Anton Lindstrom (about, @twitter, @github)

DNSSEC implementation in Sweden


The single biggest web hosting company in Sweden, Binero signed all their domains and made a big impact on total signed domains. The signing frenzy caused that about 1 in 10 domains in Sweden are now secured with DNSSEC.

DNSSEC Statistics for .se Source: .SE

I realized today that I was using Binero's nameservers for my domain which they also signed. So, the domain was signed but there were no DS-records that would make the domain valid. This also meant that while the RRSIG was there but not the DS-record it caused the domain name to be invalid. I had the domain name at another registrar and decided to change both name servers and registrar to DNSimple which I have heard much good about. It is not very advanced but for this domain it will suffice. For more advance usage and labs I will use my domain which I am using with my own name servers.

In the recent few weeks I have been signing over 10k domains for another domain name host in Sweden, which I am very proud to say turned out very well. There was a really smooth transition and I really felt like contributing to something which was also really nice. As I had just a little knowledge of DNSSEC at the start of the project I had to learn about it in just a few weeks and then implementing it.

The first problem was that some parts were not very good documented and it was a lot to grasp in a short time. I needed to upgrade nameservers, research common problems and how to implement in a way that would not interfere with the original implementation. In the end it worked out very well without any major problems. Some parts are still left to complete the project but over all I am very pleased with how it turned out.

From this project I learned that persistence is the key and I'm sure that some weeks were more than mere 40 hours of work to get a grasp of everything. Legacy implementations can sometimes bite you in the ass. Technical debt should be prevented by having good documentation, commented code and what I would prefer, configuration management. So, by documenting well and using configuration management the implementation phase would have gone faster ans smoother. The DNSSEC learning however were some well spent hours and in the end DNSSEC is very similar to other techniques used for validating in a chain of trust.

A great way to start 2012!