SIDN implements DNSSEC in .nl
Posted by Denise Graveline in Uncategorized on August 23, 2010
SIDN has announced that it has implemented DNSSEC in .nl, the world’s third-largest country code top-level domain. The announcement describes next steps:
Early [in] October, SIDN will be offering registrants who have experience of using DNSSEC the opportunity to provide ‘trust anchors’ for their domain names. The small number of anchors involved will then be added to the .nl zone file by SIDN. This Friends and Fans Programme will continue until it is possible to secure all .nl domain names using DNSSEC. SIDN intends to pursue the gradual further rollout of DNSSEC with a view to guaranteeing the availability of the .nl zone. The whole process should be complete before the end of 2011.
SIDN CEO Roelof Meijer said, “After .org, ours is the second biggest zone to successfully implement DNSSEC. We waited until the root had been signed before going ahead, so that no interim solutions were needed and we could sign the entire chain in one go. We felt that this was the most efficient and secure way of bringing DNSSEC to the .nl zone.”
The Xlerance worldwide map of DNSSEC deployment has been updated to reflect the news.
.be joins European domains supporting DNSSEC
Posted by Denise Graveline in Uncategorized on August 18, 2010
DNS BE, which manages 1 million domain names, announced it has begun supporting DNSSEC in Belgium’s .be domain this week. A test bed has been launched, and registrars will be able to register DNSSEC-supported domain names in October.
Australia’s .au to add DNSSEC
Posted by Denise Graveline in Uncategorized on August 12, 2010
SC Magazine reports that a phased rollout of DNSSEC will begin in Australia next month. From the article:
Next month, regulator auDA (the .au Domain Administration) and its wholesale domain name provider AusRegistry will phase in the Domain Name Security (DNSSEC) protocol across Australian domain names such as those ending in com.au and net.au. The regulator said the five-stage process will gradually bring domain name owners into the fold as it tests systems over coming months, before rolling out the technology to the mass market.
D-Link adds DNSSEC to improve router security
Posted by Denise Graveline in Uncategorized on August 11, 2010
D-Link is boosting router security, announcing it is “the first in the industry to enhance its router security to a higher level of protection by incorporating both CAPTCHA and DNSSEC to guard against hacking, worms, viruses and other malicious Web attacks.” From the announcement:
“Unlike other brands, the majority of currently shipping D-Link routers are more difficult to be compromised due to our advanced set of security features. We’re excited to be the first in the market to announce we have taken the initiative to implement both CAPTCHA and DNSSEC into our routers, thus providing yet another layer of security, and we’ll continue to provide our users with the latest in advanced security technologies,” said A.J. Wang, chief technology officer, D-Link.
DNSSEC, CAPTCHA and IPv6 features are available on “most currently shipping D-Link’s routers, with more being updated. Please consult www.dlink.com for availability of firmware updates,” the company advises.
Seeing “traction,” Akamai adds DNSSEC support
Posted by Denise Graveline in Uncategorized on August 9, 2010
In an effort to “help United States government agencies simplify compliance with the Office of Management and Budget (OMB) mandate to adopt the DNSSEC standard,” Akamai Technologies, Inc., has announced support for DNSSEC, available immediately.
Two options will be available: “sign and serve” or “serve only.” From the announcement:
For example, customers that want to fully outsource their key management process can select the “sign and serve” option, which is as simple as checking a box on the Akamai EdgeControl portal. Alternatively, customers that prefer to manage their signing independently can select the “serve only” option. Additionally, Akamai believes that with its DNSSEC support in place agencies can meet the OMB mandate even if the primary name server (master name server) is not DNSSEC ready.
Akamai Vice President of Sales Thomas Ruff noted “we believe [DNSSEC] is gaining traction with .gov and .org signed and with the announcement to fully deploy DNSSEC by the Root Zone operators.” For more information about Akamai’s Enhanced DNS service and the new DNSSEC support offering, go here.
DNSSEC operational practices updated
Posted by Denise Graveline in Uncategorized on August 2, 2010
A new (now February 14, 2012) Internet draft of DNSSEC Operational Practices, Version 2 has been posted. A working document of the Internet Engineering Task Force (IETF), the document is aimed at zone administrators deploying DNSSEC, and “discusses operational aspects of using keys and signatures in the DNS…issues of key generation, key storage, signature generation, key rollover, and related policies.” Once approved, it will make obsolete RFC 4641.
DNSSEC deploys in .edu
Posted by Denise Graveline in Uncategorized on August 2, 2010
EDUCAUSE, the association for information technology in higher education, and VeriSign announced today that DNSSEC has been deployed in the .edu domain. EDUCAUSE manages .edu under a cooperative agreement with the U.S. Department of Commerce. scope of the internet.
EDUCAUSE President and CEO Diana Oblinger said, “Dating from the creation of ARPANET through the present day, the higher education technology community has played a leading role in the development of the Internet as a platform for learning, discovery, and engagement. We have been happy to continue that role by being a lead partner in the launch of DNSSEC.”
Black Hat highlights DNSSEC progress
Posted by Denise Graveline in Uncategorized on August 2, 2010
In this news conference last week at Black Hat, ICANN CEO Rod Beckstrom joined Recursion Ventures chief scientist Dan Kaminsky and Mark McLaughlin, President and CEO of Verisign to discuss the collaboration leading to deployment of DNSSEC. Beckstrom noted:
A cyber criminal can steal your money or your personal data without you even knowing it. Cyber crime doesn’t respect national boundaries…This upgrade will help disrupt the plans of criminals around the world who hope to exploit this crucial part of the Internet infrastructure to steal from unsuspecting people.
(See a related news release here.)
Black Hat also included a panel on DNS vulnerabilities and risk management in which Beckstrom and Kaminsky joined speakers Sandy Wilbourn, Vice President Engineering, Nominum; Ken Silva, Senior Vice President & Chief Technology Officer, VeriSign; and Mark Weatherford, Vice President & Chief Security Officer, NERC. Video of the session is below.
Trusted key representatives capture media imaginations
Posted by Denise Graveline in Uncategorized on July 28, 2010
DNSSEC doesn’t typically spur flights of fancy. But this week, trusted key representatives–individuals selected to hold parts of the DNSSEC root key during recent key signing key ceremonies held by ICANN in preparation for signing the root zone–have sparked the imaginations of both high-tech and popular media. Here’s a roundup of recent coverage focusing on the individuals that hold the keys:
- PopSci notes “We’re imagining a large medieval chamber filled with techno-religious imagery where these knights cyber must simultaneously turn hybrid thumb drive/skeleton keys in a massive router, filling the room with the blinking light of connectivity….In reality, it’s not so dramatic. The keys are actually smartcards that each contain parts of the DNSSEC root key, which could be thought of as the master key to the whole scheme. But it is interesting to know that there is a group of individuals out there that hold actual, physical keys that would reboot the Internet as we know it.” The article points to this Community DNS video explaining how the keys are made; CDNS CEO Paul Kane is one of the key holders.
- Gawker pictures it this way: “This is what happens when you let nerds run everything: The whole world turns into an extended Dungeons and Dragons campaign. Seven specially-chosen people are now members of a “chain of trust”; in the event of a catastrophe—like a terrorist attack, or Saruman joining forces with Sauron, or Barack Obama turning off the whole internet—five members of The Fellowship of the Internet must meet in a secure location ‘to recover the master key’ and summon Captain Planet.” The article goes on to name the seven “keymasters” and describe the process, but notes, “it’s more fun to pretend the other stuff.”
- The Next Web called the group “the real-life Fellowship of the Ring that can ‘reboot’ the Internet” and notes, “Unlike the Fellowship of the Ring, there’s a backup plan. If the keyholders can’t travel to the location required in the event of a major incident, a set of keycards are securely held on site.”
- Mainstream media BBC and the Bath Chronicle played it straight, profiling Kane as one who holds “the keys to the Internet.”
PC World highlights DNSSEC at Black Hat
Posted by Denise Graveline in Uncategorized on July 28, 2010
PC World’s “What to Watch at Black Hat and Defcon” article points to DNSSEC sessions at Black Hat, which starts today in Las Vegas. The article notes:
Two years ago, Dan Kaminsky made headlines worldwide by uncovering a flaw in the DNS (Domain Name System) used to look up the addresses of computers on the Internet. This year, Kaminsky is speaking again at Black Hat — this time on Web security tools. But he’s also been tapped to participate in a press conference where he and representatives from ICANN (Internet Corporation For Assigned Names and Numbers) and VeriSign will discuss Domain Name System Security Extensions (DNSSEC) — a new way of doing DNS that provides a level of confidence that computers connected to the Internet are what they actually claim to be…. “We’ve been looking at how DNSSEC is going to address not only DNS vulnerabilities, but some of the core vulnerabilities we have in security,” Kaminsky said in an interview. “We’re not going to solve all of those problems with DNSSEC… but there’s an entire class of authentication vulnerabilities that DNSSEC does address.”