Last Update: 22 October 2010
JPRS Plans to Implement DNSSEC in JP Domain Name Services in January 2011
|Updated: 22 October 2010|
On 18 October 2010, we started signing JP zone with DNSSEC.
We, JPRS, have developed a plan to implement DNSSEC [*1], the technology that adds improved security to the Domain Name System. Currently, we are working on preparation for the deployment in JP domain name services on 16 January 2011. The purpose of this document is to present a background of the implementation and future actions.
*1 DNSSEC: DNS Security Extensions
DNS is a vital mechanism which provides the core function of the Internet, and its operational stability is required in line with the growing importance of the Internet as part of the social infrastructure. In addition, under the circumstance where security threats caused by frauds of DNS responses have turned into reality, a strong demand for worry-free DNS which excludes these threats has grown in late years.
Aiming at improving DNS security, IETF [*2] advanced the consideration to establish the security extension of DNS called DNSSEC. DNSSEC adds signatures to DNS responses with the public key encryption scheme. This enables receivers of the DNS response to validate whether or not the response is correct and complete.
JPRS regards DNSSEC as the most effective and feasible current solution against the security threats caused by frauds of DNS responses. Based on this view, JPRS has researched and developed the method of implementing DNSSEC into large-scale zones, while discussing operational technology and roadmap toward diffusion through collaboration with DNS-related parties from home and abroad.
At present, we are conducting tests and reviews of specifications in order to implement DNSSEC, as well as performing technological evaluation with a wide range of DNS-related parties listed below.
In July 2010, ICANN [*3] introduced DNSSEC in DNS Root Servers, the highest stratum in the DNS. This contributes to the development of an environment promoting DNSSEC deployment among TLDs. Based on these circumstances, JPRS determined to implement DNSSEC in JP domain name services on 16 January 2011.*2 IETF: Internet Engineering Task Force
*3 ICANN: Internet Corporation for Assigned Names and Numbers
Actions to be taken by related parties
DNSSEC is a mechanism to validate integrity and authenticity of DNS response, which is realized by supporting DNSSEC on both DNS providers' and users' side. Consequently, various DNS-related parties need to move ahead on their own plan to handle DNSSEC.
JPRS will continue to focus on deploying DNSSEC in JP DNS and JP domain name services provided by JPRS itself, while conducting promotional and educational activities and providing information to different DNS-related parties categorized as follows.Operators of authoritative DNS server
As DNS forms a hierarchical structure stretched from the root, it is demanded that DNSSEC be introduced into all the layers of DNS from the highest layer of root DNS to DNS at the TLD level and DNS server for each domain name.- Operators of the other TLD registries
Use of DNS does not close within the national borders or respective TLDs. With a view to contributing to spread of DNSSEC over the whole Internet and enhancing DNS security, JPRS will further pursue information exchange among the TLD registries.- DNS server operators for each JP domain name
DNSSEC requires specific procedures including signing DNS information and registering signing key information in DNS server for each domain name. Targeting the operators of each JP domain names, JPRS will keep on providing information on DNSSEC operation through seminars and the media.Operators of cache DNS server
Validation of DNS responses in DNSSEC is done by cache DNS servers administered in ISPs, universities and companies. JPRS will carry on building deeper cooperation with domestic ISPs and developing activities such as providing information on DNSSEC operation through seminars and the media.JP Registrars
To enable JP domain name registrants to use DNSSEC service provided by JPRS, it is required that the services of JP Registrars support DNSSEC. JPRS is going to cooperate with JP Registrars to promote the arrangement of DNSSEC service environment.Internet users
Internet users are not required to take any special action, as the necessary validation on the users' side is done in the cache DNS servers of their providers such as ISPs. However, it is important for the users to be aware of DNSSEC and whether he/she is in the environment supporting DNSSEC or not. To help ensure this circumstance, JPRS is going to provide explanatory information on DNSSEC for the users.
As mentioned above, we will continue to promote actions by various related parties toward dissemination of DNSSEC, with an eye to implementing DNSSEC into JP domain name services in January 2011.
Oct. 2010 Start signing JP zone with DNSSEC (Completed on 18 Oct. 2010)
16 Jan. 2011 Introduction of DNSSEC in JP domain name services
(Registration of signing key starts, and DNSSEC service will be provided in JP DNS)
|28 July 2010||First published.|
|22 October 2010||We started signing JP zone with DNSSEC on 17 October 2010, and we decided to implement DNSSEC into JP domain name services on 16 January 2011.|