Archive for category Uncategorized

“Now is an opportune time for applications to begin to take advantage of some of the benefits that DNSSEC provides.”  That’s the message in a plenary session for app developers on DNSSEC at AppSec DC 2010,  a conference sponsored by The Open Web Application Security Project (OWASP) next month, November 10 and 11, in Washington, DC. 

Initiative partner Suresh Krishnaswamy of Sparta, Inc. will lead this November 10 session on “Providing application-level assurance through DNSSEC.”  It will include information on:

• A Firefox browser extension that supports various DNSSEC indicators;
• An API that has been developed and the modifications made to the application user interface;
• Encouragement for application developers to consider DNS security implications in their Internet and web applications.

Go here to register and learn more about the conference.

The Sandia National Lab DNS visualization tool, DNSViz, now has a new contact form through which you can share feedback on the tool.  Share your comments at http://dnsviz.net/contact/.

.ORG, the Public Interest Registry, has launched a “Practice safe DNS” campaign as part of the U.S. National Cyber Security Awareness Month, with the goal to “serve as a key resource for domain holders, registrars, web developers and IT professionals to learn how they can respectively play a increasingly relevant role in providing a safer and more secure Internet.”

The site includes video testimonials from Vint Cerf of Google, Initiative partner Steve Crocker of Shinkuro, Inc., Jim Galvin and Ram Mohan of Afilias, Dan Kaminsky of Recursion, and Cricket Liu, of Infoblox.  The campaign also is active on Facebook and Twitter.  The introductory video appears above.

Comcast has begun migrating customers to DNS servers using DNSSEC protections as part of its production roll-out of DNSSEC. Comcast executive director for Internet systems Jason Livingood tells us, “So far this year, our production deployment trial has been opt-in only.  Starting [this week], customer DNS IP addresses will start to change via DHCP lease updates.”  The announcement notes that:

Best of all, customers will not need to take any action and should not notice any changes to their service, though behind-the-scenes that service will be more secure. As the first major Internet Service Provider (ISP) to do so in the United States, our customers are among the first to be getting these new security capabilities, which is part of our continuing push for a more secure Internet experience for both our customers as well as the global Internet.

Livingood also notes that, as part of the roll-out, “we have deliberately broken DNSSEC for a domain so we and others
can test what happens when validation breaks.”  The results are here.

Comcast also has made available a DNSSEC public service announcement for its customers, featuring G4 Network’s “Attack of the Show” co-host Kevin Pereira:

DNSviz, a new tool from Sandia National Laboratories, aims to help users visualize the status of a DNS zone, showing DNSSEC authentication chain for a particular domain name and its resolution path in the DNS namespace. Designed as an aid in understanding and solving problems in DNSSEC deployment, the tool also lists configuration errors it detects.  (Above, part of the analysis for dnssec-deployment.org.)  Feedback is encouraged for the new tool.

Comcast has announced it will contribute $15,000 to an NLnet Foundation grant program designed to help open-source developers add DNSSEC features to their applications, in an effort to “help fund some developers to start working on DNSSEC-aware applications, and motivate others to do the same.”

NLnet describes the vision behind the fund this way:

Of course it is already a big win that the chain can henceforth be trusted up to the point where providers relay the answer to the client. But this is not good enough for perfectly normal use such as using a (potentially hostile) public wifi hotspot: for end users to fully benefit from DNSSEC in such cases, the software on the end user side should be able to validate DNSSEC signatures as well – especially on sensitive data like digital security keys and certificates. Most (but not all) applications depend on higher level services to handle DNS, which means that these service stacks need to be updated in all operating systems. Specific client software using their own built-in DNS services, like realtime communication software (e.g. SIP, XMPP), messaging servers and browsers, also will need to be adapted.

Comcast’s executive director for Internet systems, Jason Livingood, noted:

As Comcast and other ISPs implement DNSSEC, and domain owners start to cryptographically sign their domains, we can see a point in the near future where applications may start to show end users some indication that a domain has been secured with DNSSEC. This may be much like a web browser shows a special lock icon when a user visits a website secured with SSL.

Go here for more information or to apply for a grant.

Five Caribbean top-level domains have successfully deployed DNSSEC, including .ag (Antigua and Barbuda), .bz (Belize), .hn (Honduras), .lc (Saint Lucia), and .vc (Saint Vincent and the Grenadines).  The five TLDs are managed by Afilias.

ICANN research also offers this Venn diagram with updated statistics on top-level domain deployment of DNSSEC.  As of this writing, it reports:

dnssec.net has published the views of nine top executives and organizations on “DNSSEC Advantage: Reasons for deploying DNSSEC.”  Each viewpoint includes a look at the significance of steps leading toward deployment and asks questions about what lies in the future.

The series includes contributions from:

• Jeremy Hitchcock,CEO, Dyn, Inc.
• Warren Adelman, President and Chief Operating Officer, The GoDaddy Group
• Olaf Kolkman, Director, NLNet Labs
• Roland van Rijswijk, Technical Product Manager, SURFnet
• Paul Vixie, President, Internet Systems Consortium
• Anne-Marie Eklund Lowinder, Quality and Security Manager, .SE
• Mark Beckett, Vice President of Marketing, Secure64 Software Corp.
• Ron Aitchison, Author, Pro DNS and BIND
• European Network and Infomation Security Agency (ENISA)

Duane Wessels of VeriSign, Wes Hardaker of SPARTA/Cobham, and ICANN’s Mehmet Akcin presented on the signing of the root zone and updates on what’s happened since the root signing, at NANOG 50, the North American Network Operators’ Group conference in Miami this week.  Attendees heard about “benefits that can be gained from making applications DNSSEC-capable and some of the DNSSEC-capable applications that are available today.”  You can find all the DNS and DNSSEC presentations from NANOG 50 here.

EDUCAUSE Quarterly has published “Helping Secure the Internet with DNSSEC,” detailing the deployment experience within the lsu.edu domain at Louisiana State University. Authors John C. Borne, the university’s chief IT security and policy and LSU manager Allie Hopkins describe the university’s process and considerations in testing and deploying DNSSEC, and conclude:

From LSU’s perspective, we would very much like to see it grow and succeed through a rapid, yet voluntary, sequence of adoption. It’s a pretty solid bet that, whether by regulation or incentive, organizations will feel more pressure from governmental, standards, and industry groups attempting to induce adoption of DNSSEC. As more DNSSEC-aware appliances and applications come online, popular demand may combine with the influence of these groups to make DNSSEC nearly ubiquitous and allow it to deliver its maximum benefit. In adopting DNSSEC at LSU, we have ignored its imperfections. What other solution has a better chance of success? Despite weaknesses, or the many things it will not protect us from, DNSSEC still provides good protection and, more importantly, a basis upon which to build improved security for the Internet.

EDUCAUSE, a nonprofit organization, works to advance Internet issues within the U.S. higher education community.