RIPE Labs measures DNS transfer size
Posted by Graveline in Uncategorized on February 8, 2010
RIPE Labs has reported the initial results from an effort to measure DNS transfer size, to determine whether larger DNSSEC responses would pose problems once the K-root begins to provide DNSSEC responses to requesting resolvers, and whether the larger responses would reach the resolvers. From the article: “The good news is that the vast majority of measurements yield transfer sizes that will fit current DNSSEC answers from root name servers,” although “some resolvers that could experience time-outs and delays due to misconfigurations and middleware.”
Visual inventories track U.S., Sweden deployment
Posted by Graveline in Uncategorized on February 8, 2010
As DNSSEC deployment rolls out in government domains in the U.S. and elsewhere, we’re seeing more lists that visually display the status of deployment within a top-level domain. Here are some recent examples:
- From the U.S. .GOV TLD: Using a list of domain names taken from the web sites catalogued in the USA.gov website, Initiative partner Scott Rose of the U.S. National Institute of Standards and Technology wrote a script that checked which of those domains had a secure link from .GOV. The results, shown here, note that the “U.S. Federal Government maintains some domain names outside of the .gov gTLD. Likewise, there are state, local, and sovereign nation delegations found in .gov that are not required to deploy DNSSEC, but may deploy voluntarily.” Signed U.S. state domains include Vermont’s vermont.gov, vermonttreasurer.gov, and healthvermont.gov, the state’s health department; Idaho’s idaho.gov and idahobyways.gov from the state’s transportation department; Louisiana’s lacoast.gov, from the Louisiana Coastal Wetlands Conservation and Restoration Task Force; the Tennessee Valley Authority’s tva.gov; Utah Fire Info, a federal-state partnership; and Virginia.gov.
- From Sweden: Two separate pages display DNSSEC deployment progress among municipal domains and in public sector agencies there, with hundreds of sites listed.
DNSSEC overhead examined
Posted by Graveline in Uncategorized on February 3, 2010
Cricket Liu of Infoblox has posted a second article in his series on DNSSEC overhead. He notes:
…I’ve recommended that organizations deploying DNSSEC watch the CPU load on their recursive name servers carefully: As the proportion of responses that are signed increases, so will the load on their recursors. Ultimately, though, the ever-increasing speed of processors and networks will trump the burden DNSSEC adds. Years from now – assuming DNSSEC becomes widely deployed – we’ll look back at our concerns about the overhead of DNSSEC and chuckle. I hope.
Deployment watch: SWITCH turns on DNSSEC at Domain Pulse meeting
Posted by Graveline in Uncategorized on February 3, 2010
Circle ID reports that SWITCH, the registry for Switzerland’s .CH and .LI, enabled DNSSEC yesterday at the Domain Pulse conference in Luzern. From the article:
SWITCH became the third ccTLD registry to enable DNSSEC giving registrants of .CH domain names added security following .SE (Sweden) and .CZ (Czech Republic)…. At the Domain Pulse conference, Urs Eppenberger of SWITCH and Marc Furrer of the Swiss Federal Communications Commission (ComCom) enabled DNSSEC…. “I am particularly proud of the fact that Switzerland is one of the first countries in Europe to introduce DNSSEC. This now guarantees security in the internet” said a delighted Marc Furrer, President of ComCom, in a statement.
Speakers added to DNSSEC FOSE program
Posted by Graveline in Uncategorized on February 2, 2010
New speakers have been added to the Initiative’s daylong session What’s Next in DNSSEC at the FOSE conference and expo in March in Washington, DC. New speakers include representatives from Afilias, BlueCat Networks, Data Mountain Solutions, F5 Networks, Nominum, Secure64 and Xelerance.
Preview: DNSSEC workshop at ICANN Nairobi meeting
Posted by Graveline in Uncategorized on February 1, 2010
ICANN’s Security and Stability Advisory Committee will convene a DNSSEC workshop at the Nairobi meeting on Wednesday, March 10, from 9:00 am to 12 noon. The program, intended for “anyone with an interest in the deployment of DNSSEC, especially registry and registrar representatives from technical, operational, and strategic planning roles,” is still in development. Thus far, updates are expected on these topics:
- Implementation of DNSSEC at the Root
- Operational issues with DNSSEC, including technical presentations on transfers and key rollovers
- Adoption Issues, including experience with hurdles and incentives
- Activities from the region
- Extending DNSSEC deployment
To register or learn more about the ICANN Nairobi meeting, go here.
AFNIC urges readiness for a signed root
Posted by Graveline in Uncategorized on January 29, 2010
AFNIC, the registry of the database of .fr (France) and .re (Reunion Island) Internet domain names, has issued this announcement to network administrators, inviting them to prepare for the advent of DNSSEC deployment at the root and offering preparation steps, links to resources and more.
Deployment watch: Nominet to sign .UK March 1
Posted by Graveline in Uncategorized on January 28, 2010
Nominet, the Internet registry for .UK domain names, has announced it will implement DNSSEC in zones it manages, beginning March 1, 2010 with the .UK top-level domain. The announcement notes:
With the signing of the root so close (scheduled for mid-2010), we have taken the decision not to include the keys in the major DNSSEC key stores…Instead, we will use the period as an extended operational test, waiting until the root goes live before publishing our trust anchor in the root zone.
The next phase will include signing .co.uk and other SLDs, Nominet said.
DNSSEC signed answers from L root server
The first root server (L) has started to serve up a signed version of the root zone. This is the first step in the live testing that will lead to a production signed root by the middle of the year. For information on the status of the root signing process visit: http://www.root-dnssec.org/
The root is intentionally publishing bogus signing keys, so the answers are not verifiable. Once the testing completes the actual keys will be published.
Current DNSKEY set advertised:
. 86400 IN DNSKEY 256 3 8 AwEAAa1Lh++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOULD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION+++
+++++++++++++++++++++++++++++++++++++++++++++++8
. 86400 IN DNSKEY 257 3 8 AwEAAawBe++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOULD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION+++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++8=
. 86400 IN RRSIG DNSKEY 8 0 86400 20100204235959 20100121000000 19324 . NO9bHgWYB3wQlVZXQKwDGUjTgIyfz1i8aWH8nBlT5isnYbr6PTfR4fWlSx8+avFfR0fVekauaQelKOyiUav4H9Y1AZ2OBguu7RjozQu1qErKboWd1NglIIOGar0Ol4Ur9+
4bo2LSxjp/X4ESypW0lX04z5uB6DZZei1zafzRGUnLIMdV9xdKEOJrm9UCKvYK5g8bjRq8KA8vT+
pidexZMrBQ3ie8R9daf/s6VK7zUJK0jF1vqhPbZFSQmBpJUlxh4VnOv7nnhcq4Moj49wqmNxKRqfvSwHAJBG6dEgShnlu/rfVsdxfFUCjIGX8YnSC7lYqODwgUGh+i/arA AK+bzg==
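The records above can be screened mechanically before anything is configured as a trust anchor. The following is an added example, not code from the original post or from the root operators: it parses DNSKEY and RRSIG lines in presentation format, separates the key-signing key (flags 257) from the zone-signing key (flags 256), detects the placeholder marker, and checks the signature validity window. The sample input is constructed from the records above with the key and signature data shortened; the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample: the records shown above with key/signature data shortened.
SAMPLE = """\
. 86400 IN DNSKEY 256 3 8 AwEAAa1Lh+++THIS/IS/AN/INVALID/KEY/AND/SHOULD/NOT/BE/USED+++8
. 86400 IN DNSKEY 257 3 8 AwEAAawBe+++THIS/IS/AN/INVALID/KEY/AND/SHOULD/NOT/BE/USED+++8=
. 86400 IN RRSIG DNSKEY 8 0 86400 20100204235959 20100121000000 19324 . c2lnbmF0dXJl
"""
MARKER = "THIS/IS/AN/INVALID/KEY"  # text embedded in the placeholder keys
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

def _ts(text):
    # RRSIG times in presentation format are YYYYMMDDHHmmSS in UTC (RFC 4034).
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_records(text):
    """Return (dnskeys, rrsigs) parsed from zone-file style lines."""
    keys, sigs = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY" and len(f) >= 8:
            flags = int(f[4])
            keys.append({
                "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit set -> KSK
                "zone_key": bool(flags & 0x0100),            # Zone Key bit
                "protocol": int(f[5]),
                "algorithm": ALGORITHMS.get(int(f[6]), f[6]),
                "placeholder": MARKER in "".join(f[7:]),
            })
        elif f[3] == "RRSIG" and len(f) >= 13:
            sigs.append({
                "covers": f[4], "algorithm": ALGORITHMS.get(int(f[5]), f[5]),
                "expiration": _ts(f[8]), "inception": _ts(f[9]),
                "key_tag": int(f[10]), "signer": f[11],
            })
    return keys, sigs

def usable_as_trust_anchor(key):
    # Needs a zone key with the SEP bit, protocol 3, and real key material.
    return (key["role"] == "KSK" and key["zone_key"]
            and key["protocol"] == 3 and not key["placeholder"])

def signature_in_window(sig, when):
    return sig["inception"] <= when <= sig["expiration"]

if __name__ == "__main__":
    for k in parse_records(SAMPLE)[0]:
        print(k["role"], k["algorithm"], "anchor-ok:", usable_as_trust_anchor(k))
```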
Deployment watch: 15,000 Czech domains signed “in one go”
Posted by Graveline in Uncategorized on January 27, 2010
The Czech registry CZ.NIC announced yesterday that nearly 15,000 Czech domains (14,236) were signed yesterday, all at once. WEB4U, one of the largest Czech registrars with 21,000 registered .CZ domains, decided to implement DNSSEC in all its registered domains, automatically and free of charge.
The CZ.NIC Association launched DNSSEC in October 2008 and says it registered 1414 DNSSEC-protected domains by the end of 2009. CEO Ondrej Filip said:
We greatly appreciate WEB4U’s decision because it will significantly contribute to the security of not only the Czech Internet. By doing so, we also point the way to other countries which are currently launching the technology. DNSSEC is important in particular for those who seek the highest possible security of their information on the Internet. Among these are banks or e-shops on whose websites the visitors often enter sensitive personal data such as user names and passwords, credit card numbers etc.
