DNSSEC signing your domain with BIND 9.16

Update December 2022: added “inline-signing yes;” to the zone statement as BIND 9.16.33, 9.18.7 and newer requires an explicit statement for zones without a configured ‘allow-update’ or ‘update-policy’ (see KB). BIND 9.16 has improved DNSSEC support to the point where it can (finally) be called simple to use. This is excellent news for DNS administrators … Continue reading “DNSSEC signing your domain with BIND 9.16”

100’000 .ch domain names are secured with DNSSEC!

Imagine you want to visit your online banking website «www.example-bank.ch». Now, instead of getting the correct IP address your computer gets manipulated information and connects you to a website that is owned by a criminal. You wouldn’t notice but disclose your online banking credentials to the attacker. Luckily, DNSSEC is here to help. The extension … Continue reading “100’000 .ch domain names are secured with DNSSEC!”

DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System

Attacks on the DNS System Cyber attacks on the DNS system are not new. Cache poisoning, Domain Hijacking and BGP injections of routes to public DNS resolvers happen regularly, but they usually don’t get much attention as they target the Internet’s core infrastructure and are not directly visible to end users in most cases. This … Continue reading “DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System”

Additional DNSSEC Training with PowerDNS on May 7 and 8

We announced 3 one day DNS trainings in the end of February and all three trainings where fully booked within 24 hours. We are happy to see so much demand for DNSSEC in Switzerland. We managed to add two more dates for the DNSSEC training together with PowerDNS The training will be given at the … Continue reading “Additional DNSSEC Training with PowerDNS on May 7 and 8”

DNSSEC training with PowerDNS in Switzerland

SWITCH is organising a one day DNSSEC training together with PowerDNS The training will be given at the following dates: 9.4. Zurich, SWITCH 10.4. Bern, Uni 11.4. Carouge HESGE The one day training will give you an introduction into DNSSEC and show you how to sign DNS zones on an autoritative DNS server. We will … Continue reading “DNSSEC training with PowerDNS in Switzerland”

11th October 2017, DNSSEC key rollover of the root zone, be ready the key is here!

On the 27th September, ICANN announced the postponement for the KSK rollover. More information can be found here. written by Yves Bovard No, this is not a kind of secret message nor a new ice-cream. On 11th October 2017 the root zone will be signed with a new key. Ladies and gentlemen, update your DNS … Continue reading “11th October 2017, DNSSEC key rollover of the root zone, be ready the key is here!”

DNSSEC Signing for .ch and .li on the Rise

The share of DNSSEC signed domain names in .ch and .li reached 1% for the first time in June 2017. While this is still a very low number compared to other ccTLDs, the number of DNSSEC signed domain names is increasing at a high rate for the last two quarters. DNSSEC The Domain Name System … Continue reading “DNSSEC Signing for .ch and .li on the Rise”

DNSSEC signing your domain with BIND inline signing

Update Dez 2020: We made an update for users with BIND 9.16. Update Nov 2017: DNSSEC zone signing as described here is outdated. We strongly recommend against the method described in this blog post. Newer BIND versions or other DNS software have greatly simplified DNSSEC signing. With BIND 9.9, ISC introduced a new inline signing … Continue reading “DNSSEC signing your domain with BIND inline signing”

Taking Advantage of DNSSEC

According to measurements by APNIC’s Geoff Huston currently 16 percent of Swiss Internet users use a DNSSEC validating DNS resolver. If you want to benefit from the added security with DNSSEC in your network then I suggest you enable DNSSEC validation in your network as well. SurfNet published a deployment guide recently that takes BIND … Continue reading “Taking Advantage of DNSSEC”


SWITCH is regularly assessing parts of the registry infrastructure in technical audits. The goal of these audits is to find operational or software vulnerabilities before attackers do. For 2013 we wanted to audit the DNS/DNSSEC related aspects of the registry and DNS name server service operation. The introduction of DNSSEC for the ch. and li. … Continue reading “SWITCH DNS/DNSSEC Audit”

DNSSEC Deployment in .CH

It has now been three years since SWITCH officially signed the .CH and .LI ccTLDs. Since then adoption of DNSSEC for the .CH domains has been very slow. During the last few weeks we have seen a small increase, but noticeable, including one registrar (OVH.de); who have started to sign a few hundert domain names. … Continue reading “DNSSEC Deployment in .CH”

DNSSEC Signierungs-Algorithmus wechseln

Eine DNS-Zone zu signieren ist mit heutiger Software nicht mehr schwierig oder kompliziert. Die Schwierigkeiten im Betrieb von signierten Zonen sind selten angewendete Prozeduren, wofür teilweise noch die Software-Unterstützung fehlt, sei dies in der Signierungssoftware oder in Monitoring- und Debugging-Tools. Eine solche selten angewendete Prozedur ist der Wechsel des DNSSEC Signierungs-Algorithmus. Als SWITCH die DNSSEC-Signierung … Continue reading “DNSSEC Signierungs-Algorithmus wechseln”

DNSSEC – Einführung zu DNS Security Extensions

Das Domain Name System (DNS) ist ein wichtiger Bestandteil des Internets. Aus Endbenutzersicht erscheint das Internet oft zusammengebrochen, wenn die Namensauflösung nicht funktioniert. In den letzten Jahren wurden Schwachstellen im Protokoll aufgedeckt, welche es erlauben, DNS-Antworten für einen DNS-Resolver zu manipulieren. Um die Vertrauenswürdigkeit der Daten sicherzustellen, wurde die Erweiterung DNSSEC entwickelt. Was ist DNSSEC? … Continue reading “DNSSEC – Einführung zu DNS Security Extensions”

The .ch zone file will be published as open data

The Swiss Federal council adopted the lower laws to the telecommunicaiton act today. Amongst it is the Ordinance on Internet Domains that also regulates the ccTLD .ch. SWITCH-CERT welcomes the new ordinance and the smart regulation by the Federal Office of Communications (OFCOM). The Ordinance on Internet Domains will come to power on 1.1.2021 and … Continue reading “The .ch zone file will be published as open data”

Growing support for open security standards in Switzerland

Open security standards are essential for a secure and resilient Internet in Switzerland and protect the privacy of Swiss Internet users. The adoption rate for Internet security standards like DNSSEC, DANE and DMARC in Switzerland is still low compared to the leading countries in Europe, but there is more and more support from the Internet … Continue reading “Growing support for open security standards in Switzerland”