In This Issue:

ICANN Cairo meeting focuses on DNSSEC November 5

Dot-CZ signed

Report tests DNSSEC on broadband routers and firewalls

U.S. government move to sign dot-GOV applauded

DNS inventor addresses DNSSEC for messaging group

Internet 2 to New Orleans

Swedish workshop to train TLD operators in Stockholm

NIST, Secure64 offer workshops in October, November

ICANN to Cairo

IETF to Minneapolis

ICANN Cairo meeting focuses on DNSSEC November 5: DNSSEC will be the focus of a November 5 workshop at the ICANN Cairo meeting, from 1-2:30pm local time. Among the topics expected on the agenda are:

• DNSSEC performance in DNS servers and resolvers when DNSSEC is added will be reviewed, with a discussion of known factors and remaining questions.

• DNSSEC around the world, featuring speakers from top-level domains that are deploying or planning to deploy DNSSEC.

• Update from SSAC on its statement on DNSSEC deployment in its publication SAC026. SSAC will give an update on the status of those recommendations.

See the workshops section below for registration links for the conference.

Dot-CZ signed: The zone for dot-CZ, the Czech national domain, has been signed and DNSSEC was launched September 30, with the registry opened to the public on that date. The move is the last step in a deployment plan announced in March by CZ.NIC, which operates the domain name registry for the dot-CZ domain and the 0.2.4.e164.arpa (ENUM) domain, as well as the CZ top-level domain. The Czech ENUM domain was signed and a master key published in April, making the Czech Republic the first country to implement DNSSEC for ENUM. The DNSSEC key for the dot-CZ domain is published here.

Report tests DNSSEC on broadband routers and firewalls: Nominet’s Ray Bellis and Lisa Phifer of Core Competence have published a report detailing the “DNSSEC Impact on Broadband Routers and Firewalls.” Two dozen residential Internet router and small office/home office (SOHO) firewall devices commonly used with broadband services were tested. The authors concluded that just 25 percent of the units operate with full compatibility to DNSSEC “out of the box,” and 37 percent can be reconfigured to bypass DNS proxy incompatibilities, but the remainder cannot be reconfigured to do so. The report also looks at potential impacts on DNSSEC use by broadband consumers and implications for manufacturers. See the full report here; it also was presented at the DNS-OARC workshop September 24 in Ottawa. Core Competence’s participation in this study was supported by Shinkuro, Inc., The Internet Society, ICANN, and Afilias, Ltd.

U.S. government move to sign dot-GOV applauded: The U.S. government’s recent decision to sign dot-GOV and mandate all federal agencies to deploy DNSSEC received wide attention and praise last month. In a post on CircleID, PIR noted that “dot-ORG applauds the US Government's decision” and renewed calls for the signing of the root zone. The Ubuntu Evangelist quoted Bruce Van Nice, director of product marketing at Nominum, also praising the government’s leadership role as setting a good example for other organizations waiting to deploy DNSSEC. "The reality is, we don't know if it's gonna be hard to do until someone does it," he said. "I think the beauty of the internet is that's the essence of how and why it works -- that someone actually has to go and implement the protocol and when they do that, learn what does and doesn't work." Nominum provides IP address infrastructure software.

DNS inventor addresses DNSSEC for messaging group: Paul Mockapetris, inventor of the domain name system and Nominum chairman and chief scientist, spoke to network operators, mailbox providers and others at the Messaging Anti-Abuse Working Group in Fort Lauderdale, Florida, in late September. The members-only meeting featured Mockapetris speaking twice, on "DNSSEC: Real World Implications" and "What should we learn from 25 years of the Internet: A DNS case study."

Workshops help networks, organizations deploy DNSSEC: While the protocols needed to add additional security to DNS queries and responses exist, network administrators and organizational leaders in all sectors need to accept DNSSEC and put it to use. Here’s a roundup of speakers and sessions that may help you work through potential issues and concerns about deployment:

• Internet 2 to New Orleans: Internet 2 will hold its member meeting in New Orleans, Louisiana, October 13-16. A DNSSEC “birds of a feather” or BoF meeting will take place October 15 from 12 noon to 1:15pm; Louisiana State University will discuss its experiences with DNSSEC and their plans to deploy before year-end in a session from 3 to 4pm, also on October 15.
• Swedish workshop to train TLD operators in Stockholm: Dot-SE will convene a workshop on DNSSEC and IPV6 deployment October 20, followed by its “Internet Day”, October 21, and a training workshop for TLD operators October 22-24 in Stockholm. Top-level domain operators from 13 European nations are expected, along with attendees from Malaysia and dot-ORG
• NIST, Secure64 offer workshops in October, November: The U.S. National Institute of Standards and Technology and Secure64 will offer hands-on DNSSEC deployment workshops this fall for U.S. government DNS operators to help them understand, pilot and deploy DNSSEC technologies in accordance with FISMA and the recent Office of Management and Budget policy calling for DNSSEC deployment across all U.S. federal agencies. Workshops will be held October 29 in Golden, Colorado, and November 5 in Gaithersburg, Maryland. Participants will learn what DNSSEC does and how it works; how FISMA controls relate to DNSSEC; how to develop essential DNSSEC deployment policies and practices; how to use open source technologies and tools to deploy DNSSEC; what NIST has learned from its deployment experience; and how automated signing products can greatly accelerate and simplify deployment. Go here to register for the workshops and for more information. Registration is free, and recommended, as seating is limited. (Secure64 also offers video tutorials on DNSSEC deployment on YouTube.)
• Reminder! ICANN to Cairo: ICANN will convene its 33rd meeting in Cairo, Egypt, November 2-7. The DNSSEC workshop takes place November 5. Find registration and other meeting details here.
• IETF to Minneapolis: The 73rd IETF meeting will take place in Minneapolis, Minnesota, November 16-21.
  

© 2008. Shinkuro, Inc. All rights reserved.

WELCOME

Attacks on the Internet infrastructure are a reality - it's estimated that 10 percent of servers in the network today are vulnerable to domain name system (DNS) attacks.  And many technology experts believe that we will see a serious attack on the underlying infrastructure within the next decade.

The DNS Security Extensions (DNSSEC) Deployment Coordination Initiative is part of a global effort to deploy new security measures that will help the DNS perform as people expect it to - in a trustworthy manner.  This initiative builds on over a decade of work undertaken by many experts around the world, who developed the DNSSEC standard that was published by the IETF.

On this site, we have collected important information to help you learn more about the initiative; DNS attacks and their impact on your business, government agency, or home computing; information for adopters and potential adopters; and news and research to keep you informed about progress against this important security threat.

As of September 30, the SecSpider monitoring site shows 1532 DNSSEC enabled zones using both KSKs and ZSKs.

This web site is supported by the Science and Technology Directorate of the U.S. Department of Homeland Security.