SWITCH is regularly assessing parts of the registry infrastructure in technical audits. The goal of these audits is to find operational or software vulnerabilities before attackers do. For 2013 we wanted to audit the DNS/DNSSEC related aspects of the registry and DNS name server service operation. The introduction of DNSSEC for the ch. and li. zones in early 2010 brought a lot of changes to our DNS management software, the registry application and to the registrar interface. Naturally, most changes occurred in the DNS management software, which is responsible for properly signing the zones and rolling the keys.
In 2009, when we started the DNSSEC project internally, mature support for DNSSEC was close to inexistent, so we ended up writing our own scripts and tools around ISC BIND. In the mean time BIND added support for inline-signing and OpenDNSSEC matured a lot, just to name a few examples. If you are on the verge of signing your zone, I suggest you look at already existing solutions first. I don’t think that today there is still a need to develop your own script and tools. However, ours have been in production since then. So we felt, it was high time to get an independent view on our implementation.
We were pleased that NLnet Labs, a not-for-profit Research and Development foundation based in the Netherlands agreed on doing the assessment. NLnet Labs has in-depth expertise on protocol, operation, architecture, and implementation of the DNS in general and DNSSEC specifically. NLnet Labs developed a DNSSEC Infrastructure Audit Framework that can be used to conduct a review or audit of the DNSSEC related aspects of a registry and authoritative DNS name server service operation. SWITCH was basically collaborating with NLnet Labs for the trial audit and so helped and improved the audit framework, which is publicly available under a creative commons license. I recommend interested readers to have a brief look at the document (PDF) to get an idea of the scope and may be verify a few controls in their own environment.
The audit did not produce any big surprises, but a few minor issues were found, that need to be addressed in due time. Given that DNSSEC validation is still rare in Switzerland (current measurements by Geoff Huston estimate about 5% of the Internet users in Switzerland use a validating resolver) our operational model fits the bill. However, as DNSSEC becomes more prevalent some improvements can be made.
Techies usually don’t like audits, too much paper work etc. But in retrospect going through this assessment was well worth the effort. Discussing our set up with the top experts from NLnet Labs was enlightening and exciting. It showed that we are on the right track and identified a few weak points, which we will address.
DNSSEC is a lot about trust and transparency. Hopefully this post will strengthen the trust in the .ch/.li DNSSEC implementation, and encourage more domain owners and cache operators to invest into it.