Archive for category Uncategorized

“Lessons from the Trenches: Deploying DNSSEC” is an Afilias webinar targeting country code top-level domain registries with an hour of “key questions to ask yourself when deciding upon DNSSEC deployment parameters and timeline”  and “infrastructure changes required for your registry and DNS systems to support DNSSEC.”

Scheduled for 11:00 am EDT on June 9, the webinar speakers include Initiative partner and Shinkuro CEO Steve Crocker, along with John Kane, vice president, corporate services and Ram Mohan, vice president and chief technology officer, Afilias; Rickard Bellgrim of the .SE registry; and Lauren Price of .ORG and the Public Interest Registry.   Registration is required.

ICANN will delay by two weeks–to July 15–the scheduled July 1 deployment of DNSSEC at the root zone.  On that date, ICANN will distribute a “validatable, production, signed root zone” and publish a trust anchor. The announcement noted:

The schedule change is intended to allow ICANN and VeriSign an additional two weeks for further analysis of the DURZ rollout, to finalise testing and best ensure the secure, stable and resilient implementation of the root DNSSEC production processes and systems

As reported today in The H Online, “all 13 root servers are now serving a signed version of the root zone.”  And, despite numerous rumors circulating on the web, the article notes:

There have been no reports of any problems in the immediate aftermath of VeriSign’s J root server starting to serve DNSSEC signatures. Experts at the 60th RIPE meeting in Prague were almost unanimous in predicting a glitch-free switchover, following the successful switchovers of the other 12 root servers in recent months. The only apocalyptic note was sounded by a countdown to the demise of the unsigned root zone.

The article discusses next steps, including disclosure of a public key and a June key signing ceremony that will bring together volunteer crypto officers and recovery key share holders from around the world.

EDUCAUSE notes that registration is almost full for its April 29 webinaron DNSSEC in the .edu Domain, featuring Becky Granger, EDUCAUSE director of information technology and member services, and host Steve Worona.  You’ll find additional background resources and links on DNSSEC on the webinar registration page.

Two speakers from the DNSSEC Deployment Coordination Initiative–Shinkuro CEO Steve Crocker and U.S. National Institute of Standards and Technology computer scientist Scott Rose–will speak at Internet2’s Spring 2010 meeting next week in Arlington, VA, as part of a panel on DNSSEC.   Joining them will be Shumon Huque of the University of Pennsylvania; Anthony Iliopoulos of Louisiana State University; and Rodney Peterson of EDUCAUSE.  The meeting will take place April 26-28 at the Crystal Gateway Marriott in Arlington; go here for registration and more details.

Afilias Executive Vice President and Chief Technology Officer Ram Mohan urged registrars, registries, ISPs, enterprises and developers to get a DNSSEC strategy in a blog post today, noting that “DNSSEC is not pie-in-the-sky talk any more. It’s a reality as current and pressing as the need to migrate to IPv6…if you haven’t started planning for DNSSEC yet, you should start to wonder whether you’re behind the curve.”  For application developers, he looks ahead, noting, “DNSSEC creates an entirely new piece of Internet infrastructure upon which software developers can apply their ingenuity. Over the next few years we should expect to see applications leveraging domain name security in ways we cannot imagine now.”  The post includes a video and an overview of recent progress toward DNSSEC deployment.

The Internet Protocol Journal has just published an article about Rolling Over DNSSEC Keys, authored by George Michaelson and Geoff Huston of APNIC; Patrick Wallström of .SE; and Roy Arends of Nominet.  The editor notes that the article examines “what happens in two widely used DNS resolver implementations when DNS clients lag behind in synchronizing their local copy of trust keys with the master keys used by the zone administrators to sign their DNS data.”  Here’s what the authors conclude: 

….in this situation of slippage of synchronized key state between client and server, the effect is both local failure and the generation of excess load on external servers—and if this situation is allowed to become a common state, it has the potential to broaden the failure state to a more general DNS service failure through load saturation of critical DNS servers.

This aspect of a qualitative change of the DNS is unavoidable, and it places a strong imperative on DNS operations and the community of the 5 million current and uncountable future DNS resolvers to understand that “set and forget” is not the intended mode of operation of DNSSEC-equipped clients.