When a domain owner decides to have their zone secured with DNSSEC, adding validation keys and signatures to the zone is only half the story. To allow resolvers to start validating signatures, it is also necessary to link at least one of the domain’s validation keys (DNSKEY records) to the global DNSSEC chain of trust.
What has the new version of FRED brought and has yet to bring?
At the beginning of December 2023, we released a new version of FRED, the domain management system we developed for the operation of the Czech national domain, .CZ, and which serves the same purpose in ten other countries. It is used to manage the domains of Argentina (.AR), Bosnia and Herzegovina (.BA), Costa Rica (.CR), Albania (.AL), North Macedonia (.MK), Tanzania (.TZ), Angola (.IT.AO and .CO.AO), Malawi (.MW), Lesotho (.LS) and Macau (.MO). The new version of FRED is pieced together from a multitude of incremental changes developed over the last 12+ months, which, with a few exceptions, we have continuously deployed into production in our country. A number of the modifications were significantly interdependent, so it was not possible to publish minor updates of the system, because it would have been difficult for foreign registries to switch to them. FRED 2.48 is the recommended version to upgrade to.
ID4me – single sign-on and domains the German way
On August 14, over 50 representatives of internet organizations met at the headquarters of DENIC, the German top-level domain registry, to attend the first ID4me summit. ID4me is the current name of the project, which was started last year under the name DomainID — I mentioned it briefly in my presentation at our last year’s conference IT 17.2. It was initiated by the .DE domain administrator, together with the major German registrar 1&1, and Open-Xchange, the operator of online collaboration tools. However, there are many other companies that are willing to support it, including the UK domain registry Nominet. The goals set by the project are quite familiar to us — reducing the number of passwords and registrations that people need while using the Internet. Like CZ.NIC with its mojeID project, the authors of ID4me have come to the conclusion that the domain world is just the place for an attempt to achieve these goals.
Together for better stability, speed and further extensibility of the DNS ecosystem
Over the past years, various DNS software developers tried to solve the interoperability problems of the DNS protocol, and especially of its EDNS extension (RFC 6891), with temporary workarounds that let their software tolerate various non-standard behaviors. Unfortunately, time has shown that adding temporary workarounds is not a long-term solution, mainly because implementations that did not fully comply with the standards appeared to work, so there was no pressure for a permanent fix. The result of these makeshift solutions is their accumulation in DNS software, to the point where there are so many of them that they themselves begin to cause problems. The most obvious problems are slower responses to DNS queries and the impossibility of deploying a new DNS protocol feature called DNS Cookies, which would help reduce DDoS attacks based on DNS protocol abuse.
Almost 4 million new gTLDs disappeared in 2017
Last year was not a good year for new generic top-level domains (new gTLDs). While a number of domain names became available for registration, the total number of new domain names decreased for the first time in their history. While there were 27,710,468 domain names registered at the beginning of the year 2018, only 23,823,948 saw the end of the year. Domain holders in the Czech Republic had a total of 23,245 new gTLD domain names registered, i.e. less than 0.1 %.
New Version of FRED, Testing Was Its Foundation
On the 15th of November, following the prior maintenance notification, our system administrators successfully installed a new version of FRED, the system that is the basis of the .cz domain name registry (as well as of national domain name registries in a dozen other countries). What does that actually mean, though?
Let’s make DNS great again!
I hope former US President Ronald Reagan would forgive me for borrowing and altering the slogan of his presidential campaign. After all, quite a few people seem to be doing it these days.
New statistics and increase in popularity of elliptic curves in DNSSEC
It has been almost half a year since we presented, at our IT 16.2 conference, our intention to change the DNSSEC algorithm used for the .cz zone DNSSEC key. In his presentation, our colleague Zdeněk Brůna described in detail the advantages of algorithms based on elliptic curves, especially the ECDSA algorithm. However, since this step cannot be taken yet because the algorithm is not supported in the root zone, our activities have shifted mainly to education and to monitoring the impact of this education on the state of support for this new technology. At a seminar with registrars that we held at the end of February, we noticed a positive response to some ECDSA properties, such as a smaller zone file size or a smaller DNS response size. Some registrars have already declared an interest in switching to ECDSA. At the same time, the registrars suggested that we publish statistics on our site showing how the different DNSSEC algorithms are used in the .cz zone. We liked this idea and are now publishing these statistics.
Reducing TTL in the .cz zone
DNS records contain a lot of important data, including information on how quickly such data becomes obsolete, the so-called TTL (Time To Live). The TTL in DNS indicates for how long the data may be stored on a recursive nameserver (resolver) without being retrieved again from an authoritative nameserver. The lower the TTL, the more frequently resolvers query authoritative nameservers and obtain the most recent data. At the same time, however, a short TTL causes a heavier load on nameservers, so if DNS records do not change often, the TTL is usually set to several hours.
The mojeID service as an inspiration for other European domain registries
One of the important features of the mojeID service launched by CZ.NIC seven years ago is its integration with the domain registration system. Multi-step verification of the provided data serves as a method of increasing the accuracy of contact details in the .CZ domain registry. As a bonus, the contacts verified this way can use single sign-on, based on authentication protocols, on websites that offer such an option. As might be expected, among such websites there are also portals of some of our registrars, two of which have lately even ranked among the 10 services with the highest login count. The concept of linking a domain registry to a digital identity (eID) has long been the subject of many questions from foreign domain registries and of numerous presentations at international conferences. Now it seems that other foreign registries have decided to implement this concept.