Signing the gov.au zone

Matt Goonan

The gov.au zone was signed by the .au registry operator on 2 April 2019.

Signing the gov.au zone is a small but important step towards helping owners of gov.au domains protect their users against domain spoofing and cache poisoning attacks on gov.au domains.

Defending the Domain Name System

The Domain Name System (DNS) is one of the world’s largest distributed databases, mapping human-friendly names (for example, www.australia.gov.au) to IP addresses (for example, 151.101.54.217).

Every online interaction a citizen performs with government – from logging in to myGov, to checking the local transit authority’s bus timetable or paying car registration – relies on those mappings being correct and authoritative.

The original implementation of the DNS in 1983 was not built with security in mind.

Domain Name System Security Extensions (DNSSEC) use well-known public key cryptography techniques to enable authoritative DNS servers to provide signed DNS data in response to DNS queries.

DNSSEC was developed to combat attacks in which an attacker causes incorrect answers to DNS queries to be stored in the cache of resolvers or devices, in turn causing those devices, or any devices configured to use those resolvers, to connect to the wrong websites or Internet services (for example, delivering an email to a destination mail server belonging to the attacker).

[Figure: A workflow showing how DNS spoofing works. It shows both a client and an attacker accessing the DNS. The client issues a request to a real website, while the attacker injects a fake DNS entry. The DNS then directs traffic to either a fake website in the case of a fake DNS entry, or a real website. Source: Incapsula (CC-BY), https://www.incapsula.com/web-application-security/dnssec.html]

Extending the Chain of Trust

As governments in all Australian jurisdictions continue to invest in the delivery of services over digital channels, the security of the foundational layers of our digital infrastructure warrants further inspection and scrutiny. As registrar for the gov.au domain space, it is our role to facilitate changes to the registry that will enable agencies to implement DNSSEC if they so choose.

The signing of the gov.au zone has provided a trusted link in the chain for DNS queries between .au and third-level gov.au domains (for example, ato.gov.au, my.gov.au). This is a key step in helping agencies meet Criteria 5 in the Digital Service Standard which says that agencies should put the most appropriate security measures in place for the services they’re operating.

You can observe a detailed visualisation of this chain of trust using the DNSviz tool applied to dnstest.gov.au.
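The link between .au and gov.au described above is a DS record in the parent zone that carries a hash of the child's key-signing DNSKEY; a validating resolver recomputes that hash from the child's published DNSKEY and refuses the child's keys if it does not match. The following Python is an added illustration, not code from the DTA, auDA or the .au registry: it implements the key tag and DS digest calculations from RFC 4034 and checks whether a DS record identifies a given DNSKEY. The key bytes it uses are constructed placeholders, not a real gov.au key.

```python
"""Check that a parent's DS record matches a child's DNSKEY (added example).

The DS digest is hash(canonical owner name in wire form || DNSKEY RDATA),
RFC 4034 section 5.1.4; the key tag is RFC 4034 Appendix B.
All key material here is constructed for illustration and is NOT a real key.
"""
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, each
    prefixed by its length, terminated by the zero-length root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b""
    for label in labels:
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1):
    sum the RDATA as 16-bit big-endian words, fold the carry, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Upper-case hex DS digest over canonical owner name + DNSKEY RDATA."""
    h = DIGEST_TYPES[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the (key tag, algorithm, digest type, digest) tuple a parent would publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey) -> bool:
    """True when the parent's DS identifies this DNSKEY: same tag, same
    algorithm and the recomputed digest equals the published one."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (tag == key_tag(rdata)
            and alg == algorithm
            and digest.upper() == ds_digest(owner, rdata, dtype))


if __name__ == "__main__":
    # Constructed placeholder: 64 bytes standing in for an ECDSA P-256
    # public key (algorithm 13), flags 257 = zone key + SEP (a KSK).
    owner = "gov.au."
    fake_pubkey = bytes(range(64))
    ds = make_ds(owner, 257, 3, 13, fake_pubkey)
    print(f"{owner} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    print("matches published key:",
          ds_matches_dnskey(ds, owner, 257, 3, 13, fake_pubkey))
    print("matches altered key:  ",
          ds_matches_dnskey(ds, owner, 257, 3, 13, fake_pubkey[:-1] + b"\x00"))
```

The DS check is only the first hop: once the DNSKEY is accepted, the resolver still has to verify the RRSIG signatures over each answer with that key, which this example does not attempt. The owner name is lower-cased before hashing because the digest is defined over the canonical form, so a DS computed for `GOV.AU.` and `gov.au` must agree.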

Piloting DNSSEC

DNSSEC is a well-established technology, operating for more than 10 years. However, we want to make sure everything works smoothly when we implement DNSSEC in the gov.au space. In coming weeks, we will be working with several Australian Government agencies to pilot DNSSEC on real-world gov.au domains. We will share the results of that pilot once it concludes. 

Enabling Cybersecurity Uplift

We are working closely with the Australian Cyber Security Centre (ACSC), .au Domain Administration (auDA), the Department of Communications and the Arts (DoCA) and Afilias (the .au registry operator) to deploy DNSSEC, in accordance with our DNSSEC Practices Statement (DPS), with agencies who choose to adopt it.

If you are a gov.au registrant considering a deployment of DNSSEC on your domain, you should first confirm that your DNS service provider supports it.

Matt Goonan is the Chief Technology Officer at the DTA.