BIT signs reverse DNS zones

Since the summer, internet service provider BIT has been signing not only domain names, but also reverse domain names (rDNS) for its customers. In other words, digital signatures (RRSIG records) are being attached when IP addresses (both IPv4 and IPv6) are translated back into host names.

Existing PowerDNS system

"We've signed all the IP ranges that we own," declares Sander Smeenk, BIT's Head System Manager. "Reverse DNS signing is much the same as forward DNS signing. We simply use our existing PowerDNS system to sign the reverse records."

"The one difference is that our public KSK (DS record) has to be deposited with RIPE NCC, the organisation responsible for the IP address space in Greater Europe and West Asia. They don't have an EPP portal for that kind of transaction, so we used their auto-dbm mail robot to deposit the key."

Customers who do their own reverse DNS management — in other words, those to whom BIT has delegated the DNS management of the address blocks that they use — can register their DNSKEY records with BIT. The ISP then adds them to the superordinate reverse zone, thus completing the cryptographic chain of trust.
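The two steps described above (working out which reverse zone an address block maps to, and deriving the DS record that the parent zone must carry for a customer's DNSKEY so the chain of trust closes) can be reproduced with the standard library alone. This is an added example, not BIT's or PowerDNS's code; the prefix 192.0.2.0/24 and the DNSKEY material are constructed sample values, not BIT's actual ranges or keys.

```python
import base64
import hashlib
import ipaddress
import struct

# Constructed sample key (not a real key): 64 bytes of 0x01, the length of an
# ECDSA P-256 public key, base64-encoded as it would appear in a DNSKEY record.
SAMPLE_KEY_B64 = "AQEB" * 21 + "AQ=="


def reverse_zone(prefix: str) -> str:
    """Reverse zone covering an IPv4 or IPv6 prefix, e.g.
    192.0.2.0/24 -> 2.0.192.in-addr.arpa. (octet boundaries only) and
    2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa. (nibble boundaries only)."""
    net = ipaddress.ip_network(prefix, strict=True)
    labels = net.network_address.reverse_pointer.split(".")
    unit = 8 if net.version == 4 else 4                 # bits per reverse label
    if net.prefixlen % unit:
        raise ValueError(f"{prefix}: prefix length must be a multiple of {unit}")
    drop = (net.max_prefixlen - net.prefixlen) // unit  # labels of the host part
    return ".".join(labels[drop:]) + "."


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split("."))
    return wire + b"\x00"


def key_tag(rdata: bytes) -> int:
    """DNSKEY key tag, RFC 4034 appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Key tag and SHA-256 digest (DS digest type 2, RFC 4509) of a DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), digest


if __name__ == "__main__":
    zone = reverse_zone("192.0.2.0/24")           # the customer's delegated zone
    tag, digest = ds_from_dnskey(zone, 257, 3, 13, SAMPLE_KEY_B64)
    # This DS line belongs in the parent zone (0.192.in-addr.arpa.), not in the
    # customer's own zone; that is the record that closes the chain of trust.
    print(f"{zone} IN DS {tag} 13 2 {digest}")
```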

"Because we can"

BIT didn't have a specific incentive for enabling DNSSEC on its reverse DNS. "We're comfortable with the technology and we have confidence in our production line", says Smeenk. "We're doing it because we can."

Marco Davids, Researcher at SIDN Labs, sees DNSSEC as less urgent for reverse DNS than for forward DNS. "The attack vectors on reverse DNS are much smaller. But there's certainly no harm in what BIT is doing: every little helps where DNS security is concerned. BIT's decision to enable DNSSEC on their reverse DNS shows that they are completely at home with the technology. DNSSEC is now becoming a standard feature of the DNS."