RIPE NCC Brings DNS Security Extensions to Europe to Make the Internet Safer for Users
15 July 2010 - The RIPE NCC, the not-for-profit organisation that supports the infrastructure of the Internet, announces today that the Internet has reached an important milestone with the publication of the root zone key. This key enables the widespread deployment of the Domain Name Server Security Extensions (DNSSEC) protocol, which the RIPE NCC has been supporting for almost two decades. DNSSEC allows Internet users to type a website address and be confident that the website being displayed is coming from an authorised server. The global deployment of DNSSEC is a vital step in increasing Internet security and the RIPE NCC is proud to have played a leading role in its development.
What is DNSSEC?
The Domain Name System (DNS), while being an integral part of the backbone of the Internet, does not have inherent security features. This could expose Internet users to attacks by allowing hackers to redirect users to fake website addresses. So, when users type in the name of a legitimate website, they are taken to a fraudulent one instead, putting them at risk of phishing and other scams. DNSSEC uses digital signatures to assure name servers that the DNS data they receive has not been intercepted or tampered with, increasing Internet safety for all. It is virtually invisible to end-users and does not impact the speed at which a website loads.
The signing of the root zone marks the culmination of almost two decades of work by the global Internet community and the RIPE NCC. The organisation has led the DNSSEC project in Europe, driving the protocol development forward since the early 1990s amongst the global Internet community and supporting the development of standards for DNSSEC technology. It has also offered technical and policy advice to the Internet Corporation for Assigned Names and Numbers (ICANN) as well as ARIN and APNIC, the Regional Internet Registries for North America and the Asia Pacific, to ensure that DNSSEC can be deployed as efficiently as possible and without disruption to Internet users. Additionally, the RIPE NCC has raised awareness of DNSSEC among Internet Service Providers (ISPs), and offered training and support for early adopters of the technology.
All of the world's 13 root name servers, including K-root which is operated by the RIPE NCC, have gradually switched to a signed root since January this year in preparation for today's global roll-out.
Daniel Karrenberg, Chief Scientist of the RIPE NCC, says: "Trust and identity are key areas in need of improvement for the Internet to sustain its impressive rate of innovation and growth of the last 20 years. DNSSEC helps ensure that users can trust that they are indeed communicating with whom they intend to - that the website they are entering their banking transactions on is operated by their bank, and that their e-mail reaches the intended recipient and no one else.
"It is crucial that institutions forming part of the Internet community, such as the RIPE NCC, collaborate globally in the long-term to protect the sustainable growth of the Internet."
Some top-level domains (TLDs) already use DNSSEC (.uk, .org, .bg, .ch, .cz, .li and .se), and many more TLDs (.us and .biz) are currently working on signing their zone. As more domains are secured, the Internet becomes more reliable and stable, benefitting end-users.
Rob Blokzijl, RIPE Chair, says: "The RIPE community has been an ardent supporter of DNSSEC for many years, urging ICANN to sign the root zone. Now both ISPs and the domain name industry can move on to full deployment of DNSSEC, taking another step in our effort to make the Internet a safer place for all."
For Internet users to benefit from DNSSEC, a router upgrade may be necessary. Some routers may not be able to handle the larger packet sizes generated by DNSSEC because legacy networking equipment does not accept DNS responses that are over 512 bytes in size or split into several packets.
To help ISPs check that their resolvers are able to cope with the larger packet sizes introduced by DNSSEC, the RIPE NCC has developed a free, easy-to-use reply size tester tool that can be downloaded here. There are also browser add-ons that show end-users if DNSSEC is being used when they access a website.
Many of the world's largest TLDs and root name servers use Name Server Daemon (NSD), a high performance DNS name server implementation designed by NLNet Labs, an Internet technology research and development group, and supported by the RIPE NCC. NSD improves the performance of the DNS and helps make it more resilient to failures.
About the RIPE NCC
Founded in 1992, the RIPE NCC is an independent, not-for-profit membership organisation that supports the infrastructure of the Internet. The most prominent activity of the RIPE NCC is to act as a Regional Internet Registry (RIR) providing global Internet resources and related services to a current membership base of around 6,800 members in over 75 countries.
These members consist mainly of Internet Service Providers (ISPs), telecommunication organisations and large corporations located in Europe, the Middle East and parts of Central Asia.
As one of the world's five RIRs, the RIPE NCC performs a range of critical functions including:
- The reliable and stable allocation of Internet number resources (IPv4, IPv6 and AS Number resources)
- The responsible storage and maintenance of this registration data
- The provision of an open, publicly accessible database where this data can be accessed
The RIPE NCC also provides a range of technical and coordination services for the Internet community. These services include the operation of K-root (one of the 13 root name servers), the Deployment of Internet Security Infrastructure (DISI) and DNS Monitoring (DNSMON). As a result of its established position in the Internet industry, the RIPE NCC has played an important role in the World Summit on the Information Society (WSIS), the Internet Governance Forum (IGF), European Union (EU) workshops and government briefings on key issues in the current Internet landscape.
For media enquiries please contact:
Lucie Smith/ Kersti Klami at Racepoint Group UK
Tel: +44 2088 112 474
Email: ripencc _at_ racepointgroup _dot_ com