Comcast signs 90% of its domain names; urges commerce, banking domain owners to deploy DNSSEC

Comcast’s vice president for Internet systems, Jason Livingood, updated the company’s progress in deploying DNSSEC today. Noting that the company has signed more than 90% of its domain names, Livingood called on banking and commerce domain owners to sign their domains. From the blog post:

Since 2010, our deployment has steadily progressed and we have reached a couple of significant milestones. First, Comcast owns thousands of domains such as comcast.com. We have now cryptographically signed more than 5,000 of our domains, representing over 90% of our domain names. Second, we now have 50% of our 17.8M Internet customers using our DNSSEC-validating servers. We expect to complete signing all of our domain names and having all of our customers use our DNSSEC-validating servers in early 2012.

Now that millions of Internet users in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially for commerce and banking-related sites, to begin signing their domain names. PayPal has already taken this important step, which we applaud, and we encourage other domains to follow their lead.


DHS wins national cybersecurity award for DNSSEC work

The SANS Institute, which operates the Internet Storm Center, has awarded the 2011 U.S. National Cybersecurity Innovation award to the U.S. Department of Homeland Security’s Cyber Security Research & Development Center. The center is part of the Cyber Security Division of the agency’s Science and Technology Directorate. The division sponsors the DNSSEC Deployment Coordination Initiative, which works to encourage all sectors to voluntarily adopt security measures that will improve security of the Internet’s naming infrastructure as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors.

The institute announced that the award recognizes the creation of “a federal cybersecurity research and development program that ensures that the research funded by federal agencies has a practical effect in reducing cyber risk….This has required the R&D community to think beyond the theoretical and to consider a more practical horizon.” It noted that “In particular, DHS S&T’s long-term support of DNSSEC ensures that public users of online government services are confident the website they visit and over which they transmit information is an authentic government website and is secure.”

“It’s gratifying to see our six years of support for DNSSEC recognized in this way,” said Douglas Maughan, Ph.D., who directs the DHS division for cyber security R&D. “DNSSEC is a great example of how research can pay off, through a process that continually calls upon researchers to focus on work that can result in real products and real risk reductions.  DNSSEC today is providing increased security for the Internet infrastructure and is impacting Internet operations organizations, private industry, and the U.S. Government.”

Edward Rhyne, the division’s program manager, accepted the award from White House Cyber Coordinator Howard Schmidt at the National Cybersecurity Innovation Conference in Washington, DC, on October 11.


Photos from ICANN DNSSEC workshop in Dakar now online

 

The Network Startup Resource Center has posted an album of photos from the recent DNSSEC workshop at the ICANN meeting in Dakar, including this photo of Initiative partner Steve Crocker, CEO of Shinkuro, Inc. and chairman of the board of ICANN.


New video demonstrates DNSSEC-Nodes utility from DNSSEC-Tools

Wes Hardaker demonstrates the DNSSEC-Nodes utility, which is a graphical DNS visualization tool from the DNSSEC-Tools software suite. The tool is intended for visually demonstrating and debugging DNS and DNSSEC deployments.


Sharp criticism for PROTECT-IP and SOPA legislation impact on DNSSEC

A variety of individuals and institutions have been opposing two congressional legislative proposals that would impact DNSSEC. Among them:

  • Google Executive Chairman Eric Schmidt spoke against the two legislative proposals in a speech at the MIT Sloan School of Management, calling them “draconian” and “censorship.”
  • The Brookings Institution has issued a new report, Cybersecurity in the Balance: Weighing the Risks of the PROTECT-IP Act and the Stop Online Piracy Act, calling the legislative proposals “the first legislation that pits our cybersecurity priorities against entrenched economic interests, highlighting a very real social choice.”
  • On the Public Knowledge policy blog, Ernesto Falcon writes about the Federal Bureau of Investigation’s recently unveiled Operation Ghost Click, “a multi-year operation that dismantled an international cyber ring that hacked into four million computers worldwide,” using vulnerabilities in the domain name system to do so. Falcon, a former aide to U.S. Representative Bart Stupak (D-Mich.), wrote “Hopefully, Operation Ghost Click will show Congress that DNSSEC has extraordinary value to the public and should not be sacrificed for minimal gains against Internet piracy.”


New report looks at DNSSEC deployment in UK, EU

A new report from InterConnect Communications compares the United Kingdom’s progress in deploying DNSSEC with that of European Union member states and other G20 nations. The report also looks at the progress of UK registry Nominet, compared to other national registries in DNSSEC deployment, and identifies technical and economic barriers to deployment, as well as barriers preventing adoption and deployment by UK hosting providers, Internet Service Providers and businesses. From the report:

 The crucial barrier to DNSSEC deployment in the UK is an economic and commercial one: lack of concrete demand in commercial settings. The UK is now in a position to see if a small set of early adopters will lead to the critical mass necessary for ISPs, hosting companies and registrars to begin offering DNSSEC related services and products.

The report also concludes that “The UK is the second largest Country Code Top Level Domain (ccTLD) in Europe and is now ready for wide-scale production deployment of DNSSEC for .UK domain holders. Amongst G20 nations, the UK is also the second largest of the signed zones ready for production.”

The 52-page report offers extensive analysis of UK and European deployment and corporate adoption of the protocols as well as comparative data from G20 nations.


Papers, presentations offer DNSSEC updates, perspective

Recent papers and presentations offer new updates and perspectives on how DNS and DNSSEC are evolving. Here are three sources of useful information on DNSSEC deployment:
  • Presentations from the recent DNS Easy 2011 Workshop at the Global Cyber Security Center in Rome, held in October, are now online, including those on evolution in the DNS, potential impact of failure in DNSSEC validation, DNSSEC automation and monitoring and more. Presenters included representatives from China, Italy, Japan, the Netherlands, and the U.S.
  • Minimizing Information Leakage in the DNS, by Scott Rose and Anastase Nakassis of the U.S. National Institute of Standards and Technology, addresses “an unfortunate side effect of signed DNS nodes: an attacker can query them as reconnaissance before attacking individual hosts on a particular network.” The paper offers options for minimizing zone information leakage while retaining the benefits of DNSSEC-signed zones.
  • DANE: Taking TLS Authentication to the Next Level Using DNSSEC, by Richard L. Barnes, appears in the most recent issue of the IETF Journal. It notes that, “while DANE holds the promise of more direct authentication, it will also create some new security challenges” and require DNS operators to “play a more critical role in securing applications.” The journal editor noted “The advent of DNSSEC deployment raises the intriguing possibility of using the DNS as a secure repository for certificates in the future. In our cover article, Richard Barnes offers a detailed overview of the DANE working group’s efforts to make this possibility a technical reality.”


ICANN Dakar meeting to hear DNSSEC updates, tutorials

ICANN 42 has begun in Dakar, Senegal, running from October 23-28. DNSSEC deployment is featured on the program in two key sessions at the meeting:

  • DNSSEC for Everybody–A Beginner’s Guide, taking place on Monday at 16:00, will cover the basic and core concepts of the domain name system and the chain of trust, as well as real-world examples of DNSSEC in action. Presenters include Roy Arends and Simon McCalla of Nominet; Norm Ritchie of ISC; and Russ Mundy of Cobham. An agenda and options for virtual participation are included at the link.
  • DNSSEC Workshop, a half-day session beginning at 8:30 on Wednesday, will look at DNSSEC deployment around the world; share best practices for deployment in ISPs; review top-level domain deployment updates; and discuss blocking and DNSSEC, DNSSEC in the wild, and the long-term consequences of DNSSEC deployment and IPv6. The panels will include speakers from AFTLD, Cobham, CZNIC, DENIC, Global Cyber Security Center, ICANN, IKS-JENA, ISC, .KE, .NA, NIC.FR, NSRC/TRSTECH and AfriNIC, PIR/Afilias, Shinkuro, .SN, and VeriSign. Presentations, an agenda and remote participation options are at the link.


Congressional cloud computing hearing: DNSSEC ‘crucial’ to FedRAMP

In congressional testimony on the security implications of cloud computing, John Curran, President and CEO of ARIN, the American Registry for Internet Numbers, noted the importance of DNSSEC and IPv6 in securing the cloud:

These new standards are quite important in protecting the global Internet from cybercrime, in that they insure that Internet users reach the actual web site that they intended to, and that their communication is protected in the process. When it comes to agency use of cloud computing services, these protections are equally important, since these services are reached over the public Internet.

Curran said it is “crucial” that the Federal Risk and Authorization Management Program, or FedRAMP, “clearly and unambiguously incorporates DNSSEC and IPv6.” He testified before the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee of the House Homeland Security Committee.

NANOG 53 to meet in Philadelphia, focus on DNSSEC

NANOG, the North American Network Operators’ Group, convenes its 53rd meeting in Philadelphia beginning Sunday, October 9, followed by the 27th meeting of ARIN, the American Registry for Internet Numbers. DNSSEC-related sessions on the NANOG program include:

  • A DNSSEC tutorial on Sunday, October 9, led by Verisign’s Matt Larson; and
  • A tutorial titled “You can’t do that with nslookup: DNS(sec) troubleshooting,” led by Michael Sinatra of the University of California, Berkeley.
