
Start of DNSSEC deployment on Dutch ENUM zone

First step towards enhanced internet security in the Netherlands

Arnhem, 6 July 2009 - SIDN, the registry for .nl and ENUM NL, has today signed its ENUM zone using DNSSEC (Domain Name System Security Extensions). In due course, SIDN intends to deploy DNSSEC on the .nl zone as well. The decision to implement DNSSEC is motivated by SIDN's commitment to maximising the reliability of its zones. DNSSEC will be deployed on the .nl zone later, after operational experience on the ENUM zone has been acquired. Various operational issues also need to be resolved ahead of implementation, and SIDN is working with a number of other registries to find solutions.

DNSSEC
The existing DNS protocol has a number of vulnerabilities - to man-in-the-middle attacks and cache poisoning, for example. General DNSSEC implementation is both the most complex and the most secure way of resolving these vulnerabilities. However, DNSSEC cannot prevent phishing or typo-squatting. Deploying DNSSEC on a zone (tier 1) is significantly less effective than the signing of domain names in that zone using DNSSEC (tier 2). Unfortunately, the signing of domain names implies input from - and therefore additional costs for - registrars, ISPs involved in DNS resolving, name server service providers and registrants.

SIDN's CEO Roelof Meijer commented: ‘We are very pleased with this first step towards the successful deployment of DNSSEC for the ENUM zone. With nearly 3.5 million .nl domain names, the .nl zone is much bigger than the Dutch ENUM zone currently is, and much more important. As a result, the implementation of DNSSEC for the .nl zone is no sinecure: a zone's operational complexity is closely related to its size and the number of different parties involved. So we feel it's extremely important that certain operational issues are resolved and that the DNSSEC processes are largely automated before we go ahead. Naturally, we are doing what we can to make that happen - through the IETF and ICANN, for example. In the meantime, we are gaining experience by implementing DNSSEC for ENUM - experience that should stand us in good stead when DNSSEC is deployed on the .nl zone.'

More information on DNSSEC: http://www.enisa.Europe.eu/sta/files/resilience_features.pdf and
http://www.surfnet.nl/nl/nieuws/pers/Pages/whitepaperDNSSEC.aspx.

More information on DNSSEC status for 1.3.e164.arpa.
