Japan Registry Services (JPRS) announced January 16 that it has deployed DNSSEC in the .jp country-code top-level domain. The announcement outlined the registry’s deployment process:

JPRS considers that DNSSEC can effectively prevent the security threats caused by bogus DNS responses. Based on this understanding, it has introduced the specifications in Japan and performed testbeds and demonstrations in cooperation with the DNS operators at home and abroad with an aim to deploy DNSSEC. On October 17, 2010, JPRS started signing the JP zone and registered the key information (DS resource record) of the JP zone in the root on December 10, 2010. After confirming that the JP zone was properly validated by the root zone key as a trust point, and that existing DNS infrastructures were not adversely affected, JPRS has completed the deployment of DNSSEC in the JP domain name service this time.

Founder and president of the nonprofit Internet Systems Consortium (ISC) Paul Vixie will now be chairman and chief scientist of the company, with Barry Greene succeeding him as president. In making the announcement, Vixie cited the importance of deploying DNSSEC:

There are two huge technical crises arising simultaneously. The Internet is running out of address space and at the same time the level of criminal activity is increasing sharply. It’s the perfect storm. We need to deploy IPv6 and DNSSEC more or less simultaneously, and we need to develop and deploy, quickly, new technologies and new methodologies to measure and understand what is happening out there. I need to turn my full attention to these pressing and difficult problems…

PowerDNS now offers PowerDNSSEC, an online signing tool that is ready for trial in test zones.  Bert Hubert of Netherlabs Computer Consulting BV notes that “PowerDNS is carrier-grade supported open source. We expect our DNSSEC implementation to be suitable for deployment soonish. PowerDNSSEC will allow you to continue operating as normal in many cases, with only slight  changes to your installation. There is no need to run signing tools, nor is there a need to rotate keys or run scripts.”

• NSEC
• NSEC3 in ordered mode (pre-hashed records)
• NSEC3 in narrow mode (unmodified records)
• (as discussed here earlier in the week)
• Being a ‘signing-slave’ for legacy hidden master
• Zone transfers (for NSEC)
• Import of ‘standard’ private keys from BIND/NSD
• Export of ‘standard’ private keys
• RSASHA1
• “Pure” PostgreSQL, SQLite3 & MySQL operations
• Hybrid BIND/PostgreSQL/SQLite3/MySQL operation

You can access documentation for PowerDNSSEC and  use a wiki to learn more about PowerDNSSEC configuration, help and known issues.

ICANN has released findings from its August 2010 survey of national computer security incident response teams or CSIRTs.  Surveys were distributed to 55 CSIRTs with national responsibility, via one of four channels: the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) (distributed worldwide), the European Network and Information Security Agency (ENISA, covering the European region), APCERT (covering the Asia-Pacific region) and the Organization of Islamic Conference-CERT secretariat (OIC-CERT, covering Islamic countries) to 55 CSIRTs with national responsibility.  The full report notes that “the survey results are not comprehensive enough data to draw any broad conclusions.”

The U.S. Department of Homeland Security is mounting an effort similar to this initiative promoting DNSSEC deployment, this time for the Internet’s routing protocol, border gateway patrol, or BGP.  Similarities between the two efforts were noted in an interview with Network World, Douglas Maughan, Ph.D., who directs the cybersecurity division in the DHS Science and Technology Directorate. Of DNSSEC adoption, he said:

I’m optimistic. Over 60 zones are signed. The key thing in my mind was the result of .org’s operational experience. They saw minimal impact of DNSSEC to their operational performance. Everybody was claiming that the impact would be a 30% to 50% performance hit, but .org will tell you that’s not the case. We’ve been able to shake out any performance concerns that the naysayers had and show them that it works. Now we’re getting .net and .com signed. We’re starting to have discussions with CISOs of major companies like PayPal and Google to say that now that .com is being signed, what are your plans? We’ve made a lot of progress this year. We signed the root, and some said that would never happen.

Maughan also noted that he would encourate corporate CIOs to “to get on the DNSSEC bandwagon as soon as they can, especially if they are a dot-com. This becomes a way for them to provide another layer of security for their own infrastructure and for the people who use their infrastructure.”

Government Computer News reports that the U.S. financial services industry will team up with the U.S. Department of Homeland Security and the U.S. National Institute of Standards and Technology on cybersecurity research and development, with the goal of speeding commercialization of cybersecurity research in a critical sector.  The move could ease DNSSEC deployment with the creation of new testbeds and other efforts.

A White House blog post by Aneesh Chopra, U.S. chief technology officer, and Howard A. Schmidt, cybersecurity coordinator and special assistant to the President, notes that Financial Services Sector Coordinating Council (FSSCC)’s ” participants include banks, credit unions, insurance companies, payment services, trading firms, and others…[It] supports research and development initiatives to protect the physical and electronic infrastructure of the banking and finance sector and to protect its customers by enhancing the sector’s resilience and integrity.”

Both NIST and the DHS Science & Technology Directorate are partners in the DNSSEC Deployment Coordination Initiative, and GCN notes that “NIST also has worked with DHS in establishing testbeds for advanced networking tools and security technologies such as the DNS Security Extensions (DNSSEC) and Border Gateway Protocol Security. This early work could speed the establishment of a test environment for financial services, Romine said. “A lot of the groundwork has been laid.” Charles Romine is the acting associate director for laboratory programs at NIST.

Read the full memorandum of understanding here.

VeriSign announced today that DNSSEC has been deployed in the .net zone, noting it the zone is the:

…largest yet to be DNSSEC enabled, with more than 13 million domain name registrations worldwide. The .net signing also represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions.

The announcement came at the end of the ICANN meeting in Cartagena, which featured DNSSEC in the president’s opening statement, a DNSSEC for Beginners workshop and a full day session on deployment in the region and around the world.

VeriSign expects to sign the .com zone in the first quarter of 2011.  During the ICANN meeting this week, VeriSign executives pointed to a Forrester Research study–expected to be released next week–that they say demonstrates increasing demand for DNSSEC in enterprises, fueled by higher customer demand.

DNSSEC once again plays a major role at this week’s ICANN meeting, taking place in Cartagena de Indias from December 5-10.

ICANN President Rod Beckstrom gave a report that opened the meeting, and noted:

Thanks to community efforts, DNSSEC is being deployed aggressively around the world. Fifty TLDs have been signed and are in the root, and at least 15 more are in the works. A number of new registry operators are implementing DNSSEC in top level domain zones. .net will be ready for DNSSEC validation this week – a major milestone – and .com is on track for validation by March 2011, when we meet in San Francisco for the 40th ICANN meeting.

Yesterday, a workshop on DNSSEC for Beginners featured speakers from VeriSign, Nominet and ISC, as well as Sparta’s Russ Mundy, a partner in the DNSSEC Deployment Coordination Initiative.   Go to the link for resources from the workshop, and listen to an MP3 audiocast here.

Noting that “we are now entering an exciting phase where DNSSEC can become an operational reality for everyone,” Initiative partners and a host of speakers will convene on Wednesday for an all-day DNSSEC Workshop.  Panels and presentations in this workshop will cover:

• DNSSEC adoption issues for registries and registrars and successful marketing approaches for DNSSEC.
• The diversity of approaches for implementing DNSSEC across both registrars and registries, with a focus on how the size of each organization affects the tools and technologies deployed.
• An overview of open-source DNSSEC tools.
• Presentations on the uptake of DNSSEC validating resolvers from a group of leading ISPs.
• Updates on regional and worldwide DNSSEC deployment activities.

Featured will be speakers from the Initiative and from Afilias, AusRegistry, Comcast, CZ.NIC, GoDaddy, ICANN, Internet Infrastructure Foundation (.SE), Internet Systems Corporation, LACTLD, Monster, NIC.br, Nominet, Public Interest Registry,  SIDN, SURFNet, and VeriSign. Remote participation can be accessed through this virtual meeting room. Links to presentations are already available, and transcripts will be available later this week at the main workshop link noted above.

VeriSign announced that it will offer a new in-the-cloud DNSSEC signing service to registrars to help them sign domain names and manage keys without investing in additional equipment and resources.  Pat Kane, Assistant General Manager of Naming Services at VeriSign, noted, “we want to do everything we can to encourage the adoption of DNSSEC, which is an essential tool for securing the Internet.”

The new service provides the initial cryptographic signing, routine re-signing of zone resource records and management of key rollover schedules and zone re-signing.  An evaluation period will be offered to VeriSign’s registrar partners to review the service; the offer ends at the end of 2011.

Japan’s registry service, JPRS, has announced it will introduce DNSSEC in .jp domain name services in mid-January 2011.  It noted:

JPRS regards DNSSEC as the most effective and feasible current solution against the security threats caused by frauds of DNS responses. Based on this view, JPRS has researched and developed the method of implementing DNSSEC into large-scale zones, while discussing operational technology and roadmap toward diffusion through collaboration with DNS-related parties from home and abroad.

At present, we are conducting tests and reviews of specifications in order to implement DNSSEC, as well as performing technological evaluation with a wide range of DNS-related parties listed below.

In addition to deploying DNSSEC in .jp and the domain name services it provides, JPRS will be “conducting promotional and educational activities and providing information to different DNS-related parties categorized as follows.”