Comcast is 1st major U.S. ISP to roll out DNSSEC
Posted by Denise Graveline in Uncategorized on October 20, 2010
Comcast has begun migrating customers to DNS servers using DNSSEC protections as part of its production roll-out of DNSSEC. Comcast executive director for Internet systems Jason Livingood tells us, “So far this year, our production deployment trial has been opt-in only. Starting [this week], customer DNS IP addresses will start to change via DHCP lease updates.” The announcement notes that:
Best of all, customers will not need to take any action and should not notice any changes to their service, though behind-the-scenes that service will be more secure. As the first major Internet Service Provider (ISP) to do so in the United States, our customers are among the first to be getting these new security capabilities, which is part of our continuing push for a more secure Internet experience for both our customers as well as the global Internet.
Livingood also notes that, as part of the roll-out, “we have deliberately broken DNSSEC for a domain so we and others can test what happens when validation breaks.” The results are here.
Comcast also has made available a DNSSEC public service announcement for its customers, featuring G4 Network’s “Attack of the Show” co-host Kevin Pereira:
Sandia National Labs offers DNS visualization tool
Posted by Denise Graveline in Uncategorized on October 13, 2010
DNSviz, a new tool from Sandia National Laboratories, aims to help users visualize the status of a DNS zone, showing the DNSSEC authentication chain for a particular domain name and its resolution path in the DNS namespace. Designed as an aid in understanding and solving problems in DNSSEC deployment, the tool also lists the configuration errors it detects. (Above, part of the analysis for dnssec-deployment.org.) Feedback is encouraged for the new tool.
Comcast expands NLnet Foundation grants for DNSSEC
Posted by Denise Graveline in Uncategorized on October 13, 2010
Comcast has announced it will contribute $15,000 to an NLnet Foundation grant program designed to help open-source developers add DNSSEC features to their applications, in an effort to “help fund some developers to start working on DNSSEC-aware applications, and motivate others to do the same.”
NLnet describes the vision behind the fund this way:
Of course it is already a big win that the chain can henceforth be trusted up to the point where providers relay the answer to the client. But this is not good enough for perfectly normal use such as using a (potentially hostile) public wifi hotspot: for end users to fully benefit from DNSSEC in such cases, the software on the end user side should be able to validate DNSSEC signatures as well – especially on sensitive data like digital security keys and certificates. Most (but not all) applications depend on higher level services to handle DNS, which means that these service stacks need to be updated in all operating systems. Specific client software using their own built-in DNS services, like realtime communication software (e.g. SIP, XMPP), messaging servers and browsers, also will need to be adapted.
Comcast’s executive director for Internet systems, Jason Livingood, noted:
As Comcast and other ISPs implement DNSSEC, and domain owners start to cryptographically sign their domains, we can see a point in the near future where applications may start to show end users some indication that a domain has been secured with DNSSEC. This may be much like a web browser shows a special lock icon when a user visits a website secured with SSL.
Go here for more information or to apply for a grant.
More TLDs deploy, and new ICANN tool shows deployment statistics
Posted by Denise Graveline in Uncategorized on October 12, 2010
Five Caribbean top-level domains have successfully deployed DNSSEC, including .ag (Antigua and Barbuda), .bz (Belize), .hn (Honduras), .lc (Saint Lucia), and .vc (Saint Vincent and the Grenadines). The five TLDs are managed by Afilias.
ICANN research also offers this Venn diagram with updated statistics on top-level domain deployment of DNSSEC. As of this writing, it reports:
9 leaders weigh in on significance of DNSSEC deployment
Posted by Denise Graveline in Uncategorized on October 11, 2010
dnssec.net has published the views of nine top executives and organizations on “DNSSEC Advantage: Reasons for deploying DNSSEC.” Each viewpoint includes a look at the significance of steps leading toward deployment and asks questions about what lies in the future.
The series includes contributions from:
- Jeremy Hitchcock, CEO, Dyn, Inc.
- Warren Adelman, President and Chief Operating Officer, The GoDaddy Group
- Olaf Kolkman, Director, NLNet Labs
- Roland van Rijswijk, Technical Product Manager, SURFnet
- Paul Vixie, President, Internet Systems Consortium
- Anne-Marie Eklund Lowinder, Quality and Security Manager, .SE
- Mark Beckett, Vice President of Marketing, Secure64 Software Corp.
- Ron Aitchison, Author, Pro DNS and BIND
- European Network and Information Security Agency (ENISA)
NANOG 50 hears DNSSEC updates
Posted by Denise Graveline in Uncategorized on October 8, 2010
Duane Wessels of VeriSign, Wes Hardaker of SPARTA/Cobham, and ICANN’s Mehmet Akcin presented on the signing of the root zone and updates on what’s happened since the root signing, at NANOG 50, the North American Network Operators’ Group conference in Miami this week. Attendees heard about “benefits that can be gained from making applications DNSSEC-capable and some of the DNSSEC-capable applications that are available today.” You can find all the DNS and DNSSEC presentations from NANOG 50 here.
EDUCAUSE Quarterly shares LSU expertise with deployment
Posted by Denise Graveline in Uncategorized on October 5, 2010
EDUCAUSE Quarterly has published “Helping Secure the Internet with DNSSEC,” detailing the deployment experience within the lsu.edu domain at Louisiana State University. Authors John C. Borne, the university’s chief IT security and policy officer, and LSU manager Allie Hopkins describe the university’s process and considerations in testing and deploying DNSSEC, and conclude:
From LSU’s perspective, we would very much like to see it grow and succeed through a rapid, yet voluntary, sequence of adoption. It’s a pretty solid bet that, whether by regulation or incentive, organizations will feel more pressure from governmental, standards, and industry groups attempting to induce adoption of DNSSEC. As more DNSSEC-aware appliances and applications come online, popular demand may combine with the influence of these groups to make DNSSEC nearly ubiquitous and allow it to deliver its maximum benefit. In adopting DNSSEC at LSU, we have ignored its imperfections. What other solution has a better chance of success? Despite weaknesses, or the many things it will not protect us from, DNSSEC still provides good protection and, more importantly, a basis upon which to build improved security for the Internet.
EDUCAUSE, a nonprofit organization, works to advance Internet issues within the U.S. higher education community.
Deployment updates continue
Posted by Denise Graveline in Uncategorized on October 4, 2010
- Germany-based InterNetX announced it now offers DNSSEC for the .ch (Switzerland) and .li (Liechtenstein) domains; it is the first partner of SWITCH, a provider of internet services for universities and users, to do so.
- Denmark’s .dk country-code top-level domain has deployed DNSSEC (announcement in Danish).
- The U.S. federal government announced new IPv6 requirements for U.S. federal agencies, which must “run native IPv6 on their Web, email, ISP, and DNS servers and services by the end of fiscal year 2012, and their internal client applications by fiscal year 2014,” according to Dark Reading.
- Nominet, which manages .uk, issued this incident report on the accidental release of a new zone-signing key into its live zone file. The report includes a diagnosis of what occurred and procedures being put in place to avoid a similar incident in the future.
- Government Computer News reported on a new study on DNSSEC deployment by U.S. federal agencies which showed slow adoption of DNSSEC. Conducted for the Internet security company Internet Identity, the study “found that 38 percent of the federal domains tested had been digitally signed using the DNSSEC by mid-September.”
- Patches have been issued by the Internet Systems Consortium (ISC) for a DNSSEC-validation vulnerability found in “the widely deployed BIND DNS server’s DNSSEC implementation,” according to eSecurity Planet. Infoblox vice president Cricket Liu said the vulnerability has a low severity rating from ISC and network administrators should simply upgrade to the latest version of BIND to achieve the needed protection.
Mohan advice to CIOs on DNS security
Posted by Denise Graveline in Uncategorized on September 27, 2010
Afilias Executive Vice President and Chief Technology Officer Ram Mohan recently shared what every CIO should do about DNS security, on SecurityWeek.com. From the article:
Companies may spend millions creating and promoting their brand in the offline world, forgetting that on the Internet their domain name is their brand. It’s often the case that it is only after a company’s DNS has come under attack, or after it has suffered downtime with a non-malicious cause, that CIOs start thinking about DNS strategically….When it comes to critical infrastructure such as DNS, the first step for CIOs is recognizing the fact that a company’s domain name is not only the online ambassador for its brand, but also the glue that holds the whole Internet-based business together. From there, the appropriate strategic decisions will surely follow.
AFNIC signs a flurry of French domains
Posted by Denise Graveline in Uncategorized on September 22, 2010
AFNIC, the French registry, has kicked off DNSSEC deployment with a series of activities this month. It announced it has DNSSEC-signed the country-code top-level domains (ccTLDs) .fr and .re for France and the Reunion Islands, and that it has published the DNSSEC keys for .yt and .tf in the root zone, the ccTLDs for Mayotte and the Territory of the French Southern and Antarctic Lands, respectively.
This week, beginning on September 20, AFNIC will release version 3 of “ZoneCheck,” its DNS configuration test tool, a free software tool that integrates DNSSEC configuration tests. It is available on www.zonecheck.fr. You can read AFNIC’s issue paper on DNSSEC here.