メニュー

Topics: 2009

The content of this page is obsolete. For the updated announcement,
please refer to http://jprs.co.jp/en/topics/2010/100728.html.

9 July 2009

JPRS Plans to Implement DNSSEC in JP Domain Name Services

Introduction

We, JPRS, are developing a plan to implement DNSSEC [*1], the technology that adds improved security to the Domain Name System, in JP domain name services by the end of 2010. The purpose of this document is to present a background of the implementation and future actions.

*1 DNSSEC: DNS Security Extensions


Background

DNS is a vital mechanism which provides the core function of the Internet, and its operational stability is required in line with the growing importance of the Internet as part of the social infrastructure. In addition, under the circumstance where security threats caused by frauds of DNS responses have turned into reality, a strong demand for worry-free DNS which excludes these threats has grown in late years.

Aiming at improving DNS security, IETF [*2] advanced the consideration to establish the security extension of DNS called DNSSEC. DNSSEC adds signatures to DNS responses with the public key encryption scheme. This enables receivers of the DNS response to validate whether or not the response is correct and complete.

JPRS regards DNSSEC as the most effective and feasible current solution against the security threats caused by frauds of DNS responses. Based on this view, JPRS has researched and developed the method of implementing DNSSEC into large-scale zones, while discussing operational technology and roadmap toward diffusion through collaboration with DNS-related parties from home and abroad. From now on, we are going to conduct tests and reviews of specifications in order to implement DNSSEC into JP domain name services.

*2 IETF: Internet Engineering Task Force


Actions to be taken by related parties

DNSSEC is a mechanism to validate integrity and authenticity of DNS response, which is realized by supporting DNSSEC on both DNS providers' and users' side. Consequently, various DNS-related parties need to move ahead on their own plan to handle DNSSEC.

JPRS is going to deploy DNSSEC in JP DNS and JP domain name services provided by JPRS itself, while conducting promotional and educational activities and providing information to different DNS-related parties categorized as follows.

Operators of authoritative DNS server

As DNS forms a hierarchical structure stretched from the root, it is demanded that DNSSEC be introduced into all the layers of DNS from the highest layer of root DNS to DNS at the TLD level and DNS server for each domain name.

- Operators of root DNS

To ensure smooth operation of DNSSEC, it is essential to introduce DNSSEC into root DNS which is the highest layer in the DNS structure. ICANN [*3]/IANA [*4] is moving ahead the discussion toward adopting DNSSEC. Taking the discussion into consideration, JPRS continues to support early adoption of DNSSEC at the root level, by cooperating with the other TLD registries.
*3 ICANN: Internet Corporation for Assigned Names and Numbers
*4 IANA: Internet Assigned Numbers Authority

- Operators of the other TLD registries

Use of DNS does not close within the national borders or respective TLDs. With a view to contributing to spread of DNSSEC over the whole Internet and enhancing DNS security, JPRS is going to play an active part in information exchange among the TLD registries.

- DNS server operators for each JP domain name

DNSSEC requires specific procedures including signing DNS information and registering signing key information in DNS server for each domain name.  Targeting the operators of each JP domain names, JPRS will provide information on DNSSEC operation through seminars and media.

Operators of cache DNS server

Validation of DNS responses in DNSSEC is done by cache DNS servers administered in ISPs, universities and companies. JPRS will build deeper cooperation with domestic ISPs and will develop activities such as providing information on DNSSEC operation through seminars and media.

JP domain name registrars

To enable JP domain name registrants to use DNSSEC service provided by JPRS, it is required that the services of JP domain name registrars support DNSSEC. JPRS is going to cooperate with registrars to promote the arrangement of DNSSEC service environment.

Internet users

Internet users are not required to take any special action, as the necessary validation on the users' side is done in the cache DNS servers of their providers such as ISPs. However, it is important for the users to be aware of DNSSEC and whether he/she is in the environment supporting DNSSEC or not. To help ensure this circumstance, JPRS is going to provide explanatory information on DNSSEC for the users.

As mentioned above, we will continue to promote actions by various related parties toward dissemination of DNSSEC, with an eye to implement DNSSEC into JP domain name services by the end of 2010.

PAGE TOP