IE Domain Registry t/a .IE

Internet security and standards We adhere to RFCs which document the official Internet specifications, communications protocols and procedures published by the Internet Engineering Task Force (IETF), an open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. Internationally, hackers and bad actors launch attacks which attempt to use the DNS to infiltrate or incapacitate corporate networks and government infrastructure. In addition to Anycast, referred to below, our national .ie registry system supports Two Factor Authentication (2FA), Registry Lock and Domain Name System Security Extensions (DNSSEC) which helps reduce the risk to our .ie customers. DNS Security Extensions (DNSSEC) – is important because it strengthens authentication in DNS using digital signatures based on public key cryptography. In order for DNS servers to verify that the information they receive about .ie domains is reliable, we use DNSSEC. It creates a chain of trust within the DNS infrastructure that guarantees that the response you receive has not been tampered with in any way. This provides an extra layer of trust for domain holders and their customers. If the chain of trust is broken, your browser will notify you with a pop-up warning. From a technical perspective, DNSSEC works by digitally signing records for DNS lookups, using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which is the trusted third party. Registry Lock – To protect domain holders from any unintended or unwanted changes to their account details, such as changing the name of the domain holder, we offer the Registry Lock service. The service ensures that any required modifications to domain details are controlled and managed through a manual authorisation process, using pre-set user- specific pass phrases. The .ie Domain Name System (DNS) infrastructure explained The Domain Name System (DNS) infrastructure for .ie includes a network of nameserver locations around the globe, illustrated in Chart 1 on page 25. The lookup or resolution service for .ie domain queries is performed at all nameserver locations. A critical component of this nameserver infrastructure is the use of ‘Anycast’ load balancing technology provided to us by the secondary nameserver service providers. This ‘Anycast’ facility protects against a Denial of Service attack (DDoS attack) by allowing the geographical distribution of .ie domain lookup requests to any available DNS resolver for redundancy. This effectively localises the potential adverse effects of the DDoS attack, by preventing it spreading across the entire network. For the .ie namespace, this means increased system efficiency, faster response times, reduced potential for outages, and increased resilience against deliberate or malicious attacks. It is important to note that even if our physical locations, staff and primary nameserver were wiped out (an unlikely scenario) and no action was taken to invoke emergency plans (an even more unlikely scenario), then service to .ie domains would continue for a minimum of 30 days without any intervention. Obviously, new registrations, changes and deletions would not take place but crucially, existing domain holders’ websites and email would continue to function normally during this time, using the secondary nameserver locations around the world. Business and Market Review IE Domain Registry CLG t/a .IE / Annual Report & Review 2020 24