For many years, our association has been running a service going by the acronym “ODVR” – Open DNSSEC Validating Resolvers. At times when DNSSEC was just beginning, we thought it was necessary to come up with an alternative to DNS resolvers provided by ISPs who introduced the validation support too slowly. Since then, we have offered a publicly available service that allows validation of domains using DNSSEC security even in those networks whose default DNS resolvers do not support this.
It has been almost half a year since we presented the intention to change the DNSSEC algorithm for .cz zone DNSSEC key at our IT 16.2 conference. In his presentation, our colleague Zdeněk Brůna described in detail the advantages of algorithms based on elliptic curves, especially the ECDSA algorithm. However, due to the situation where this step cannot be done because of the lack of support for this algorithm in the root zone, our activities have shifted to mainly educate and monitor the impact of this education on the state of support for this new technology. At a seminar with registrars that we held at the end of February, we noticed a positive response to some ECDSA properties, such as smaller zone file size or smaller DNS response size. Some registrars have already declared interest in switching to ECDSA. At the same time, the registrars have suggested that we publish statistics on our site showing how different DNSSEC algorithms are used in the .cz zone. We liked this idea and we are now publishing these statistics.
In mid-February we informed about Reducing TTL in the .cz zone by one hour. Then, at a similar hour every Wednesday, we reduced it by another hour, until on March 15, 2017 we reached the required value of 1 hour (i.e. TTL=3600).
The golden rule of security, stability, and resiliency of virtually anything is “don’t put all your eggs into one basket”. This generally applies to the DNS, and there are some recommendations to avoid having all your nameservers in one domain. I would like to show that in this case, this is not a silver bullet, it depends on many conditions, and using different domains in your nameserver set might even make things not better, but worse.
A couple of weeks ago, I got an email informing me that it had been almost three years since my entry into the Turris project, and I could now purchase the router for a symbolic price of one crown. I did that right away to test for my colleagues whether the system works well; however, it also brought back nostalgic memories. Because three years ago I had the same goal – to test whether everything was working properly – when I filled what was probably the first router lease contract. Those three years have gone by in a flash, so it is perhaps a good time to stop and look back.
It was the first time CZ.NIC has participated at such a big fair and the decision was last moment one. We wanted to find partners and introduce the router to public. Turris Omnia is on the market for several months but seems to interest only linux geeks. Therefore it was a pleasant surprise that the public at CeBit really liked it.
DNS records contain a lot of important data, including the information on how quickly such data becomes obsolete, the so-called TTL (Time To Live). TTL in the DNS indicates for how long the data can be stored on a recursive nameserver (resolver) without it being retrieved from an authoritative nameserver. The lower the TTL, the more frequently resolvers query authoritative nameservers and obtain the most recent data. At the same time, however, a short TTL causes heavier load on nameservers, and if DNS records do not change often, the TTL is usually set to several hours.
One of the important features of the mojeID service launched by CZ.NIC seven years ago is its integration with the domain registration system. Multi-step verification of the provided data serves as a method of increasing the accuracy of contact details in the .CZ domain registry. As a bonus, the contacts verified this way can use the mechanism of a single sign-on using authentication protocols on websites that offer such an option. As might be expected, among such websites there are also portals of some of our registrars, two of which have lately even ranked among the 10 services with highest login count. The concept of linking a domain registry to a digital identity (eID) has long been the subject of many questions from foreign domain registries and numerous presentations at international conferences. Now it seems that other foreign registries decided to implement this concept.
The ongoing first nationwide competition in cyber security attracted not only students of technical fields, but also many gymnasium students. The first round of the competition was attended by 1,067 participants from 162 schools of various specialization from across the country. The only restriction was the age (15-18 years), in order that the most successful competitors be qualified for the European Cyber Security Challenge. Most students came from the Prague, South Moravia, Pardubice and Vysočina regions.
Near the end of the old year, a juicy discussion broke out in the “main” IETF mailing list. Although it was ignited by a bizarre proposal of IP version 10, in reality it reflects a general frustration caused by the sluggish pace of IPv6 deployment. John Klensin, one of Internet’s grandfathers, expressed a surprisingly sceptical and self-critical opinion. He means that IPv6 proponents gradually lose on credibility: “[We] spent many years trying to tell people that IPv6 was completely ready, that all transition issues had been sorted out and that deployment would be easy and painless. When those stories became ever more clearly false, we then fell back on claims or threats that failure to deploy IPv6 before assorted events occurred would cause some evil demon to rise up [and] devour them and their networks. Most of those events have now occurred without demonstrable bad effects; …”