Welcome to DNSSEC THIS MONTH, May 1, 2006, Vol. 1, No. 1

Amy Friedlander amy at shinkuro.com
Mon May 1 14:37:21 EDT 2006

We're pleased to release the inaugural issue of DNSSEC THIS MONTH, our
newsletter monitoring progress in deployment activities and related topics
for government, business and higher education.  Please take a moment to look
it over and then forward it to folks who might be interested. You can also
view it online at http://www.dnssec-deployment.org/news/dnssecthismonth/.

Please also take a moment to subscribe:
news-subscribe at dnssec-deployment.org.

My apologies in advance for multiple messages that you may receive.




May 1, 2006, Vol. 1, No. 1

Welcome to the first edition of DNSSEC THIS MONTH, a monthly newsletter
about advances in securing the Internet's naming infrastructure in the
government, business and education sectors. Some 10 percent of servers in
the network today are vulnerable to domain name system (DNS) attacks, and
many experts expect a serious attack on the underlying infrastructure within
the next decade. The DNS Security Extensions (DNSSEC) Deployment
Coordination Initiative (http://www.dnssec-deployment.org), which produces
this newsletter, is part of a global effort to deploy new security measures
that will help the DNS perform as people expect it to -- in a trustworthy
manner. This newsletter will offer updates on new policies, early adopters
and advances in DNS security extension development. 

The U.S. Department of Homeland Security Science and Technology Directorate
provides support for coordination of the Initiative. 

To subscribe, please send a message to
news-subscribe at dnssec-deployment.org

To unsubscribe, please send a message to 
news-unsubscribe at dnssec-deployment.org   

65 percent of American voters say the U.S. government needs to make Internet
protection a higher priority.    2005 Cyber Security Industry Alliance
Editor:  Denise Graveline
Contact:  news-editor at dnssec-deployment.org
*  White House unveils R&D plan to boost IT infrastructure security:  A new
Federal Plan for Cyber Security and Information Assurance Research and
Development has been issued by the White House Office of Science and
Technology Policy, providing a blueprint for coordination of Federal R&D
across agencies that will maximize the impact of investments in this key
area of the national interest, according to John H. Marburger III, Science
Adviser to the President. The plan, available in a preprint here
(http://www.nitrd.gov/pubs/csia/FederalPlan_CSIA_RnD.pdf), notes the
expanding role of the domain name system, and with it,  an increased need to
assure the authenticity of the DNS responses and an increased possibility
that the DNS itself will be targeted for attacks.  Public comments on the
report were taken during April; to order a print copy of the report, click:

*  DNS Security Extensions (DNSSEC) on path to be included in new federal
standards:  DNSSEC has been proposed as part of a new standard that aims to
help federal agencies improve their information technology security and
comply with the Federal Information Security Management Act (FISMA) of 2002.
A plan for staged deployment of DNSSEC technology within federal IT systems
was included in recently released Draft Special Publication 800-53, Revision
1: Recommended Security Controls for Federal Information Systems.   NIST
800-53r1 specifies the mandatory minimum security controls necessary to
comply with Federal Information Processing Standards (FIPS) required by the
FISMA legislation (Federal Information Processing Standard (FIPS)
Publication 200, Minimum Security Requirements for Federal Information and
Information Systems; and FIPS Publication 199, Standards for Security
Categorization of Federal Information and Information Systems).   A recently
released NIST Security Guidance document (Draft NIST Special Publication
800-81, Secure Domain Name System (DNS) Deployment Guide) provides the
technical details and detailed implementation guidance to assist agencies in
deploy new DNS security measures with confidence. Agencies will have a year
after final publication to meet the requirements. See the news release here
(http://www.nist.gov/public_affairs/releases/securitystandard.htm), the
Federal Information Processing Standard (FIPS) Publications 199, 200
and Special Publications 800-81 and 800-53

*  Dot-aero endorses DNSSEC adoption, signs Afilias to provide it:  SITA,
the sponsor and operator of the .aero domain, has encouraged wider adoption
of DNSSEC and selected Afilias as the new registry operator for .aero;
transition of its registry services is already complete. SITA provides IT
business solutions and communications services to the air transport
industry.  In a statement, SITA announced it "believes that the adoption of
DNSSEC is important not only because of the greater incidence of security
breaches, but also because of the wider security implications of increased
data transfer within air transport operations." 

*  Internet2 Joint Techs Workshop leads to dot-edu advisory group on DNSSEC:
Internet2 has formed a dot-edu Internet2 advisory group on adopting the
DNSSEC, with participants from Educause, MIT, the University of Oregon,
REN-ISAC, University of Massachusetts-Amherst, University of Pennsylvania,
University of California-Berkeley and more.  Members of the group are
discussing the viability of establishing a cross-signing pilot project in
which a subset of Internet2 member universities would sign at least one of
their zones and exchange keys with others in the experiment.

*  Signed zones offer new examples of DNSSEC at work:  The DNSSEC Deployment
Initiative has signed its own domain name.  The primary name server
ns.shinkuro.com   will permit zone transfers for those who would like to see
an example of a signed zone.  Technical details are available at
In Russia, R01 (http://www.r01.ru/), a Russian registrar, is making a signed
copy of the .RU zone available on the name server ns.dnssec.ru
( Registrants with a .RU domain using R01 as a registrar can
sign their own zones and R01 will provide secure delegation in the signed
copy of the .RU zone. Additional information on the signed zone and how it
can be used can be found at http://www.dnssec.ru/.  The Swedish national
registry (.SE) was the first ccTLD   country code top level domain to
provide DNSSEC-capable service in November 2005, and the European
infrastructure services provider, RIPE NCC, based in the Netherlands, has a
major initiative in place to deploy DNSSEC in zones it manages. 

*  Workshops help networks, organizations deploy DNSSEC: While the protocols
needed to add additional security to DNS queries and responses exist,
network administrators and organizational leaders in all sectors need to
accept DNSSEC and put it to use.  To help them work through potential issues
and concerns about deployment, the Initiative conducts hands-on workshops
around the world:

o Most recently, a workshop at ICANN's New Zealand meeting in March, gave
Internet service providers a live demonstration and presentations from MIT
Lincoln Laboratory; MelbourneIT; Afilias Ltd.; UltraDNS; and Shinkuro, Inc.,
which coordinates the DNSSEC Deployment Initiative.

o Members of the Initiative team also presented a one-day DNSSEC workshop at
the Internet2 Joint Techs Workshop held in Albuquerque, NM, February 5-9.
(See a related plenary talk here

o Upcoming DNSSEC-related workshops include: an NSEC3 workshop, organized by
Nominet and DENIC, on May 8-10, 2006, in Frankfurt, Germany. The workshop
will focus on NSEC3 tools and implementation, and comprehensive testing of
the NSEC3 RR in NSEC3-only and NSEC/NSEC3 environments. Space is limited and
preference will be given to participants with previous NSEC3 involvement or
DNSSEC development or deployment experience. To inquire about registration,
go here (http://www.dnssec-deployment.org/feedback.htm)... DNSSEC Deployment
Initiative team members will present at AusCERT2006 Asia Pacific Information
Technology Security Conference in Gold Coast, Australia, on May 24, with a
tutorial on May 25. To register, go to

*  NIST online tool offers test for DNS Security Extensions:  A new online
instant test  from NIST allows you to check the integrity of a particular
zone, and whether it will conform to the proposed guidance under NIST
special publication 800-81 (see earlier item on proposed new federal
standards) by entering the zone name and the zone IP address.  Find the tool
at http://www-x.antd.nist.gov/dnssec under the "instant test" link.

(c) 2006.  Shinkuro, Inc.  All rights reserved


More information about the Dnssec-deployment mailing list