In the 1990s, the engineers of the Internet Engineering Task Force (IETF), the organization responsible for DNS protocol standards, came up with the DNS Security Extensions (DNSSEC). Their goal was to make the Internet safer by making it possible for end users to know 1) that the data they receive from a web site actually comes from that site, and 2) that the data hasn’t been modified in transit.
That seems like something we should have been doing all along, but implementation of DNSSEC has been slow. So, why isn’t everyone using DNSSEC?
First of all, it has taken a while for the developers of the software DNS runs on to implement DNSSEC. Second, it takes effort on the part of web site owners to enable DNSSEC. It’s not a matter of just setting it up on your web host’s control panel; it requires the web host and the domain registrar to share cryptographic keys, so it has to be set up on the web host’s end and at the domain registrar.
This week, I had the opportunity to enable DNSSEC for about 30 domains registered through Enom. Recently, Enom made API calls available to resellers that allow them to enable DNSSEC on a domain using an HTTPS request. Currently, the URL used to make the API call to enable DNSSEC looks like this:
https://reseller.enom.com/interface.asp?command=AddDnsSec&uid=yourloginid&pw=yourpassword&paramname=paramvalue&nextparamname=nextparamvalue...
It’s all those “paramname=paramvalue” pairs that are trying, especially if you’re dealing with a lot of domains.
So, what’s a developer to do? I’m always looking for a reason to build a web application that makes my life easier, so I built a simple web-based user interface called the “Enom DNSSEC Tool” that constructs the API call URLs for adding, deleting, and reviewing the DNSSEC records for Enom-registered domains, and uploaded it to GitHub.
I suspect it’s only a matter of time before Enom has their own UI for enabling DNSSEC, but until they do, feel free to download the Enom DNSSEC Tool on GitHub. If you have a reseller account at Enom and want to enable DNSSEC for a domain–or thirty–it will make the job much easier. Be sure to review the README on GitHub, which lists the requirements for using the Tool and the security issues related to its use.
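The URL format shown above carries the reseller login and password in the query string, so any script that builds these calls for many domains needs to URL-encode every value and keep the credentials out of its logs. The following is an added example, not code from the Enom DNSSEC Tool: the function names are hypothetical, and "paramname"/"nextparamname" are the post's own placeholders, not real Enom parameter names.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

ENDPOINT = "https://reseller.enom.com/interface.asp"  # endpoint shown in the post
SECRET_KEYS = {"uid", "pw"}  # credential parameters shown in the post


def build_call(command, uid, pw, params):
    """Return the API call URL; urlencode() escapes every name and value."""
    query = [("command", command), ("uid", uid), ("pw", pw)]
    for name, value in params.items():
        # Refuse caller-supplied pairs that would shadow the fixed ones.
        if name.lower() in SECRET_KEYS | {"command"}:
            raise ValueError(f"reserved parameter name: {name}")
        query.append((name, str(value)))
    return ENDPOINT + "?" + urlencode(query)


def redact(url):
    """Return a copy of the URL that is safe to log: uid and pw are masked."""
    parts = urlsplit(url)
    pairs = [(k, "***" if k.lower() in SECRET_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="*")))


def build_batch(command, uid, pw, per_domain_params):
    """Build one call URL per domain; returns {domain: url}."""
    return {domain: build_call(command, uid, pw, params)
            for domain, params in per_domain_params.items()}


if __name__ == "__main__":
    # Constructed sample input. The parameter names are the post's
    # placeholders; substitute the names from Enom's API documentation.
    sample = {
        "example.com": {"paramname": "value one", "nextparamname": "a&b=c"},
        "example.org": {"paramname": "value two", "nextparamname": "12345"},
    }
    urls = build_batch("AddDnsSec", "yourloginid", "p@ss&word", sample)
    for domain, url in urls.items():
        print(domain, redact(url))  # log only the redacted form
```

The unredacted URL still ends up wherever the request is sent or pasted (browser history, proxy and server logs), so treat it as a secret in its own right.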