DNS Service


Red.es is responsible for the Assignment Authority of the geographic top level domain ‘.es’ (hereinafter ccTLD, ‘country code Top Level Domain’), as well as the second level extensions ‘.com.es’, ‘.nom.es’, ‘.edu.es’, ‘.gob.es’ and ‘.org.es’.

The acronym DNS stands for “Domain Name System”, one of the most used protocols on the internet and on any IP network in general. One of its main functions is to provide the IP addresses that correspond to DNS names. For example, when a user types www.dominios.es into their web browser, a DNS query is made transparently to find the corresponding IP address; this resolution step is necessary because communication always takes place between IP addresses.


1)    INTRODUCTION

 

What is the architecture and operation of the DNS protocol?

The public DNS is hierarchical and distributed. The authoritative servers of each zone hold the detailed data of their own zone plus the list of authoritative NS (name servers) for each of its subdomains; these NS lists handed down to the subdomains are called delegations. In a simplified picture of the internet’s DNS tree, the root zone “.” delegates to the top level domains (such as “.es”), which in turn delegate to the domains registered beneath them (such as “dominios.es”), and so on down the tree.

Users generally have two DNS servers configured, a primary and a secondary; the secondary is only used if the primary fails or is unreachable. These servers are called “resolvers”. They give non-authoritative answers and keep them in cache for the TTL (Time To Live) of each record, or according to locally defined policies. If the answer to a client query is not in cache, they resolve iteratively: first they query the root servers, then the servers of the top level domain (e.g. “.es”) that the root referred them to, and so on down the DNS tree until an authoritative server of the queried domain provides the answer. The resolver then caches that answer for its TTL and returns it to the client.

There are several software implementations of DNS servers. The most common in TLD environments are BIND, Knot DNS and NSD.

 

Why is DNS so important as an essential service?

Since most access to applications starts with a DNS lookup, the DNS service is clearly vital. For example, even if a website is fully operational, if its name does not resolve it will be unreachable for users.

The root zone “.” is the most important of all. If every authoritative server of the root failed, then once cached data expired no resolver could obtain the NS delegations of the top level domains, and nothing beneath them would resolve. A failure of all the DNS servers of a zone such as “.es” would affect every name under “.es”, and so on: the higher the failure sits in the hierarchy, the greater its potential impact, and only the TTL of the data already cached in resolvers delays that impact.
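The iterative walk of the tree described in the previous section and the role of the cache TTL when a whole zone fails, as an added example in Python that is not Red.es software: a toy resolver that follows delegations from the root down and serves cached answers until they expire. All zone data, names and addresses are constructed (documentation values from RFC 2606 and RFC 5737); the real .es servers are not modelled, and each zone is treated as a single reachable or unreachable unit.

```python
"""Toy iterative resolver with a TTL cache (added example, not Red.es code).
Zone data below is constructed: 'dominios.es' and 203.0.113.10 are documentation values."""
from dataclasses import dataclass, field

# Constructed authoritative data, one entry per zone. 'delegations' are the child zones
# the zone refers resolvers to (the NS delegations); 'records' are final answers that
# only this zone's servers hold: fully qualified name -> (IPv4 address, TTL in seconds).
ZONES = {
    ".":            {"delegations": ["es."],          "records": {}},
    "es.":          {"delegations": ["dominios.es."], "records": {}},
    "dominios.es.": {"delegations": [],               "records": {"www.dominios.es.": ("203.0.113.10", 300)}},
}


class ServFail(Exception):
    """All authoritative servers of a zone on the resolution path are unreachable."""


@dataclass
class Resolver:
    """Non-authoritative caching resolver. 'down' simulates zones whose servers have all failed."""
    down: set = field(default_factory=set)
    cache: dict = field(default_factory=dict)   # name -> (address, expiry on the simulated clock)

    def resolve(self, name, now):
        """Return (address, source); 'now' is a simulated clock in seconds."""
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"          # non-authoritative answer, still within its TTL
        self.cache.pop(name, None)          # expired (or absent): resolve iteratively from the root
        zone = "."
        while True:
            if zone in self.down:
                raise ServFail(f"no reachable authoritative server for zone {zone!r}")
            zdata = ZONES[zone]
            if name in zdata["records"]:
                addr, ttl = zdata["records"][name]
                self.cache[name] = (addr, now + ttl)
                return addr, "authoritative"
            # Referral: follow the delegation whose zone name is a suffix of the queried name.
            child = next((c for c in zdata["delegations"] if name == c or name.endswith("." + c)), None)
            if child is None:
                raise LookupError(f"NXDOMAIN: {name}")
            zone = child


def nxdomain(name):
    """True when the name falls under no delegation at all (the tree has no such branch)."""
    try:
        Resolver().resolve(name, now=0)
        return False
    except LookupError:
        return True


def outage_demo():
    """Query before, during (cache still valid) and after (cache expired) an outage of every .es server."""
    r = Resolver()
    before = r.resolve("www.dominios.es.", now=0)       # walks . -> es. -> dominios.es.
    r.down.add("es.")                                    # every server of the .es zone goes down
    during = r.resolve("www.dominios.es.", now=100)     # TTL 300 not yet over: served from cache
    try:
        after = r.resolve("www.dominios.es.", now=400)   # cache expired: the outage is now visible
    except ServFail:
        after = "SERVFAIL"
    return before, during, after


if __name__ == "__main__":
    print(outage_demo())
```

The third query shows the point of the paragraph above: an outage one level up the tree is invisible to clients only for as long as resolvers still hold the answer in cache, after which everything beneath the failed zone stops resolving.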

The European NIS2 Directive (Network and Information Security) lists the DNS service offered by TLDs as an essential service of the internet, and establishes a series of mandatory and recommended requirements (Directive (EU) 2022/2555, EUR-Lex).

 

PDF: DNS Related Terms Guide (76 KB)

 

2)    ANYCAST

 

What is the Anycast architecture of Red.es?

With the aim of providing robustness, security and trustworthiness to the DNS environment of the ccTLD “.es”, four NS (name servers) are deployed; they are the ones listed for “.es” in the IANA root zone database (https://www.iana.org/domains/root/db/es).

In turn, each of these NS is composed of several nodes that serve clients transparently: from the internet only one IPv4 and one IPv6 address is visible for each NS, but behind them several servers may be answering DNS queries.

In the case of a.nic.es, a traffic balancer distributes requests across two servers. At present a.nic.es is served in unicast mode; Red.es is working to serve it in anycast in the future, increasing the resilience and high availability of the Registry’s DNS infrastructure.

The other three NS are IP anycast addresses announced on the internet by three different DNS anycast service providers. Each of these addresses is announced from different regions of the planet, with several nodes per region. The three providers together have over 120 nodes, covering all continents.

 

This type of architecture has three main advantages:

- High resilience if some of the nodes fail: when a node stops announcing its prefix, BGP routes its traffic to the remaining nodes.

- Better response times: traffic reaches the node that is closest in terms of BGP routing, which translates into lower latency.

- Protection against denial of service attacks (DoS): because the service is so spread out, it is very difficult to attack it as a whole. An individual node can still be saturated, which is why per-node rate limits and traffic scrubbing remain necessary.

 

As for protection against DoS attacks, each external provider has its own mechanisms, such as diverting traffic to scrubbing centres where it is cleaned, and rate limiting configured in the DNS servers themselves. For the nodes hosted by Red.es, anti-DoS mitigation has been contracted from the internet operators, rate limiting is implemented in the DNS servers, and the SOC detects traffic anomalies from the information gathered by network probes.
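The rate limiting mentioned in the paragraph above, as an added example in Python that is not Red.es configuration or code: a simplified model of response rate limiting (RRL) in the style of the rate-limit option of BIND, which counts responses per client prefix and per question and, once a bucket has used its per-second budget, alternates between dropping the response and sending a truncated (TC=1) reply. The budget, the slip value, the /24 and /56 prefix lengths and the client addresses (RFC 5737 and RFC 3849 documentation ranges) are assumptions, and the model leaves out the window, leak and log-only details of a real implementation.

```python
"""Simplified response rate limiting (RRL) for an authoritative server.
Added example, not Red.es code or configuration; every parameter below is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


class ResponseRateLimiter:
    """Per-second budget of identical responses per client prefix (IPv4 /24, IPv6 /56 by default).

    Why prefixes rather than single addresses: the source of a reflection attack is spoofed, so
    the limiter must bound what a whole network receives, not just one address.
    Why 'truncate' instead of always dropping: a TC=1 reply lets a legitimate client retry over
    TCP (which cannot be spoofed), while a reflection victim receives only a tiny packet.
    """

    def __init__(self, responses_per_second, slip=2, ipv4_prefix=24, ipv6_prefix=56):
        self.limit = responses_per_second
        self.slip = slip                    # every slip-th limited response is truncated, the rest dropped
        self.prefix_len = {4: ipv4_prefix, 6: ipv6_prefix}
        self.sent = defaultdict(int)        # (bucket, second) -> responses already sent
        self.limited = defaultdict(int)     # bucket -> responses rate-limited so far

    def bucket(self, client_ip, qname, qtype):
        """Responses are grouped by client prefix plus the question they answer."""
        addr = ip_address(client_ip)
        net = ip_network(f"{addr}/{self.prefix_len[addr.version]}", strict=False)
        return (str(net), qname.lower(), qtype.upper())

    def decide(self, client_ip, qname, qtype, now):
        """Return 'answer', 'truncate' or 'drop' for one response at simulated time 'now' (seconds)."""
        key = self.bucket(client_ip, qname, qtype)
        if self.sent[(key, int(now))] < self.limit:
            self.sent[(key, int(now))] += 1
            return "answer"
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "truncate"
        return "drop"


def flood_demo(queries=30, limit=5):
    """Constructed flood: 30 identical 'es. ANY' queries from one source within one second,
    followed by one query from an unrelated /24 in the same second (which must still be answered)."""
    rrl = ResponseRateLimiter(limit)
    tally = defaultdict(int)
    for i in range(queries):
        tally[rrl.decide("192.0.2.7", "es.", "ANY", now=i / queries)] += 1
    other = rrl.decide("198.51.100.9", "es.", "ANY", now=0.5)
    return dict(tally), other


if __name__ == "__main__":
    print(flood_demo())
```

With a budget of 5 responses per second, the flood gets 5 full answers, 12 truncated replies and 13 dropped packets, while the unrelated client in another /24 is unaffected: the limiter caps the amplification a spoofed source can obtain without denying service to everyone else.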

Coverage maps from two of the anycast providers give an idea of the global reach of the DNS service: PCH (https://www.pch.net/services/anycast) and the DENIC anycast nodes.

 

The software used on Red.es’ own servers is BIND. The anycast providers run at least BIND and Knot DNS on their nodes, so the software serving the zone is diversified: a bug or vulnerability in one implementation cannot take down every server of “.es” at once.

 

3)    DNSSEC

 

Benefits

DNSSEC provides:

- data origin authentication

- data integrity

- authenticated denial of existence (“proof of non-existence of data”)

 

The first two are achieved with RRSIG records, signatures generated with the ZSK (Zone Signing Key). The third is achieved with NSEC or NSEC3 records, which are themselves signed. DNSSEC does not provide confidentiality: queries and answers still travel in clear, and the signatures only allow a validating resolver to detect forged or altered data.

In turn, there is a second key, the KSK (Key Signing Key), which signs the DNSKEY RRset containing the ZSK. To establish the chain of trust, a hash of the KSK is generated, called the DS (Delegation Signer) record, and published in the parent zone; for “.es” that is the root zone managed by IANA.

 

Key rollover

Keys are rotated periodically (key rollover):

- ZSK. Rotated more often. Because the ZSK signs every RRset in the zone, a shorter (less strong) key is typically chosen for signing performance, and its shorter lifetime compensates for that. The Registry performs this rollover autonomously, since only the zone’s own DNSKEY RRset changes.

- KSK. A stronger key is used, so its rotation period can be longer (2 years). Rolling it requires publishing the new DS record in the root zone through IANA and deleting the old one afterwards. The old DS must stay published until the new one has propagated (parent zone TTL plus resolver caches); removing it earlier makes validating resolvers treat the zone as bogus.

 

The orchestration of the whole DNSSEC signing process is done with the OpenDNSSEC software, which is linked to a high-performance cryptographic hardware module (HSM Luna 7) where the keys are stored and the RRSIG signatures are generated. OpenDNSSEC monitors the lifetime of the signatures generated for the different RRsets and generates new signatures (RRSIG) before the old ones expire. An RRSIG record is valid for a set period only. For example, with dig we can send an NS query for the domain “.es” to Google’s public recursive DNS (resolver) at 8.8.8.8, adding the ‘+dnssec’ option so that the RRSIG record is returned as well: ‘dig @8.8.8.8 es NS +dnssec’. Besides the signature itself, that record carries the inception and expiration dates and the key tag (identifier) of the key that produced the signature.

[dig output figure not reproduced]

How is the DNSSEC validated?

If a domain is signed, resolvers can validate its signatures thanks to the chain of trust: each parent zone publishes the DS record of its signed child and signs that DS with its own keys, and this goes all the way up to the root, whose KSK is the trust anchor configured in every validating resolver. In the dig output, the “ad” (Authentic Data) flag in the header means that the resolver validated the whole chain. That flag is only an assertion by the resolver: a client should rely on it only when the path to the resolver is itself protected (RFC 4035, section 4.9.3), since otherwise an attacker on the path can simply set the bit.
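The chain of trust described above, together with the key tag and validity dates of the RRSIG record and the double-DS KSK rollover from the previous section, as an added example in Python that is not Red.es or OpenDNSSEC code. It implements the DNSKEY key tag (RFC 4034, Appendix B, for algorithms other than 1), the DS digest (RFC 4034 section 5.1.4, digest type 2 = SHA-256) and a check of the RRSIG validity window, then shows which KSKs a parent DS set trusts before, during and after a rollover. The key bytes are constructed placeholders, not real .es keys, and no signature verification is performed (that needs the ECDSA or RSA code of a real validator).

```python
"""DNSSEC chain-of-trust building blocks (added example, not Red.es or OpenDNSSEC code).
Key material below is constructed and is NOT the real .es key set."""
import hashlib
from datetime import datetime, timezone

KSK_FLAGS, ZSK_FLAGS = 257, 256          # 257 = ZONE + SEP bit, the flags of a KSK
SHA256_DIGEST_TYPE = 2
RRSIG_TIME_FORMAT = "%Y%m%d%H%M%S"       # the inception/expiration format dig prints in RRSIG records


def wire_name(name):
    """Owner name in wire format: length-prefixed labels ending with a zero byte ('es.' -> b'\\x02es\\x00')."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the 'key identifier' carried in RRSIG and DS records."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest (type 2): SHA-256 over owner name in wire format || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def make_ds(owner, key):
    """The DS record a parent publishes for a child's KSK: (key tag, algorithm, digest type, digest)."""
    flags, algorithm, public_key = key
    rdata = dnskey_rdata(flags, algorithm, public_key)
    return (key_tag(rdata), algorithm, SHA256_DIGEST_TYPE, ds_digest(owner, rdata))


def trusted_ksks(child, child_dnskeys, parent_ds_set):
    """Key tags of the child's KSKs whose DS is present in the parent: only they can anchor the
    child's DNSKEY RRset. A zone whose DS set matches none of its KSKs fails validation (bogus)."""
    return [make_ds(child, k)[0] for k in child_dnskeys
            if k[0] == KSK_FLAGS and make_ds(child, k) in parent_ds_set]


def rrsig_is_current(inception, expiration, now):
    """All three as YYYYMMDDHHmmSS in UTC; outside this window the signature is invalid."""
    start, end, at = (datetime.strptime(t, RRSIG_TIME_FORMAT).replace(tzinfo=timezone.utc)
                      for t in (inception, expiration, now))
    return start <= at <= end


def utcnow_string():
    """Current time in RRSIG format, for checking live records."""
    return datetime.now(timezone.utc).strftime(RRSIG_TIME_FORMAT)


# Constructed keys, algorithm 13 (ECDSAP256SHA256); the byte strings are placeholders, not real keys.
OLD_KSK = (KSK_FLAGS, 13, bytes([1, 2, 3, 4]))
NEW_KSK = (KSK_FLAGS, 13, bytes(range(32)))
ZSK = (ZSK_FLAGS, 13, bytes(range(32, 64)))


def ksk_rollover_demo():
    """Which KSKs the parent trusts before, during and after a double-DS rollover of 'es'."""
    keys = [OLD_KSK, NEW_KSK, ZSK]               # the child's DNSKEY RRset with both KSKs published
    before = {make_ds("es", OLD_KSK)}
    during = before | {make_ds("es", NEW_KSK)}   # both DS published: either KSK validates
    after = {make_ds("es", NEW_KSK)}             # old DS removed only once the new one has propagated
    return (trusted_ksks("es", keys, before),
            trusted_ksks("es", keys, during),
            trusted_ksks("es", keys, after))


if __name__ == "__main__":
    print(ksk_rollover_demo())
```

Because the DS digest covers the owner name as well as the key, the same DNSKEY published under a different name yields a different DS, which is why a delegation cannot be reused across zones; and the rollover demo makes explicit the ordering rule from the previous section: the parent must carry both DS records for as long as either KSK may still be the one resolvers see.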

There are also graphical tools such as “dnsviz” which help check the health and consistency of the different DNSSEC parameters of a domain in a straightforward way (for example https://dnsviz.net/d/es/dnssec/ to check the domain “.es”).

4)    DNSSEC Service Configuration

  

To learn more about DNSSEC, please read the following documents:

DNSSEC FAQ

Instruction on implementing the DNSSEC Security Protocol Service for “.es” domain names [SPANISH]

DNSSEC Policy and Practice Statement for the “.es” zone

 

PDF: DNS Information Guide (277 KB)

 

5)    IPV6

 

The letters IP stand for Internet Protocol, the set of rules that devices (computers, mobile phones, routers, etc.) use to communicate across a network.

IPv6 is version 6 of the Internet Protocol and the successor to IPv4. Its main advantage is a vastly larger address space (128-bit addresses instead of 32-bit), among other improvements over IPv4.

Find out more about IPv6 in the FAQ manual and the other useful links:

PDF: Frequently asked questions about IPv6 (98 KB)

 

 

Useful links:

IPv6: Enabling the Information Society [ENG]
Action Plan for the deployment of Internet Protocol version 6 (IPv6) in Europe [ENG]
IPv6 Deployment Guide (Red Iris) [SPANISH]
Taking the Lead on IPv6 [ENG]
IPv6 Forum [ENG]
Looking glass (Red Iris) [ENG]
Internet Society [ENG]
Check your IPv6 connectivity [SPANISH]
6 Deploy [ENG]