Top-level domains for  Gibraltar (.gi), Mongolia (.mn), and the Seychelles (.sc) are now DNSSEC-enabled, Afilias has announced.  The move is part of “Project Safeguard” at Afilias, which now has 11 secured TLDs on its registry platform.

SIDN, manager of The Netherlands’ .nl zone and ENUM NL, has published the public key for .nl in the root and created a “Friends & Fans” program to encourage DNSSEC deployment and gain practical experience with the security extensions.

DNSSEC-experienced registrants now have “the option of publishing the ‘public keys’ for a small number of domain names,” and including them in the .nl zone file, beginning with sidn.nl, gigaport.nl and surfnet.nl.

SIDN CEO Roelof Meijer noted:

The Friends and Fans program is the next step towards the introduction of DNSSEC for all .nl domain names. That goal should be achieved by the end 2011. Over the last few months, we have seen market interest in DNSSEC really start to take off: about 60 TLDs (top-level domains) are now signed, compared with just 20 at the start of the year. In March 2011, .com is going to be signed as well, and we fully anticipate still greater interest in DNSSEC before the year is out.

At BlackHat in Abu Dhabi yesterday, security researcher Dan Kaminsky released “Phreebird,”  a free toolkit designed to show organizations how easy DNSSEC is to implement by letting them try it out.  Dark Reading notes:

The goal is to show how DNSSEC could be used to “bootstrap” trust — a.k.a. authentication — across organizations, he says, authenticating clients, business partners, customers, contractors, and other groups with one another….Kaminsky hopes to dispel concerns that DNSSEC will be complex, disruptive, and expensive to deploy in organizations. “Application developers don’t want to be cryptography experts,” Kaminsky says. “They just want the key … and to move on.”

You can find the new toolkit on the BlackHat website.

 IETF convened in Beijing, China, and DNSSEC’s deployment in Asian nations took center stage, including these steps forward:

• Afilias will collaborate with .asia to bring DNSSEC implementation to the domain. The DotAsia Organization oversees the “.Asia” top-level Internet domain name, and is a regional consortium that includes .cn (China), .jp (Japan), .kr (Korea), .in (India), .nz (New Zealand), and .ph (Philippines),  as well as the regional Internet organizations APNIC, APNG, APCERT, PAN and APTLD.
• DNSSEC is enabled for India’s .in top-level domain, Afilias announced.  The .in TLD represents more than 700,000 domains.
• AFNIC announced that the .wf top-level domain for the South Pacific island territory Wallis and Futuna has been signed with DNSSEC.

In other news, the registry for .eu top level domains (TLDs) EURid reports that 87% of the world’s TLD internet operators have yet to deploy DNSSEC.

ICANN’s Interim Trust Anchor Repository (ITAR), designed to help move DNSSEC deployment forward before the root zone was signed, is now being retired.  As of November 4, no new listings will be accepted. Existing listing are expected to be removed around November 18, and the entire service will stop in January 2011, ICANN announced.

Dozens of early DNSSEC-adopting top-level domain operators were able to use the ITAR to publish their trust anchor in absence of a signed DNS root zone. ICANN notes that the ITAR supported more than 100 such listing requests during its lifetime.

VeriSign has shared its plans for deploying DNSSEC in the .net and .com operational community. Matt Larsen of VeriSign issued the following schedules today:

The .net DNSSEC deployment consists of the following major milestones:

September 25, 2010: The .net registry system was upgraded to allow
ICANN-accredited registrars to submit DS records for domains under
.net. These DS records will not be published in the .net zone until
the .net zone is actually signed. Each registrar will implement
support for DNSSEC on its own schedule, and some registrars might be
accepting DS records for .net domains now.

October 29, 2010: A deliberately unvalidatable .net zone will be
published. Following the successful use of this technique with the
root DNSSEC deployment, VeriSign will publish a signed .net zone with
the key material deliberately obscured so that it cannot be used for
validation. Any DS records for .net domains that have been submitted
by registrars will be published in the deliberately unvalidatable
zone.

December 9, 2010: The .net key material will be unobscured and the
.net zone will be usable for DNSSEC validation. DS records for .net
will appear in the root zone shortly thereafter.

The .com DNSSEC deployment will occur in the first quarter of 2011 and
will consist of the following major milestones:

February, 2011: The .com registry system will be upgraded to allow
ICANN-accredited registrars to submit DS records for domains under
.com. These DS records will not be published in the .com zone until
the .com zone is actually signed.

March, 2011: A deliberately unvalidatable .com zone will be published.
Any DS records for .com that have been submitted by registrars will be
published in the deliberately unvalidatable zone.

March, 2011: The .com key material will be unobscured and the .com
zone will be usable for DNSSEC validation. DS records for .com will
appear in the root zone shortly thereafter.

The trinity:~shyam$: Inside Mozilla IT blog shared this look at “Implementing DNSSEC for mozilla.org,” noting that DNSSEC deployment was an internal goal last quarter.  Author Shyam “is the only person on the Mozilla IT team outside the USA,” and walks readers through nine steps of deployment with his tips and advice. He notes:

I’ve never had a chance to work hands on with DNS in a large setup…it has always been “managed” DNS and that was never much of a challenge. DNSSEC was an awesome goal to work on and I had a lot of fun working on it. At first sight, DNSSEC is a little daunting – fairly new technology with a gazillion specs and RFCs but once you get a hang of the concepts, it’s easy to work with.

The author plans on a “starting from scratch to DNSSEC ready” article next.

“Now is an opportune time for applications to begin to take advantage of some of the benefits that DNSSEC provides.”  That’s the message in a plenary session for app developers on DNSSEC at AppSec DC 2010,  a conference sponsored by The Open Web Application Security Project (OWASP) next month, November 10 and 11, in Washington, DC. 

Initiative partner Suresh Krishnaswamy of Sparta, Inc. will lead this November 10 session on “Providing application-level assurance through DNSSEC.”  It will include information on:

• A Firefox browser extension that supports various DNSSEC indicators;
• An API that has been developed and the modifications made to the application user interface;
• Encouragement for application developers to consider DNS security implications in their Internet and web applications.

Go here to register and learn more about the conference.

The Sandia National Lab DNS visualization tool, DNSViz, now has a new contact form through which you can share feedback on the tool.  Share your comments at http://dnsviz.net/contact/.

.ORG, the Public Interest Registry, has launched a “Practice safe DNS” campaign as part of the U.S. National Cyber Security Awareness Month, with the goal to “serve as a key resource for domain holders, registrars, web developers and IT professionals to learn how they can respectively play a increasingly relevant role in providing a safer and more secure Internet.”

The site includes video testimonials from Vint Cerf of Google, Initiative partner Steve Crocker of Shinkuro, Inc., Jim Galvin and Ram Mohan of Afilias, Dan Kaminsky of Recursion, and Cricket Liu, of Infoblox.  The campaign also is active on Facebook and Twitter.  The introductory video appears above.