DNSSEC This Month
July 1, 2009
Volume 4, Number 7
ISSN 1932-6564
In This Issue:
Operational root zone to be signed by end of 2009
DNSSEC in the Field session features global implementation news
DNSSEC Coalition examines consequences of deploying a signed root
Additional presentations covered transfer of registrations, trust anchor repositories, and other DNSSEC progress at ICANN
HP, Dyn DNSSEC plans cited as deployment progress
ARIN advances DNSSEC deployment
DNSSEC webinar now available on demand
BIND 10 to offer more DNSSEC functionality?
African adoption of DNSSEC takes backseat to basic issues
Examiner looks at DNSSEC in wake of White House report
Operational root zone to be signed by end of 2009: The U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) announced it is working with the National Institute of Standards and Technology (NIST), the Internet Corporation for Assigned Names and Numbers (ICANN) and VeriSign toward a 2009 signed root zone, a significant milestone in DNSSEC deployment. Speaking at the standing-room-only DNSSEC Session at the ICANN meeting in Sydney, Australia, Ashley Heineman, NTIA’s DNSSEC Program Manager, said, “ICANN, as the IANA functions operator will be responsible for the root KSK management process. ICANN will also be responsible for the publication/distribution of the root key.” With respect to VeriSign’s role, Ms. Heineman said, “In addition to what they do today, which is generating the root zone file and distributing that file, in between those two processes they will now be responsible for signing the root.”
DNSSEC in the Field session features global implementation news: At the same session, a roundup of “DNSSEC in the Field” offered updates from Australia (.au), Malaysia (.my), New Zealand (.nz), Singapore (.sg), Thailand (.th) and PIR (.org), with particular emphasis on the news that Malaysia’s zone is now signed, making it the first operational signed zone in Asia, and .org is now signed, making it the biggest signed zone and the first open gTLD signed zone.
- Mrs. Pensri Arunwatnamongkol, .th Technical Contact, THNIC Foundation, described the .th DNSSEC Deployment.
- Lance Wolak, Director, Marketing & Product Management, PIR, described the rollout and next steps for DNSSEC in .ORG. In their announcement they declared it “a significant milestone in our effort to bolster online security for the dot-ORG community.” .ORG was signed on June 2.
- Chris Wright, CTO of AusRegistry, demonstrated signing with only three commands.
- Lai Heng Choong, Head of Application, Database and Security – TNI, .my Domain Registry, described their closed testbed and forthcoming plans.
- Jay Daly, Chief Executive, .nz Registry Services, spoke on policy implications of implementing DNSSEC in .nz.
- Lee Han Chuan, SGNIC Technical Manager, described Singapore’s preparation and planning for the implementation of DNSSEC.
DNSSEC Coalition examines consequences of deploying a signed root: The DNSSEC Industry Coalition held a symposium June 11-12 in Reston, VA, discussing the potential problems and additional work to be done to deploy a signed root. A brief description of the symposium was given by Suzanne Woolf at the Sydney DNSSEC session. A full report will be issued in July.
Additional presentations covered transfer of registrations, trust anchor repositories, and other DNSSEC progress at ICANN. Rounding out a very full session on DNSSEC at the Sydney ICANN meeting were presentations from Joe Abley of ICANN on their DNSSEC capabilities for signing zones managed by the IANA group below the root, from Steve Crocker on the technical challenges of transferring registrations between registrars when the registrars are also providing signed name service for the registrants, and from Russ Mundy on the current thinking on trust anchor repositories.
HP, Dyn DNSSEC plans cited as deployment progress: Announcements by two more companies offering DNSSEC solutions were cited by Dark Reading as signs that DNSSEC deployment is “finally gaining some traction.” HP announced it would resell Secure64’s DNS Signer software, which fully automates DNSSEC and runs on the entry-class HP Integrity rx2660 and rx3600 servers. Dynamic Network Services, Inc. (aka Dyn Inc.) announced it has become the first managed DNS provider to offer DNSSEC on the Dynect Platform, which provides DNS service to hundreds of thousands of domains and more than 15 top-level domains.
ARIN advances DNSSEC deployment: The American Registry for Internet Numbers (ARIN) announced its DNSSEC deployment effort for its Reverse DNS zones would move forward July 1 following input from the ARIN community. Next steps include signing the zone, deploying it to the community and enabling ARIN's customers to register Delegation Signer (DS) records to their delegations.
DNSSEC webinar now available on demand: Infoblox has made available the June webinar “DNSSEC: What It Means for Your Network and DNS Security,” featuring IOActive’s Dan Kaminsky, Cricket Liu of Infoblox and Initiative partner and NIST computer scientist Scott Rose. The webinar runs just under an hour.
BIND 10 to offer more DNSSEC functionality? Internet News reports that BIND 10, a revision of the open-source DNS server, is expected to “make it easier for DNS administrators to actually manage DNSSEC…by improving usability,” such as full DNSSEC automation.
African adoption of DNSSEC takes backseat to basic issues: InfoWorld reports that DNSSEC deployment in Africa is “likely to take a long time as the continent tackles more fundamental Internet issues such as local management, automation and full security for all country code top-level domain registries.” The article notes a 2007 ICANN study of African ccTLDs reporting they are likely to adopt DNSSEC.
Examiner looks at DNSSEC in wake of White House report: Following a recent White House report on cybersecurity, Examiner.com published “The next big thing is cybersecurity, but what does it mean for us?” Interviewed was Initiative partner Douglas Maughan, Program Manager of the Cyber Security R&D Center in the U.S. Department of Homeland Security’s Science and Technology Directorate.
© 2009. Shinkuro, Inc. All rights reserved.
WELCOME
Attacks on the Internet infrastructure are a reality - it's estimated that 10 percent of servers in the network today are vulnerable to domain name system (DNS) attacks. And many technology experts believe that we will see a serious attack on the underlying infrastructure within the next decade.
The DNS Security Extensions (DNSSEC) Deployment Coordination Initiative is part of a global effort to deploy new security measures that will help the DNS perform as people expect it to - in a trustworthy manner. This initiative builds on over a decade of work undertaken by many experts around the world, who developed the DNSSEC standard that was published by the IETF.
On this site, we have collected important information to help you learn more about the initiative; DNS attacks and their impact on your business, government agency, or home computing; information for adopters and potential adopters; and news and research to keep you informed about progress against this important security threat.
As of June 30, the SecSpider monitoring site showed 4543 DNSSEC-enabled zones using both KSKs and ZSKs.
This web site is supported by the Science and Technology Directorate of the U.S. Department of Homeland Security.