IIJ to Adopt DNSSEC Expansion Method to Improve Security on DNS Services

17 January 2011

TOKYO--January 17, 2011--Internet Initiative Japan Inc. (IIJ, NASDAQ: IIJI, TSE1: 3774), one of Japan's leading Internet access and comprehensive network solutions providers, today announced that in order to improve domain name system (DNS) security, it will upgrade all of its DNS-related services, such as the DNS Outsourcing Service, to be compatible with DNS Security Extensions (DNSSEC) on January 31, 2011.

DNS links IP addresses with host names. Normally, when a client computer communicates with a specific server, for example, the client computer sends a request to the DNS that manages the domain information for that server, and based on the information received back from the DNS, the computer communicates with the specified server. However, DNS cache poisoning (*1), a type of attack that exploits this system, became widespread in the 1990s, which created the risk of receiving false information from the DNS. The Kaminsky Attack (*2), which made DNS cache poisoning relatively easy, was discovered in 2008 and became a very large security risk. Computers that receive false DNS information as a result of these attacks are vulnerable to a number of threats, such as being forwarded to harmful sites or having their webpage or mail content altered, and since the DNS function itself is rendered inoperable, it may have a huge impact on the entire Internet, which is why improving DNS security has become a critical mission.

DNSSEC uses electronic signatures as a means of confirming that DNS data has not been falsified, and since 1994, the IETF (*3) has been examining the specifications (*4). The integrity of DNS can be verified by using a private key and public key arrangement, and thus this is considered the most effective means of defeating security threats that abuse the DNS system. Adoption of DNSSEC is growing in every country in the world.

As the name suggests, the root server is the source of DNS on the Internet, and as of the summer of 2010, the root servers are fully DNSSEC ready, and with the DNSSEC conversion of Japan Registry Service Co., Ltd. (JPRS), IIJ's DNS services will also be made DNSSEC compatible. By using DNSSEC enabled services, clients can keep their DNS servers secure without any specialized knowledge. DNSSEC has just begun to be adopted around the globe, and because there is not a lot of technological knowledge or expertise available regarding implementation, it is easier to get the benefits of DNSSEC through these services rather than implementing it on one's own.

IIJ will continue to expand the use of DNSSEC enabled services in the future.

(*1) An attack that overwrites DNS information so that people are directed to other sites and users cannot access certain domains.

(*2) A new type of attack created by Dan Kaminsky in 2008, which makes DNS cache poisoning more effective.

(*3) Internet Engineering Task Force: A volunteer organization to promote standardization of Internet technology.

(*4) The current specifications (RFC4033, 4034, and 4035) were adopted in 2005 (RFC5155, which sets out the NSEC3 method, was adopted in 2008).

DNSSEC enabled services

| Service | Implementation |
| --- | --- |
| DNS Outsourcing Service | Signature and key renewal and management for relevant zone information |
| DNS Secondary Service | When the primary DNS is DNSSEC enabled, the secondary DNS server with IIJ is automatically DNSSEC enabled. |
| General-use JP domain management service and Organizational Type JP domain management service | Perform registration of DS (delegation signer) for upper-level DNS servers |