October Update

Lavinia Pop

October Update

HDD migration at SSD

To obtain the best results for the functionallity of the services the we offer we try constantly to introduce the latest software and hardware technology for our future Hostico customers and also for the existing ones. That is the reason why we decided to migrate all of the common hosting servers from storage with mechanical devices (SATA III) to those with the SSD (Solid-State Drive) type. In this moment the migration to SSD was finalized for more than 50% of the hosting equipment and the rest of it are in migration process. The operation leads to a short time for response for all the services that we offer and also a large capacity of supporting your application needs.

Kernel Care

For eliminate the required maintenance operations for the kernel Linux updating, we anounce the instalation of KernelCare aplication. Thanks to the type of functioning the GNU/Linux operating systems, their kernel is upload automatic when the equipement is started and the update needs the equipement to be restarted. This update brings the interruption of the services that we offer during server restarts. This type of mentenance operations are undesirable but ignoring them can lead to serious security vulnerabilities with serious consequences on long term. The problem is that these updates are published frequently and interrupting constantly these services is not a viable option.

Hostico technical team choose for the installation of KernelCare, application that processes the updates automatically without the need of restarting the equipment and this way eliminating completly the related interruptions. The updates on kernel are inserted by KernelCare in a special way that do not affect the functionality or the server performance, practically being unnoticeable.

DNSsec

Hostico team is always searching for innovative ways of services improvements. Improving services is not limited only to optimization for reducing the response time of an application, the loading time of websites or more efficient communication with the customers but it also refers to a better security and it has the purpose to limit as much as possible the eventually damages.

In this case we have the great pleasure, as we had it before for another services, to introduce for the first time in Romania for a services hosting provider, the DNS zones signed as DNSSEC.

To understand what DNSSEC means for our less tehnical customers we will make a summary of the way that DNS works and also the protection offered by DNSSEC.

DNS

As humans, it is easier for us to remember names than numbers, but the computers works with numbers. So what we try to visit on the internet using the name (hostico.net) it will be transformed by computers in numbers, in this case named IP (77.81.1.1). This transformation is made by using DNS (Domain Name System).
Getting this IP is done in several ways, as shown below:

  • 1. After typing the name in the web browser, if this website has not been accessed recently and the IP is not in the cache of the computer then it will query DNS servers set by the internet connection. Usually are those set by the internet service provider.
  • 2. If the DNS does not have the IP stored than it will query ROOT nameservers. ROOT nameservers are the servers that do not contain the IP DNS servers for the internet extensions accesed (.ro.net , .org , etc.). They will answer our query DNS with DNS server IP address from which we can obtain more information on the specific servers accessed ROTLD in this case .
  • 3. ROTLD servers will respond as to obtain the requested information domain name servers to query one of hostico.ro as like ns1.hostico.ro , ns2.hostico.ro , ns3.hostico.ro or ns4.hostico.ro .
  • 4. At the Hostico nameservers query , the provider’s DNS servers will recieve the hostico.ro alocated IP and it will provide it further to our computer for acces.
Security issue

Although it is difficult, an attacker could appear in the communication line above the beginning of the process of obtaining IP and instead of IP address assigned to the website to respond with an IP that it has under control. So you can reach another website possible identical to the website you wish to visit and it could store all confidential information sent( username, password , etc. ).

DNSSEC
  • DNSSEC prevents IP falsification by by applying signatures on DNS zone si publishing it in DNS zone and also in TLD zone. For signing DNS zone are used severals key types:
  • ZSK (Zone Signing Key) – The key wich sign the records form a DNS zone.
  • KSK (Key Signing Key) – The key wich sign the ZSK

After applying these two keys on the DNS zone the next step is the signing procedure which involves a file that is generated amounts to be forwarded to the registrar community. These values ??are displayed by cPanel plugin DNSSEC and are Digest Type, Digest , Key Tag Algorithm and they must be entered in the control areas.
Dns zone being sign DNSSEC at the reception of IP the DNS customer can check if this record is signed as registered or assigned the domain so it can determine the validity of data received.

To introduce DNSSEC signature in the register will be added both registrations submitted by cPanel plugin DNSSEC in the order they appear.
Registration 1 - Digest Type , Digest, Key Tag, Algorithm
Registration 2 - Digest Type , Digest, Key Tag, Algorithm

Later that domain signature verification can be checked by accessing the area http://dnssec-debugger.verisignlabs.com/nume-domeniu , ex : http://dnssec-debugger.verisignlabs.com/hostico.net. All the fields must be green for the signing of DNSSEC to work properly.

For the moment,ROTLD registrar does not accept the using of DNSSEC extension for .ro domains, but it is implemented for the most popular extensions: .com , .net , .org , .biz , .info , etc. All DNS zones hosted by Hostico are signed DNSSEC but for finalizing the procedura, the signatures values must be completed in the control panel of domains offered by registrars , of course in case that the extension and the registrar supports DNSSEC.

Comments

Published on October-28-2015