メニュー

Topics: 2010

28 July 2010
Last Update: 22 October 2010

JPRS Plans to Implement DNSSEC in JP Domain Name Services in January 2011

Updated: 22 October 2010
On 18 October 2010, we started signing JP zone with DNSSEC.

Introduction

We, JPRS, have developed a plan to implement DNSSEC [*1], the technology that adds improved security to the Domain Name System. Currently, we are working on preparation for the deployment in JP domain name services on 16 January 2011. The purpose of this document is to present a background of the implementation and future actions.

*1 DNSSEC: DNS Security Extensions

Background

DNS is a vital mechanism which provides the core function of the Internet, and its operational stability is required in line with the growing importance of the Internet as part of the social infrastructure. In addition, under the circumstance where security threats caused by frauds of DNS responses have turned into reality, a strong demand for worry-free DNS which excludes these threats has grown in late years.

Aiming at improving DNS security, IETF [*2] advanced the consideration to establish the security extension of DNS called DNSSEC. DNSSEC adds signatures to DNS responses with the public key encryption scheme. This enables receivers of the DNS response to validate whether or not the response is correct and complete.

JPRS regards DNSSEC as the most effective and feasible current solution against the security threats caused by frauds of DNS responses. Based on this view, JPRS has researched and developed the method of implementing DNSSEC into large-scale zones, while discussing operational technology and roadmap toward diffusion through collaboration with DNS-related parties from home and abroad.

At present, we are conducting tests and reviews of specifications in order to implement DNSSEC, as well as performing technological evaluation with a wide range of DNS-related parties listed below.

In July 2010, ICANN [*3] introduced DNSSEC in DNS Root Servers, the highest stratum in the DNS. This contributes to the development of an environment promoting DNSSEC deployment among TLDs. Based on these circumstances, JPRS determined to implement DNSSEC in JP domain name services on 16 January 2011.

*2 IETF: Internet Engineering Task Force
*3 ICANN: Internet Corporation for Assigned Names and Numbers

Actions to be taken by related parties

DNSSEC is a mechanism to validate integrity and authenticity of DNS response, which is realized by supporting DNSSEC on both DNS providers' and users' side. Consequently, various DNS-related parties need to move ahead on their own plan to handle DNSSEC.

JPRS will continue to focus on deploying DNSSEC in JP DNS and JP domain name services provided by JPRS itself, while conducting promotional and educational activities and providing information to different DNS-related parties categorized as follows.

Operators of authoritative DNS server

As DNS forms a hierarchical structure stretched from the root, it is demanded that DNSSEC be introduced into all the layers of DNS from the highest layer of root DNS to DNS at the TLD level and DNS server for each domain name.

- Operators of the other TLD registries
Use of DNS does not close within the national borders or respective TLDs. With a view to contributing to spread of DNSSEC over the whole Internet and enhancing DNS security, JPRS will further pursue information exchange among the TLD registries.
- DNS server operators for each JP domain name
DNSSEC requires specific procedures including signing DNS information and registering signing key information in DNS server for each domain name.  Targeting the operators of each JP domain names, JPRS will keep on providing information on DNSSEC operation through seminars and the media.
Operators of cache DNS server

Validation of DNS responses in DNSSEC is done by cache DNS servers administered in ISPs, universities and companies. JPRS will carry on building deeper cooperation with domestic ISPs and developing activities such as providing information on DNSSEC operation through seminars and the media.

JP Registrars

To enable JP domain name registrants to use DNSSEC service provided by JPRS, it is required that the services of JP Registrars support DNSSEC. JPRS is going to cooperate with JP Registrars to promote the arrangement of DNSSEC service environment.

Internet users

Internet users are not required to take any special action, as the necessary validation on the users' side is done in the cache DNS servers of their providers such as ISPs. However, it is important for the users to be aware of DNSSEC and whether he/she is in the environment supporting DNSSEC or not. To help ensure this circumstance, JPRS is going to provide explanatory information on DNSSEC for the users.

As mentioned above, we will continue to promote actions by various related parties toward dissemination of DNSSEC, with an eye to implementing DNSSEC into JP domain name services in January 2011.

Future plan

Oct. 2010      Start signing JP zone with DNSSEC (Completed on 18 Oct. 2010)
16 Jan. 2011  Introduction of DNSSEC in JP domain name services
(Registration of signing key starts, and DNSSEC service will be provided in JP DNS)

Revision history

28 July 2010 First published.
22 October 2010 We started signing JP zone with DNSSEC on 17 October 2010, and we decided to implement DNSSEC into JP domain name services on 16 January 2011.

PAGE TOP