DNSSEC

A short history of DNSSEC

[an error occurred while processing this directive]

We have only bits and pieces of information. What we know for certain is that, at some point in the early Twenty-first Century, all of mankind was united in celebration. Through the blinding inebriation of hubris, we marveled at our magnificence as we gave birth to A.I. DNSSEC.

-- Morpheus, the Matrix

Introduction

On this page a short history of DNSSEC is described. It is presented as a timeline stretching from ancient times (1983) up to the current year. DNS history is briefly touched upon, a full history is described in the first three paragraphs of 1.

As I'm only been involved with DNSSEC since the beginning of 2001 and this history is typed from the top of my head there may be things forgotten or down right wrong. Please don't hesitate to send us a message if something is not right (email addr. can be found at the bottom of the page).

DNS(SEC) History

1983

Paul Mockapetris invents the DNS and implements the first server: Jeeves.

1986

Formal IETF Internet Standard. Two RFC's describe DNS: 1034 and 1035.

1988

DNS begins to catch on the Internet.

1990

Steven Bellovin discovers a major flaw in the DNS 2. As DNS is already widely deployed on the Internet, the report is kept secret until 1995. In those years research is started on a more secure replacement of DNS.

1995

The article from Bellovin is published and DNSSEC (as it became known) becomes a topic within the IETF.

1997

RFC2065, a predecessor of 2535, is published.

1999

RFC2535 is published by the IETF. The DNSSEC protocol looks to be finally finished. BIND9 is developed to be the first DNSSEC capable implementation.

1999-2001

Although the RFC is finished and BIND is DNSSEC ready, deployment is stalling.

2001

Experiments show 3 that the key handling in RFC2535 is causing operational problems that would make deployment difficult if not impossible.

After various ideas and drafts (sig@parent) a new record was proposed: the DS RR, Delegation Signer resource record. With this record the operational problems of DNSSEC would be solved. Because this record has the special property of only existing at the parent zone it introduced some difficulties in the DNS protocol it self. Deployment of DNSSEC looks possible now, but the current code (ie. BIND9) does not understand the new DS record.

It is decided to rewrite 2535 into three new drafts:

• draft-ietf-dnsext-dnssec-intro - a introduction into DNSSEC
• draft-ietf-dnsext-dnssec-records - introduces the new records
• draft-ietf-dnsext-dnssec-protocol - details the protocol changes

2002-2003

The drafts are getting more refined and better, BIND9 snapshots start appearing that are capable of handling the new DNSSEC standard (2535bis).

NLnet Labs deceided to run a new experiment called SECREG (secure registry) to test 2535bis. The results of this experiment are documented in 4. In short the experiment showed that 2535bis is ready for deployment.

2004

The expectation is that the drafts are to be finished this year and that even the RFC could be published before 2005. Currently BIND9.3 and higher NSD2 and higher are capable of handling 2535bis DNSSEC.

2005

The three new drafts are on there way to the RFC editor. This means the new standard is almost official. Now we only have to wait for DNSSECbis to become the new standard.

2005 - March

The RFC's are published:

• RFC 4033
  DNS Security Introduction and Requirements
• RFC 4034
  Resource Records for the DNS Security Extensions
• RFC 4035
  Protocol Modifications for the DNS Security Extensions

2005 - October

Sweden (.SE) enables DNSSEC in their zone. This make .SE the first ccTLD to deploy DNSSEC.

At the same time RIPE NCC (ripe.net) is in the process of deploying DNSSEC in the reverse zones.

Bibliography

1 nominum.com/history.php
2 Bellovin. Using the Domain Name System for System Break-Ins, 1995
3 NLnet Labs .nl.nl experiment: C'T Article. "DNSSEC in NL" is the final report about this experiment.
4 DNSSEC in NL: secreg-report.pdf