.nl signed, our clock is now ticking ;-)

Written by Roland van Rijswijk in category: General

SIDN – the registry for the .nl domain – announced today that the .nl domain has been signed successfully. We are of course very happy with this because this means that at some point in the near future we can submit a DS for our domains under the friends and fans programme that SIDN has […]


Cryptographic sanity: NSEC3 parameters

Written by Rick van Rein in category: Crypto, Security

One of the factors that delayed the adoption of DNSSEC has been the privacy of the information stored in it. This is a topic of debate, as DNS has always been designed as a public database, but the Internet of today cannot be governed by purely technical motivations. The problem is with securely denying a […]


How many keys #2

Written by Roland van Rijswijk in category: Architecture, Crypto, Technical

For a paper I’m writing on state-of-the-art cryptography and applications of cryptography I’ve drawn a picture of the complete trust chain required to validate the answer to a query for www.surfdnssec.org (which is in one of our test domains and is a CNAME pointing to this blog). It really drives home how complex DNSSEC can […]


Reloading signed zones into BIND

Written by Rick van Rein in category: Procedures, Resilience, Technical, Timing

Our signer publishes signed zones through BIND. We found that updates to BIND can get lost if they follow each other too quickly; and we solved it.


Cryptographic sanity: Key sizes

Written by Rick van Rein in category: Crypto, Timing

In our architecture, we consider three levels of users: end users, who understand DNS at a conceptual level; operators, who understand DNS at an operational level; and security officers, who are mindful about the cryptographic intricacies of DNSSEC. After initial setup has been done, a security officer only needs to oversee the secure operation of the […]


Red-Hatted Trouble… IPv6 and BIND 9.7 on RHEL 5.x

Written by Roland van Rijswijk in category: Technical

We prefer to run our infrastructure on open platforms. For our DNS infrastructure we have chosen to run it on top of Red Hat Enterprise Linux version 5.x. Since we have deployed DNSSEC, we have run into a number of problems, and to save you the trouble of having to run into and solve these […]


Cryptographic sanity: How many keys?

Written by Rick van Rein in category: Crypto, Resilience, Security

In our architecture, we opt for Hardware Security Modules (or HSMs) as secure key stores. This helps us with high-availability of key material, and thus of our signed domains, but it also poses us with some limitations. An HSM generally has a limited number of keys that it can store. Had we opted for a […]