
DNSSEC needed for “continued growth of the Internet,” says IETF chair

Reflecting on the 25th anniversary this week of the Internet Engineering Task Force (IETF), chair Russ Housley pointed to DNSSEC and IPv6 as two standards that represent the group’s strength in anticipating needed standards. He told Computerworld:

Sometimes the IETF sees a need before the marketplace is ready to embrace it. This leads to the standards being in place before the service providers are ready to deploy. DNSSEC and IPv6 are two examples. So working on global deployment of these completed protocols to offer new capabilities is one challenge. Yet the capabilities offered by these protocols are necessary for the continued growth of the Internet as a trusted platform for communications and innovation used by billions of people around the world.


Kaminsky response to Bernstein offers thorough DNSSEC tutorial

Responding to a presentation by Dan Bernstein in which “much of his representation of DNSSEC — and his own replacement, DNSCurve — was plainly inaccurate,” security researcher Dan Kaminsky offered a thorough tutorial about DNSSEC that addressed some of the interpretations in the Bernstein presentation.

Kaminsky notes that the Bernstein presentation is “actually a pretty good summary of a lot of latent assumptions that have been swirling around DNSSEC for years — assumptions, by the way, that have been held as much by defenders as detractors.” The section headings of his response outline the argument:

  • DNSSEC’s Problem With Key Rotation Has Been Automated Away
  • DNSSEC Is Not Necessarily An Offline Signer — In Fact, It Works Better Online!
  • DNS Leaks Names Even Without NSEC3 Hashes
  • NSEC3 “White Lies” Entirely Eliminate The NSEC3 Leaking Problem
  • DNSSEC Amplification is not a DNSSEC bug, but an already existing DNS, UDP, and IP Bug
  • DNSSEC Does In Fact Offer End To End Resolver Validation — Today
  • DNSSEC Bootstraps Key Material For Protocols That Desperately Need It — Today
  • Curve25519 Is Actually Pretty Cool
  • Limitations of Curve25519
  • DNSCurve Destroys The Caching Layer. This Matters.
  • DNSCurve requires the TLDs to use online signing
  • DNSCurve increases query latency
  • DNSCurve Also Can’t Sign For Its Delegations
  • What About CurveCP?
  • HTTPS Has 99 Problems But Speed Ain’t One
  • There Is No “On Switch” For HTTPS
  • HTTPS Certificate Management Is Still A Problem!
  • The Biggest Problem: Zooko’s Triangle
  • The Bottom Line: It Really Is All About Key Management


VeriSign announces DNSSEC interoperability tests, new DNSSEC iPhone app

VeriSign announced this week that Arbor Networks, Infoblox and RioRey have completed testing their technology solutions in the VeriSign DNSSEC Interoperability Lab, which evaluates “how equipment will interoperate in a DNSSEC-enabled environment.” A10 Networks, BlueCat Networks, Brocade, Cisco Systems and Juniper Networks also have tested their solutions in the lab.

The company also announced it is introducing a new iPhone app, DNSSEC Analyzer, described as a “mobile tool that can assist in diagnosing problems with DNSSEC-signed names and zones. The application will allow a quick diagnosis of any domain name, allowing knowledgeable users to view debugging information and receive useful tips on how to remediate any problems that are discovered.”

VeriSign is expected to complete DNSSEC deployment in .com by the end of the first quarter of this year. Go here to find more on its efforts to assist DNSSEC deployment.


JPRS deploys DNSSEC in .jp

Japan Registry Services (JPRS) announced January 16 that it has deployed DNSSEC in the .jp country-code top-level domain. The announcement outlined the registry’s deployment process:

JPRS considers that DNSSEC can effectively prevent the security threats caused by bogus DNS responses. Based on this understanding, it has introduced the specifications in Japan and performed testbeds and demonstrations in cooperation with the DNS operators at home and abroad with an aim to deploy DNSSEC. On October 17, 2010, JPRS started signing the JP zone and registered the key information (DS resource record) of the JP zone in the root on December 10, 2010. After confirming that the JP zone was properly validated by the root zone key as a trust point, and that existing DNS infrastructures were not adversely affected, JPRS has completed the deployment of DNSSEC in the JP domain name service this time.


Vixie becomes ISC chairman, cites DNSSEC as fix for “perfect storm”

Founder and president of the nonprofit Internet Systems Consortium (ISC) Paul Vixie will now be chairman and chief scientist of the company, with Barry Greene succeeding him as president. In making the announcement, Vixie cited the importance of deploying DNSSEC:

There are two huge technical crises arising simultaneously. The Internet is running out of address space and at the same time the level of criminal activity is increasing sharply. It’s the perfect storm. We need to deploy IPv6 and DNSSEC more or less simultaneously, and we need to develop and deploy, quickly, new technologies and new methodologies to measure and understand what is happening out there. I need to turn my full attention to these pressing and difficult problems…


PowerDNS now offers DNSSEC for testing as online signing tool

PowerDNS now offers PowerDNSSEC, an online signing tool that is ready for trial in test zones. Bert Hubert of Netherlabs Computer Consulting BV notes that “PowerDNS is carrier-grade supported open source. We expect our DNSSEC implementation to be suitable for deployment soonish. PowerDNSSEC will allow you to continue operating as normal in many cases, with only slight changes to your installation. There is no need to run signing tools, nor is there a need to rotate keys or run scripts.”

PowerDNS supports:
  • NSEC
  • NSEC3 in ordered mode (pre-hashed records)
  • NSEC3 in narrow mode (unmodified records, as discussed here earlier in the week)
  • Being a ‘signing-slave’ for legacy hidden master
  • Zone transfers (for NSEC)
  • Import of ‘standard’ private keys from BIND/NSD
  • Export of ‘standard’ private keys
  • RSASHA1
  • “Pure” PostgreSQL, SQLite3 & MySQL operations
  • Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
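The two NSEC3 modes in that list, and the “white lies” heading from the Kaminsky piece above, come down to when the NSEC3 owner-name hash is computed. The following is an added illustration, not PowerDNS code: it implements the RFC 5155 hash (SHA-1 over the wire-format name plus salt, iterated, base32hex-encoded), builds a pre-hashed chain the way ordered mode does, and synthesizes a hash-1 / hash+1 record the way narrow mode does. The salt aabbccdd and 12 iterations are the RFC 5155 Appendix A test parameters.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648 "Extended Hex"), which NSEC3 owner names use
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_digest(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1(x || salt), then re-hashed `iterations` more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def encode(digest):
    """20-byte digest -> 32-character base32hex label (160 bits need no padding)."""
    return base64.b32encode(digest).decode("ascii").translate(B32HEX).lower()

def nsec3_hash(name, salt=b"", iterations=0):
    return encode(nsec3_digest(name, salt, iterations))

def ordered_chain(names, salt=b"", iterations=0):
    """Pre-hashed ("ordered") mode: hash every name ahead of time; the NSEC3 chain is
    the sorted list of hashes, each record naming the next hash (the last wraps to the first)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covering_record(chain, qname, salt=b"", iterations=0):
    """Find the pre-computed NSEC3 whose (owner, next) gap contains the query's hash;
    that record is the denial-of-existence proof. Returns None when the name exists."""
    h = nsec3_hash(qname, salt, iterations)
    for owner, nxt in chain:
        wraps = nxt <= owner                      # last record wraps around to the first
        if (owner < h < nxt) or (wraps and (h > owner or h < nxt)):
            return owner, nxt
    return None

def white_lie(qname, salt=b"", iterations=0):
    """Narrow mode / "white lie": hash only the queried name at answer time and
    synthesize an NSEC3 spanning hash-1 .. hash+1. It proves non-existence without
    exposing the hashes of any real names, which is why it needs online signing."""
    n = int.from_bytes(nsec3_digest(qname, salt, iterations), "big")
    owner = encode(((n - 1) % 2**160).to_bytes(20, "big"))
    nxt = encode(((n + 1) % 2**160).to_bytes(20, "big"))
    return owner, nxt
```

The pre-hashed chain must be rebuilt whenever the zone changes and can be walked offline to enumerate name hashes; the narrow-mode record is computed per query and leaks nothing beyond the queried name, at the cost of signing each answer on the fly.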

You can access documentation for PowerDNSSEC and  use a wiki to learn more about PowerDNSSEC configuration, help and known issues.


ICANN releases survey of DNS security for national computer security incident response teams

ICANN has released findings from its August 2010 survey of national computer security incident response teams, or CSIRTs. Surveys were distributed to 55 CSIRTs with national responsibility via one of four channels: the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC, distributed worldwide), the European Network and Information Security Agency (ENISA, covering the European region), APCERT (covering the Asia-Pacific region) and the Organization of Islamic Conference-CERT secretariat (OIC-CERT, covering Islamic countries). The full report notes that “the survey results are not comprehensive enough data to draw any broad conclusions.”


BGP, RPKI efforts at DHS follow path of DNSSEC deployment

The U.S. Department of Homeland Security is mounting an effort similar to this initiative promoting DNSSEC deployment, this time for the Internet’s routing protocol, the Border Gateway Protocol, or BGP. Similarities between the two efforts were noted in a Network World interview with Douglas Maughan, Ph.D., who directs the cybersecurity division in the DHS Science and Technology Directorate. Of DNSSEC adoption, he said:

I’m optimistic. Over 60 zones are signed. The key thing in my mind was the result of .org’s operational experience. They saw minimal impact of DNSSEC to their operational performance. Everybody was claiming that the impact would be a 30% to 50% performance hit, but .org will tell you that’s not the case. We’ve been able to shake out any performance concerns that the naysayers had and show them that it works. Now we’re getting .net and .com signed. We’re starting to have discussions with CISOs of major companies like PayPal and Google to say that now that .com is being signed, what are your plans? We’ve made a lot of progress this year. We signed the root, and some said that would never happen.

Maughan also noted that he would encourage corporate CIOs to “get on the DNSSEC bandwagon as soon as they can, especially if they are a dot-com. This becomes a way for them to provide another layer of security for their own infrastructure and for the people who use their infrastructure.”


Financial services industry, U.S. government to partner on cybersecurity

Government Computer News reports that the U.S. financial services industry will team up with the U.S. Department of Homeland Security and the U.S. National Institute of Standards and Technology on cybersecurity research and development, with the goal of speeding commercialization of cybersecurity research in a critical sector. The move could ease DNSSEC deployment with the creation of new testbeds and other efforts.

A White House blog post by Aneesh Chopra, U.S. chief technology officer, and Howard A. Schmidt, cybersecurity coordinator and special assistant to the President, notes that the Financial Services Sector Coordinating Council (FSSCC)’s “participants include banks, credit unions, insurance companies, payment services, trading firms, and others…[It] supports research and development initiatives to protect the physical and electronic infrastructure of the banking and finance sector and to protect its customers by enhancing the sector’s resilience and integrity.”

Both NIST and the DHS Science & Technology Directorate are partners in the DNSSEC Deployment Coordination Initiative, and GCN notes that “NIST also has worked with DHS in establishing testbeds for advanced networking tools and security technologies such as the DNS Security Extensions (DNSSEC) and Border Gateway Protocol Security. This early work could speed the establishment of a test environment for financial services, Romine said. ‘A lot of the groundwork has been laid.’” Charles Romine is the acting associate director for laboratory programs at NIST.

Read the full memorandum of understanding here.


DNSSEC deployment in .net caps ICANN Cartagena meeting

VeriSign announced today that DNSSEC has been deployed in the .net zone, noting that the zone is the:

largest yet to be DNSSEC enabled, with more than 13 million domain name registrations worldwide. The .net signing also represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions.

The announcement came at the end of the ICANN meeting in Cartagena, which featured DNSSEC in the president’s opening statement, a DNSSEC for Beginners workshop and a full day session on deployment in the region and around the world.

VeriSign expects to sign the .com zone in the first quarter of 2011. During the ICANN meeting this week, VeriSign executives pointed to a Forrester Research study, expected to be released next week, that they say demonstrates increasing demand for DNSSEC in enterprises, fueled by higher customer demand.
