The .CZ zone is now generated and signed by Knot DNS
2021-05-04 08:05
The CZ.NIC Association, the Czech national domain administrator, has changed the system that generates the .CZ zone and signs it with DNSSEC. Since last week, these processes have been handled by the Knot DNS authoritative server, which replaced our BIND DNS daemon and the special signing scripts developed in-house. Generating and signing is now built upon a new core: more powerful, more secure and, thanks to Knot DNS being developed in CZ.NIC Labs, also more flexible for future upgrades. The main changes are on the hidden master servers, where the generating and signing happens.
"We decided to transition to the new system to boost the quality of the entire process of generating and signing the zone, specifically when it comes to its speed and security. To make it happen, we, obviously, used our own Knot DNS server. Knot DNS is one of the fastest authoritative DNS servers that can also facilitate signing using DNSSEC technology," says Zdeněk Brůna, the Association's CTO, who has also commented on the whole process in a blog post (Czech only). "It was a very challenging change that required thorough preparation in both test and production environments and consisted of multiple phases. The implementation of Knot DNS was successfully completed in the last week of April while the DNS traffic was not compromised at all."
The authoritative DNS server Knot DNS has been developed in CZ.NIC Labs since 2011 and is also used for the infrastructure of other national domains, not only the Czech one. You can find more information about Knot DNS on the project's website.