DNSSEC is an extension of the Domain Name System (DNS), the system that looks up the correct IP address associated with a domain name. DNSSEC addresses a number of vulnerabilities in DNS, thereby making the internet's signposting more secure and reliable. SURFnet is researching how DNSSEC can be implemented most effectively.

DNSSEC signing

SURFnet is one of the pioneers in the area of DNSSEC at both national and international level. In 2009, SURFnet implemented DNSSEC on its own infrastructure, and it has been offering DNSSEC signing as a service to its customers since 2010. 

DNSSEC signing adds a digital signature to the requested IP address information, so that the recipient can be sure that the IP address is the correct one. The RSA algorithm is used to create these signatures.

Cryptography: from RSA to ECC

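In 2017 SURFnet will replace RSA with ECDSA, a signature algorithm based on elliptic curve cryptography (ECC). The new algorithm is intended to prevent a specific type of DDoS attack: the DNSSEC amplification DDoS. ECDSA keys and signatures are considerably smaller than their RSA equivalents, so signed DNS responses shrink and are less useful for amplification. The transition will not affect the users of the SURFnet network.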
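
To put numbers on the amplification argument, the following added example (not SURFnet's code) estimates the size of a signed DNSKEY response from the DNS wire format for RSA and for ECDSA. Assumptions: the zone name example.nl, RSASHA256 with a 2048-bit KSK and a 1024-bit ZSK, ECDSA on curve P-256, public exponent 65537, and a single signature over the DNSKEY set.

```python
# Added example: DNSKEY response size, RSA vs ECDSA, from the DNS wire format.
HEADER = 12       # fixed DNS header (RFC 1035)
OPT_RR = 11       # empty EDNS0 OPT record carrying the DO bit (RFC 6891)
RR_FIXED = 12     # compressed owner name (2) + type, class, TTL, rdlength (10)
RRSIG_FIXED = 18  # RRSIG fields that precede the signer's name (RFC 4034)

def wire_name_len(name):
    """Uncompressed wire length: a length byte per label plus the root byte."""
    labels = [l for l in name.split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1

def rsa_pubkey_len(bits, exponent=65537):
    """RFC 3110 layout: exponent length, exponent, modulus."""
    exp_len = (exponent.bit_length() + 7) // 8
    return (1 if exp_len <= 255 else 3) + exp_len + bits // 8

def key_sizes(alg, bits=None):
    """Return (public key bytes, signature bytes) for a DNSSEC algorithm."""
    if alg == "RSASHA256":          # algorithm 8
        return rsa_pubkey_len(bits), bits // 8
    if alg == "ECDSAP256SHA256":    # algorithm 13 (RFC 6605)
        return 64, 64
    raise ValueError("unsupported algorithm: " + alg)

def query_len(zone):
    """Header + question (name, type, class) + OPT."""
    return HEADER + wire_name_len(zone) + 4 + OPT_RR

def dnskey_response_len(zone, keys, signer):
    """keys: list of (alg, bits); signer: the key that signs the DNSKEY RRset."""
    size = query_len(zone)          # header, question and OPT are echoed back
    for alg, bits in keys:
        size += RR_FIXED + 4 + key_sizes(alg, bits)[0]   # 4 = flags/proto/alg
    # The signer's name inside RRSIG is never compressed (RFC 4034).
    return size + RR_FIXED + RRSIG_FIXED + wire_name_len(zone) + key_sizes(*signer)[1]

def amplification(zone, keys, signer):
    return dnskey_response_len(zone, keys, signer) / query_len(zone)

# Constructed scenario (assumptions, not SURFnet's configuration).
ZONE = "example.nl"
RSA_KEYS = [("RSASHA256", 2048), ("RSASHA256", 1024)]   # KSK, ZSK
ECDSA_KEYS = [("ECDSAP256SHA256", None)] * 2            # KSK, ZSK

if __name__ == "__main__":
    for label, keys in (("RSA", RSA_KEYS), ("ECDSA", ECDSA_KEYS)):
        print(label, dnskey_response_len(ZONE, keys, keys[0]), "bytes,",
              round(amplification(ZONE, keys, keys[0]), 1), "x the query")
```

Under these assumptions a 39-byte query yields a 761-byte response with RSA and a 305-byte response with ECDSA.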

SURFnet will share its experiences with the transition to ECDSA with member institutions and will publish technical information on the DNSSEC blog.

More information

Start date
01 Sep 2008
Latest modifications 15 Aug 2016