Whither DNSCurve? Vixie answers.

Over at the Internet Systems Consortium blog, Paul Vixie has offered this post, “Whither DNSCurve?”, to answer the question he frequently gets: “what is DNSCurve and what’s ISC’s position on it given our long involvement in DNSSEC?” He concludes with this summation:

I want provably correct DNS content to be universally available.  Not just for me but for the entire population of the Internet.  I want to stamp out all forms of DNS intermediation whether by recursive nameserver operators or nation-states or hackers.  Because DNSSEC can do this, ISC has invested a lot of time and money over the last dozen years helping to develop DNSSEC. Because DNSCurve does not do this, and because the problems DNSCurve actually does solve are pretty well solved by UDP source port randomization and will be entirely eradicated by DNSSEC, ISC is not investing in DNSCurve at all.


HOMEGATE workshop set for April 20-21 in London

HOMEGATE, the Broadband Home Gateway birds-of-a-feather group (BoF) formed at the 76th IETF meeting, will hold a workshop in London April 20-21, and is asking would-be participants to indicate their likely attendance here so that arrangements can be made for a venue. Remote options for participating are promised, so the early RSVP applies to those intending to attend in person.

The group focuses on access to broadband Internet services, which use networking technology in the home, small office/home office (SOHO) or small to medium business (SMB). The group’s draft charter has been focused and coordinated with other Standards Development Organizations “to ensure that the planned work is complementary and not overlapping with their respective work.”

The effort’s wiki notes:

….many serious, long-term problems face users of home gateways today. At the root of many of these problems is the fact that device manufacturers, and/or the organizations that specify requirements for such devices, are not certain which IETF standards and best current practices should be supported, and when/why that support is needed. As a result of this, millions of devices are being deployed every year, which do not work with important IETF protocols, standards, and best practices that are central to the future of the Internet.

DNSSEC is among the IETF standards to be included in the group’s deliberations. Sign up here for the group’s mailing list for further announcements.


Signing of .uk begins

Nominet has begun signing the .uk country code top-level domain this week, a process expected to conclude March 8. According to the article in PC Advisor, “Nominet will begin signing ‘.co.uk’ – comprising more than 8 million websites – later this year, working with any entity that operates a nameserver, as their software will have to be upgraded for DNSSEC.”


Comcast to deploy DNSSEC by 1st quarter 2011

After two years of testing DNSSEC, Comcast — the largest provider of cable services in the U.S., with 23.6 million cable customers, 15.9 million high-speed Internet customers and 7.6 million voice customers — announced it is starting a trial today and plans to implement DNSSEC by the first quarter of 2011 or sooner. In a blog post, Comcast noted:

We plan to implement DNSSEC for the websites we manage, such as comcast.com, comcast.net and xfinity.com, by the first quarter of 2011, if not sooner. By the end of 2011, we plan to implement DNSSEC validation for all of our customers…. If you don’t want to wait until 2011, you can participate in our DNSSEC customer trial, which starts today. Opt-in by changing your DNS server IP addresses to 75.75.75.75 and 75.75.76.76 (we’ll be adding IPv6 addresses soon). The servers supporting this are deployed nationally in the same locations as our other DNS servers that millions of customers use every day.

You can find FAQs on the Comcast trial here.


Free registration available for FOSE, DNSSEC session

FOSE, the federal information technology conference and expo, offers free registration to federal employees and military personnel. Don’t fit into those categories? The DNSSEC Deployment Coordination Initiative can offer you free registration at this special link.

You can see the full program for the March 24 daylong session “What’s Next in DNSSEC,” sponsored by the Initiative, here.  Featured will be updates on U.S. federal government DNSSEC deployment and next steps; state, municipal and public-private network deployment; perspectives on DNSSEC in the commercial, educational and nonprofit sector domains; and lessons learned from deployment across the federal system. The program is free but requires pre-registration.


Internet 2 Joint Techs meeting features campus DNSSEC

Shumon Huque of the University of Pennsylvania reports that the winter ESCC/Internet 2 Joint Techs meeting featured these talks focused on DNSSEC deployment:

  • In a talk on the .EDU DNSSEC testbed, Huque and Larry Blunk of Merit Network reviewed DNSSEC plans and features for the .EDU top-level domain, managed by Educause; results of the domain’s DNSSEC testbed conducted by VeriSign and Educause; and how .EDU domain holders will interact with the DNSSEC enabled .EDU registration system.
  • Michael Sinatra of the University of California, Berkeley, discussed DNSSEC on Campus, focusing on “real-world experience” based on UC Berkeley’s work signing zones and validating those of others, and participating in a DNSSEC testbed.
  • The DNSSEC Rollout Experiences at U.S. Department of Energy National Labs panel included representatives from the Ames Laboratory; the Argonne, Brookhaven and Oak Ridge National Laboratories; and the Energy Sciences Network (ES.net), discussing DNSSEC deployment at national labs in the wake of U.S. federal government requirements.

The meeting took place in Salt Lake City, Utah, January 31-February 2.


RIPE Labs measures DNS transfer size

RIPE Labs has reported the initial results from an effort to measure DNS transfer size, to determine whether larger DNSSEC responses would pose problems once the K-root begins to provide DNSSEC responses to requesting resolvers, and whether the larger responses would reach the resolvers.  From the article: “The good news is that the vast majority of measurements yield transfer sizes that will fit current DNSSEC answers from root name servers,” although “some resolvers that could experience time-outs and delays due to misconfigurations and middleware.”


Visual inventories track U.S., Sweden deployment

As DNSSEC deployment rolls out in government domains in the U.S. and elsewhere, we’re seeing more lists that visually display the status of deployment within a top-level domain.  Here are some recent examples:

  • From the U.S. .GOV TLD: Using a list of domain names taken from the web sites catalogued in the USA.gov website, Initiative partner Scott Rose of the U.S. National Institute of Standards and Technology wrote a script that queried which had a secure link from .GOV. The results, shown here, note that the “U.S. Federal Government maintains some domain names outside of the .gov gTLD. Likewise, there are state, local, and sovereign nation delegations found in .gov that are not required to deploy DNSSEC, but may deploy voluntarily.” Signed U.S. state domains include Vermont’s vermont.gov, vermonttreasurer.gov, and healthvermont.gov, the state’s health department; Idaho’s idaho.gov and idahobyways.gov from the state’s transportation department; Louisiana’s lacoast.gov, from the Louisiana Coastal Wetlands Conservation and Restoration Task Force; the Tennessee Valley Authority’s tva.gov; Utah Fire Info, a federal-state partnership; and Virginia.gov.
  • From Sweden:  Two separate pages display DNSSEC deployment progress among municipal domains and in public sector agencies there, with hundreds of sites listed.


DNSSEC overhead examined

Cricket Liu of Infoblox has posted a second article in his series on DNSSEC overhead.  He notes: 

…I’ve recommended that organizations deploying DNSSEC watch the CPU load on their recursive name servers carefully:  As the proportion of responses that are signed increases, so will the load on their recursors. Ultimately, though, the ever-increasing speed of processors and networks will trump the burden DNSSEC adds.  Years from now – assuming DNSSEC becomes widely deployed – we’ll look back at our concerns about the overhead of DNSSEC and chuckle.  I hope.


Deployment watch: SWITCH turns on DNSSEC at Domain Pulse meeting

Circle ID reports that SWITCH, the registry for Switzerland’s .CH and .LI, enabled DNSSEC yesterday at the Domain Pulse conference in Luzern. From the article:

SWITCH became the third ccTLD registry to enable DNSSEC giving registrants of .CH domain names added security following .SE (Sweden) and .CZ (Czech Republic)…. At the Domain Pulse conference, Urs Eppenberger of SWITCH and Marc Furrer of the Swiss Federal Communications Commission (ComCom) enabled DNSSEC…. “I am particularly proud of the fact that Switzerland is one of the first countries in Europe to introduce DNSSEC. This now guarantees security in the internet” said a delighted Marc Furrer, President of ComCom, in a statement.
