Archive for category Uncategorized
DNSSEC featured at ICANN’s Cartagena meeting this week
Posted by Denise Graveline in Uncategorized on December 7, 2010
DNSSEC once again plays a major role at this week’s ICANN meeting, taking place in Cartagena de Indias from December 5-10.
ICANN President Rod Beckstrom gave a report that opened the meeting, and noted:
Thanks to community efforts, DNSSEC is being deployed aggressively around the world. Fifty TLDs have been signed and are in the root, and at least 15 more are in the works. A number of new registry operators are implementing DNSSEC in top level domain zones. .net will be ready for DNSSEC validation this week – a major milestone – and .com is on track for validation by March 2011, when we meet in San Francisco for the 40th ICANN meeting.
Yesterday, a workshop on DNSSEC for Beginners featured speakers from VeriSign, Nominet and ISC, as well as Sparta’s Russ Mundy, a partner in the DNSSEC Deployment Coordination Initiative. Go to the link for resources from the workshop, and listen to an MP3 audiocast here.
Noting that “we are now entering an exciting phase where DNSSEC can become an operational reality for everyone,” Initiative partners and a host of speakers will convene on Wednesday for an all-day DNSSEC Workshop. Panels and presentations in this workshop will cover:
- DNSSEC adoption issues for registries and registrars and successful marketing approaches for DNSSEC.
- The diversity of approaches for implementing DNSSEC across both registrars and registries, with a focus on how the size of each organization affects the tools and technologies deployed.
- An overview of open-source DNSSEC tools.
- Presentations on the uptake of DNSSEC validating resolvers from a group of leading ISPs.
- Updates on regional and worldwide DNSSEC deployment activities.
Featured will be speakers from the Initiative and from Afilias, AusRegistry, Comcast, CZ.NIC, GoDaddy, ICANN, Internet Infrastructure Foundation (.SE), Internet Systems Corporation, LACTLD, Monster, NIC.br, Nominet, Public Interest Registry, SIDN, SURFNet, and VeriSign. Remote participation can be accessed through this virtual meeting room. Links to presentations are already available, and transcripts will be available later this week at the main workshop link noted above.
VeriSign offers registrars new DNSSEC signing service
Posted by Denise Graveline in Uncategorized on December 1, 2010
VeriSign announced that it will offer a new in-the-cloud DNSSEC signing service to registrars to help them sign domain names and manage keys without investing in additional equipment and resources. Pat Kane, Assistant General Manager of Naming Services at VeriSign, noted, “we want to do everything we can to encourage the adoption of DNSSEC, which is an essential tool for securing the Internet.”
The new service provides the initial cryptographic signing, routine re-signing of zone resource records and management of key rollover schedules and zone re-signing. An evaluation period will be offered to VeriSign’s registrar partners to review the service; the offer ends at the end of 2011.
JPRS sets DNSSEC deployment for early 2011
Posted by Denise Graveline in Uncategorized on November 23, 2010
Japan’s registry service, JPRS, has announced it will introduce DNSSEC in .jp domain name services in mid-January 2011. It noted:
JPRS regards DNSSEC as the most effective and feasible current solution against the security threats caused by frauds of DNS responses. Based on this view, JPRS has researched and developed the method of implementing DNSSEC into large-scale zones, while discussing operational technology and roadmap toward diffusion through collaboration with DNS-related parties from home and abroad.
At present, we are conducting tests and reviews of specifications in order to implement DNSSEC, as well as performing technological evaluation with a wide range of DNS-related parties listed below.
In addition to deploying DNSSEC in .jp and the domain name services it provides, JPRS will be “conducting promotional and educational activities and providing information to different DNS-related parties categorized as follows.”
Afilias secures .gi, .mn and .sc
Posted by Denise Graveline in Uncategorized on November 22, 2010
Top-level domains for Gibraltar (.gi), Mongolia (.mn), and the Seychelles (.sc) are now DNSSEC-enabled, Afilias has announced. The move is part of “Project Safeguard” at Afilias, which now has 11 secured TLDs on its registry platform.
SIDN takes ‘next step’ in DNSSEC deployment for .nl, launches Friends & Fans program
Posted by Denise Graveline in Uncategorized on November 17, 2010
SIDN, manager of The Netherlands’ .nl zone and ENUM NL, has published the public key for .nl in the root and created a “Friends & Fans” program to encourage DNSSEC deployment and gain practical experience with the security extensions.
DNSSEC-experienced registrants now have “the option of publishing the ‘public keys’ for a small number of domain names,” and including them in the .nl zone file, beginning with sidn.nl, gigaport.nl and surfnet.nl.
SIDN CEO Roelof Meijer noted:
The Friends and Fans program is the next step towards the introduction of DNSSEC for all .nl domain names. That goal should be achieved by the end of 2011. Over the last few months, we have seen market interest in DNSSEC really start to take off: about 60 TLDs (top-level domains) are now signed, compared with just 20 at the start of the year. In March 2011, .com is going to be signed as well, and we fully anticipate still greater interest in DNSSEC before the year is out.
Free DNSSEC tool released by Dan Kaminsky
Posted by Denise Graveline in Uncategorized on November 12, 2010
At BlackHat in Abu Dhabi yesterday, security researcher Dan Kaminsky released “Phreebird,” a free toolkit designed to show organizations how easy DNSSEC is to implement by letting them try it out. Dark Reading notes:
The goal is to show how DNSSEC could be used to “bootstrap” trust — a.k.a. authentication — across organizations, he says, authenticating clients, business partners, customers, contractors, and other groups with one another….Kaminsky hopes to dispel concerns that DNSSEC will be complex, disruptive, and expensive to deploy in organizations. “Application developers don’t want to be cryptography experts,” Kaminsky says. “They just want the key … and to move on.”
You can find the new toolkit on the BlackHat website.
International deployment steps up as IETF meets in Beijing
Posted by Denise Graveline in Uncategorized on November 12, 2010
IETF convened in Beijing, China, and DNSSEC’s deployment in Asian nations took center stage, including these steps forward:
- Afilias will collaborate with .asia to bring DNSSEC implementation to the domain. The DotAsia Organization oversees the “.Asia” top-level Internet domain name, and is a regional consortium that includes .cn (China), .jp (Japan), .kr (Korea), .in (India), .nz (New Zealand), and .ph (Philippines), as well as the regional Internet organizations APNIC, APNG, APCERT, PAN and APTLD.
- DNSSEC is enabled for India’s .in top-level domain, Afilias announced. The .in TLD represents more than 700,000 domains.
- AFNIC announced that the .wf top-level domain for the South Pacific island territory Wallis and Futuna has been signed with DNSSEC.
In other news, EURid, the registry for the .eu top-level domain (TLD), reports that 87% of the world’s TLD internet operators have yet to deploy DNSSEC.
ITAR to be retired by early 2011, ICANN says
Posted by Denise Graveline in Uncategorized on November 8, 2010
ICANN’s Interim Trust Anchor Repository (ITAR), designed to help move DNSSEC deployment forward before the root zone was signed, is now being retired. As of November 4, no new listings will be accepted. Existing listings are expected to be removed around November 18, and the entire service will stop in January 2011, ICANN announced.
Dozens of early DNSSEC-adopting top-level domain operators were able to use the ITAR to publish their trust anchors in the absence of a signed DNS root zone. ICANN notes that the ITAR supported more than 100 such listing requests during its lifetime.
VeriSign shares DNSSEC deployment schedule for .com, .net
Posted by Denise Graveline in Uncategorized on October 29, 2010
VeriSign has shared its plans for deploying DNSSEC in .net and .com with the operational community. Matt Larson of VeriSign issued the following schedules today:
The .net DNSSEC deployment consists of the following major milestones:
- September 25, 2010: The .net registry system was upgraded to allow ICANN-accredited registrars to submit DS records for domains under .net. These DS records will not be published in the .net zone until the .net zone is actually signed. Each registrar will implement support for DNSSEC on its own schedule, and some registrars might be accepting DS records for .net domains now.
- October 29, 2010: A deliberately unvalidatable .net zone will be published. Following the successful use of this technique with the root DNSSEC deployment, VeriSign will publish a signed .net zone with the key material deliberately obscured so that it cannot be used for validation. Any DS records for .net domains that have been submitted by registrars will be published in the deliberately unvalidatable zone.
- December 9, 2010: The .net key material will be unobscured and the .net zone will be usable for DNSSEC validation. DS records for .net will appear in the root zone shortly thereafter.
The .com DNSSEC deployment will occur in the first quarter of 2011 and will consist of the following major milestones:
- February, 2011: The .com registry system will be upgraded to allow ICANN-accredited registrars to submit DS records for domains under .com. These DS records will not be published in the .com zone until the .com zone is actually signed.
- March, 2011: A deliberately unvalidatable .com zone will be published. Any DS records for .com that have been submitted by registrars will be published in the deliberately unvalidatable zone.
- March, 2011: The .com key material will be unobscured and the .com zone will be usable for DNSSEC validation. DS records for .com will appear in the root zone shortly thereafter.
Mozilla shares its DNSSEC deployment experience
Posted by Denise Graveline in Uncategorized on October 25, 2010
The trinity:~shyam$: Inside Mozilla IT blog shared this look at “Implementing DNSSEC for mozilla.org,” noting that DNSSEC deployment was an internal goal last quarter. Author Shyam “is the only person on the Mozilla IT team outside the USA,” and walks readers through nine steps of deployment with his tips and advice. He notes:
I’ve never had a chance to work hands on with DNS in a large setup…it has always been “managed” DNS and that was never much of a challenge. DNSSEC was an awesome goal to work on and I had a lot of fun working on it. At first sight, DNSSEC is a little daunting – fairly new technology with a gazillion specs and RFCs but once you get a hang of the concepts, it’s easy to work with.
The author plans on a “starting from scratch to DNSSEC ready” article next.