Packet Clearing House has introduced a free, open-sourced and publicly documented DNSSEC signing service for our ccTLD constituents. The service affords ccTLD administrators immediate DNSSEC compliance with no technical, financial, or administrative requirements, and is backed up by an extensive knowledge-transfer system that ensures administrators will be able to migrate part or all of their DNSSEC signing operation onto their own infrastructure over time.

The PCH DNSSEC signing service replicates ICANN's root DNSSEC signing mechanisms in all technical and security respects, but has the additional benefit of geopolitical diversity. Whereas the root is signed entirely within the United States, PCH's signing process occurs in parallel in Zurich, Switzerland; San Jose, California; and Singapore.

Throughout the system, we utilize the highest-security components, ensuring that a ccTLD that utilizes it will comply with all process and security audits that may be imposed. Furthermore, knowledge-transfer performed in a best-practices environment allows a ccTLD's staff to make informed technical and policy choices in designing their own system.


PCH's training will ease the steep learning curve of DNSSEC for TLD administrators by transferring implementation of the DNSSEC process to the domain administrator at their desired pace, while giving them full control at every stage. PCH does not charge for this fully-managed service - it is entirely free. Our DNSSEC Practice Statement, or DPS, as well as all of the other policy and process documents that define our key-handling regime are open-sourced and published under the Creative Commons license, ensuring that the expertise encapsulated in them is available to all, whether or not they choose to also use the operational aspects of our platform.

How the process works

The unsigned zone is transferred from the TLD Administrator's master server via a TSIG-secured connection. PCH utilizes an HSM-protected Zone Signing Key (ZSK) to place cryptographic signatures on the zone and any signed records within it, before transferring it to the authoritative publicly-visible name servers. To ensure security against "brute force" cryptographic attacks, the ZSK is transparently exchanged for a new ZSK ("rolled") at least every six weeks. Every year the Key Signing Key (KSK) is used to generate a new bundle of ZSKs in a key ceremony that can be performed by either PCH or the ccTLD administrator.

How to proceed

Contact PCH if you would like to secure your domain using our DNSSEC signing service. Participating domains can be fully DNSSEC compliant in as little as 48 hours, or over as long a period as you would like to take to gain confidence in the system. The service is and will remain free regardless of whether you choose to use all or only selected components of it, and of course all of our DNSSEC training and documentation are free, just like our training and materials for anycast, Internet exchange facilities, and the other critical infrastructure support services we provide.

To participate, contact our DNS services specialist, Robert Martin-Legène


Links