According to statistics disclosed by the Hong Kong Computer Emergency Response Team Coordination Centre, the number of security incident reports increased by over 22% to 6,058 reported cases in 2016 compared with 2015. Many attacks targeted the Domain Name System (DNS), one of the basic building blocks of the Internet, which translates Web addresses into numerical IP addresses and serves as a phone book for the Internet.
- What is DNSSEC?
The core functionality of the DNS was designed and implemented more than a decade ago. However, there have been concerns about the trustworthiness of data in the DNS.
To mitigate these concerns and enhance the trustworthiness of the DNS, an extension to the DNS protocol set called DNSSEC was introduced.
It provides data origin authentication and ensures data integrity through key pairs and digital signatures. Key pairs are just like keys on a safe deposit box, where you would need to use two keys simultaneously in order to open the box.
- How does it work?
With key pairs and digital signatures, each DNS query can be verified via the “chain of trust”, which provides data origin authentication. Digital signatures are used to verify the unique identity of a DNS record. By verifying the signature against the DNS record, DNSSEC is able to ensure data integrity.
- Why do we need DNSSEC?
The vulnerabilities of DNS raise both economic concerns (in terms of revenue losses, fraud and brand damage) and security issues for users (identity theft) and companies (traffic redirection).
With the use of DNSSEC, we can rest assured that .hk domain services are reliable and trustworthy, directing all traffic to the right websites.
Key benefits are:
- providing an extra level of security to improve reliability, trustworthiness and quality of the DNS
- helping ensure that Internet users are directed to the websites or services they expect when they enter domain names into their browsers
- safeguarding the online environment and strengthening trust in the Internet
- DNSSEC needs your help
Given that Hong Kong is a global financial hub, securing the administration of domain name infrastructure is crucial to the Internet community here. HKIRC’s signing of DNSSEC was supported by ICANN. After the DNSSEC-signed .hk has been enabled at the Internet’s root, we hope to see more collaboration within the Internet community on embracing the technology for better Internet security.
It is important for domain registrars and Internet stakeholders in Hong Kong to include DNSSEC deployment in their development schedule. By working together, we could further our commitment to fostering a safe Internet environment on a secured DNS for .hk -- a core part of the Internet’s global addressing system in the online world.
- Join us
We invite you to join us for the soft launch of DNSSEC through test runs on sample domain names. You are welcome to contact us via email@example.com. Also, the DNSSEC leaflets are available for you to view or download. For enquiries, please call 2319 2303.
- Operational readiness
The security practices in operating DNSSEC services for .hk and .香港 are available. All the procedures along with specific tasks for respective parties have been specified and documented in the DNSSEC Practice Statement. For details, please refer here.
With DNSSEC, your participation, or that of your domain name registrar, plays a critical role in linking your signed domain to the higher-level name servers to form a “chain of trust”. This trust relationship begins at the “root” of the DNS system, then goes to the top-level domains (“hk”) and then to second level domain names (“hkirc.hk”) and on from there. On the other hand, the Internet Access Providers shall also switch on DNSSEC validation in their DNS services (“DNS resolver”). Therefore, we set up three example domain names for you to test the effects of DNSSEC validation. They are:
- DNSSEC Quick Start Guide
The DNSSEC Quick Start Guide provides the steps on how to enable DNSSEC for your .hk domain names. The recommended process for registration of changes to DNSSEC-enabled .hk domain names is available here. Let’s get started!