registrars, DNS hosting companies and internet service providers. Together, they are seeking ways to promote the widespread adoption of this technology.
To guarantee the best possible security for .ch domains, the professional operation of DNS (including the promotion of DNSSEC) is essential. SWITCH-CERT is made up of 15 security experts with different specialisations and offers a lot more in the realm of internet security: for instance, it combats malware, phishing and e-commerce crime. All its efforts aim to uphold the status of .ch as one of Europe’s most secure top-level domains (TLDs).