Sign Your DNS Zones

OUT OF DATE?

Here in the Vault, information is published in its final form and then not changed or updated. As a result, some content, specifically links to other pages and other references, may be out-of-date or no longer available.

By Pete Toscano, Network Operations Manager, ARIN

Security

Last month we signed ARIN’s forward DNS zone as part of our commitment to the Domain Name System Security Extensions (DNSSEC).  That means we completed the process that allows validating resolvers to verify that the arin.net data they receive from ARIN’s nameservers is what ARIN actually published, so users can have a higher degree of confidence that when they go to https://www.arin.net, or act on any other record under arin.net, the answer they resolved is the one ARIN intended and not a forged one.

We went through the process of signing ARIN’s forward DNS zones to do our part to contribute to a valuable and trustworthy Internet.  The process can be complex, but it’s worth it.

Why is signing your DNS important?

Every time you type in a web address made of letters, the Domain Name System, or DNS for short, translates it into the numeric IP address of a server.  Think of DNS as an inverted tree with many branches.  The root zone is at the top, and below it hang the other zones, with a chain of authority flowing from each parent to its children.  DNSSEC adds another layer of security to this tree: each zone signs its records with its own keys, each parent publishes a fingerprint (a DS record) of its child’s key, and a resolver can follow that chain from the root down to validate that a record came from the zone’s operator and was not altered in transit.

DNSSEC makes the name tree more reliable for the whole Internet.  Not only can resolvers validate the data they’re getting from nameservers for signed DNS zones, but users can have a higher degree of confidence that when they go to a web site under a signed domain they’re actually on the correct web site and not at an imposter’s phishing site reached through a forged or poisoned DNS answer.  Basically, DNSSEC validates that the information you received is what the zone’s owner published and was not changed along the way by a third party.  Note what it does not do: DNSSEC signs DNS data but does not encrypt it, and it vouches for the DNS answer, not for the web server or TLS certificate behind it.

Implementation Considerations

Make sure your domain name registrar supports DNSSEC.  In ARIN’s case, we needed to go through the process of changing registrars so we could employ this important functionality.  Changing registrars can be a slow process, so be sure to include that in your timeline.  If you want to find a registrar that supports DNSSEC, check out this [list of registrars compiled by ICANN that are DNSSEC friendly.](https://www.icann.org/resources/pages/deployment-2012-02-25-en)

Depending on how you manage DNS now, your workflow process may need to be reengineered to some degree, especially when it comes to reporting DS record changes or additions to your registrar: every time you roll your key-signing key (KSK), the parent zone needs a new DS record for it, and until that DS is published the old KSK must stay in the zone or validation fails.  This can be done manually, but you may want to consider automated signing solutions.  There are both software and hardware-based options.  Larger installations may want to consider a hardware solution (an HSM) for the DNS signing keys, but it comes down to your budget and tolerance for added complexity.  ISOC’s Deploy 360 has more information on deploying DNSSEC.  Once you are set up, you can use tools like Sandia National Laboratories’ DNSViz and Verisign Labs’ DNSSEC debugger to ensure you have DNSSEC set up correctly.
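The DS record you hand to your registrar is derived deterministically from your KSK’s DNSKEY record (RFC 4034: the key tag over the RDATA, and a hash of the owner name in wire form followed by the RDATA). The following is an added example, not ARIN’s code or tooling, showing how to compute that DS and, more usefully, how to check that the DS your registrar actually published matches the key in your zone. The sample record uses a constructed two-byte “key” and the made-up owner name `example.test.` so it runs offline; for a real zone you would paste the flags-257 record from `dig DNSKEY arin.net +noall +answer` (the tool and name are assumptions, not something the article shows).

```python
import base64
import hashlib
import struct

# Digest types from the IANA DS registry; 2 (SHA-256) is what you should publish today.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"  # the root zone itself
    out = b""
    for label in name.split("."):
        data = label.encode("ascii")
        if not 1 <= len(data) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(data)]) + data
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 s2.1): 2-octet flags, 1-octet protocol,
    1-octet algorithm, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1 (all algorithms except the obsolete RSA/MD5):
    sum the RDATA as 16-bit big-endian words, fold the carry, keep 16 bits."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr_text: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' as dig prints it.
    Trailing ';' comments and multi-line parentheses are tolerated."""
    fields = rr_text.split(";")[0].replace("(", " ").replace(")", " ").split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1 : idx + 4])
    key_b64 = "".join(fields[idx + 4 :])  # dig may wrap the key across whitespace
    return owner, flags, proto, alg, key_b64


def ds_from_dnskey(rr_text: str, digest_type: int = 2) -> str:
    """Build the DS RR text to give the registrar (RFC 4034 s5.1.4):
    digest = H(owner name in wire form || DNSKEY RDATA)."""
    owner, flags, proto, alg, key_b64 = parse_dnskey(rr_text)
    if not flags & 0x0001:
        raise ValueError("flags lack the SEP bit: publish a DS for the KSK (257), not a ZSK (256)")
    rdata = dnskey_rdata(flags, proto, alg, key_b64)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(dnskey_rr: str, ds_rr: str) -> bool:
    """Check that a DS RR (e.g. what the parent zone now serves) was derived from
    this DNSKEY: key tag, algorithm and digest must all agree."""
    fields = ds_rr.split(";")[0].split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1 : idx + 4])
    digest = "".join(fields[idx + 4 :]).upper()
    owner, flags, proto, key_alg, key_b64 = parse_dnskey(dnskey_rr)
    if alg != key_alg or dtype not in DIGEST_TYPES:
        return False
    rdata = dnskey_rdata(flags, proto, key_alg, key_b64)
    if tag != key_tag(rdata):
        return False
    expected = DIGEST_TYPES[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
    return expected == digest


if __name__ == "__main__":
    # Constructed sample (not a real key): a KSK record with a two-byte public key.
    sample = "example.test. 3600 IN DNSKEY 257 3 8 AQI="
    ds = ds_from_dnskey(sample)
    print(ds)                      # what you would submit to the registrar
    print(ds_matches(sample, ds))  # after publication, compare against `dig DS example.test.`
```

After a KSK rollover, run `ds_matches` with the DS your parent zone returns and the new key before you remove the old key: a mismatch here means the chain of trust from the parent to your zone will fail validation.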

We’re doing our part to make the Internet more secure, and you should too! We encourage all members of the Internet community to implement DNSSEC for their own forward and reverse zones to help secure the Domain Name System as the Internet continues to grow and evolve.
