ironDNS® is fully prepared for the new DNSSEC standard. It already employs NSEC3 according to RFC 5155.
DNSSEC has so far struggled to become established in the market because of its complexity, even though all experts are convinced of the need to raise DNS security to the level necessary today.
ironDNS® therefore goes its own way to simplify the use of DNSSEC. A special module takes care of the complicated details required for zone signing and key management, including key rollover.
These processes take place in the background, without the user having to attend to them or being bothered in any way.
Two modes of operation
- In the active mode, ironDNS® takes over the whole organisation of the necessary steps. This is a “no worries” package, with ironDNS® informing the customer when a key rollover has taken place. Customers can then pass on the appropriate information to the next higher entity, for example their domain registrar, if necessary.
- In the passive mode, the customer takes care of the key management. The task of ironDNS® is merely to validate the keys.
In what follows, the left diagram shows the data flow between the involved parties in the case without DNSSEC. In the right diagram, the components for DNSSEC are added.
Data flow without DNSSEC (left diagram):
- 1a User logs in and creates a zone.
- 1b Customer's software creates a zone via SOAP.
- 2a/2b Empty zone object is created in the backend.
- 3 Fetcher receives request to fetch the zone data.
- 4 Zone transfer from hidden master NS.
- 5 Fetcher delivers zone data to backend.
- 6 Backend prepares zone and delivers it to all name servers selected by the customer.
Data flow with DNSSEC (right diagram):
- Steps 1-5 as in the first diagram.
- 6 Backend sends zone to DNSSEC module.
- 7 Backend receives signed zone.
- 8 Backend delivers signed zone to all name servers selected by the customer.
- 9 DNSSEC module is informed as soon as zone is on all name servers.
- 10 DNSSEC module creates DS record.
- 11a/12a User receives the DS record from backend via the control panel.
- 11b/12b Customer's software receives DS record from backend via SOAP.
- 13 User stores DS record in parent zone.
- 14a/15a User reports successful deployment of DS record via control panel.
- 14b/15b Customer's software reports successful deployment of DS record via SOAP.
- 16 Backend reports deployment of DS record to DNSSEC module. (This information is needed for a later key rollover.)