DNSSEC This Month
July 1, 2008
Volume 7, Number 3
ISSN 1932-6564
In This Issue:
Dot-org DNSSEC deployment approved by ICANN board
ICANN session looks at international DNSSEC deployment experience
Trust anchor repositories discussed at ICANN, Circle ID
DNSSEC tools reviewed at ICANN
DNS 25th anniversary roundtable features DNSSEC
Internet2 Joint Techs to Nebraska
Reminder! IETF to Dublin for summer meeting

Eugenio Pinto and Sara Monteiro of Portugal's FCCN present their DNSSEC results.
Dot-org DNSSEC deployment approved by ICANN board: After a review of security issues
and a public comment period, ICANN’s board approved the Public Interest Registry’s proposal
to deploy DNSSEC in .org, advancing deployment in a major top-level domain. During the
meeting’s DNSSEC session, attendees heard about the Registry Services Technical
Evaluation Panel (RSTEP) review of the PIR proposal. PIR CEO Alexa Raad also discussed
her organization’s plans to move forward with deployment, noting that PIR executives had just
met with “two major registrars, both of them large hosting providers” with reported interest in
DNSSEC among their registrants. “They view [DNSSEC] as a differentiator for their
hosting platforms,” Raad noted, adding that mainstream availability of DNSSEC in .org is
anticipated by 2010. See the PIR presentation here, and the RSTEP review slides here.
ICANN session looks at international DNSSEC deployment experience: Practical views of
DNSSEC deployment and adoption were presented at the 32nd ICANN meeting in June, hosted
by ICANN’s Security and Stability Advisory Committee. The session included:
- Perspectives from the Czech Republic’s recent deployment of DNSSEC for ENUM and
.cz from Pavel Tuma, who noted, “We, as a registry, think the DNSSEC is the next
logical step to improve the registry services and, of course, overall DNS security.”
- Results from using dynamic updates to reduce the processing power consumption
and time needed to sign an entire zone file, in a presentation by Eugenio Pinto and
Sara Monteiro of the Foundation for National Scientific Computing, which operates
Portugal’s ccTLD registry. Noting that a full zone signing takes up to 5 minutes, Pinto
said “we have seen that a dynamic update can be very quick, and in less than five
seconds, we can change up to 800 delegations in a signed DNS zone. That's a big
difference and big saving in resources…five seconds is 1.7 percent of five minutes.”
- Results were reported by self-described “late adopter” Lutz Donnerhacke of Germany’s
IKS GmbH from the development of a DNSSEC-aware resolver demonstration able
to mount pharming and poisoning attacks; he reported 15,000 customers using fully
validating resolvers. Donnerhacke noted the utility of available DNSSEC tools (see story
below) for fellow late adopters.
Go here for a summary of the entire session, with links to each presentation and a full
transcript.
Trust anchor repositories discussed at ICANN, Circle ID: At the June ICANN meeting in
Paris, the DNSSEC Deployment Coordination Initiative issued a paper on options for a
global trust anchor repository (TAR), a means for a DNSSEC validator to fetch trust anchor
information for secure zones, particularly when the zone’s parent zone is not signed. Initiative
partner Russ Mundy presented the paper at the DNSSEC session, noting that gaps in the
signed name space can occur anywhere, “so the problem does not go away even if the root is
signed.” Brenden Kuerbis, Operations Director for the Internet Governance Project, weighed
in on the paper’s options prior to the meeting on CircleID. Also at the ICANN meeting, IANA’s
Barbara Roseman discussed an interim TAR as a way to publish keys of top-level domains
that currently implement DNSSEC; she noted it is intended as a stopgap measure that would
be decommissioned after the root zone is signed. You can read the TAR paper here and a
presentation about it from the ICANN Paris meeting here; view the Circle ID discussion here;
and see the presentation on an interim TAR from the ICANN Paris meeting here.
DNSSEC tools reviewed at ICANN: Initiative partner Russ Mundy of Sparta, Inc., presented
an update on tools designed to ease implementation and deployment of DNSSEC at the
ICANN meeting. Available tools include core DNSSEC libraries and modules, as well as tools
for zone management, resolver management, DNSSEC-aware application patching,
development and debugging. Documentation available on the DNSSEC tools webpage includes a step-by-step guide for DNSSEC operation using DNSSEC tools; a step-by-step
guide for DNSSEC operation using BIND tools; manual pages and user documentation; and
tutorials tailored towards the needs of particular types of adopters. Read the presentation from
the tools discussion here. The deployment initiative has surveyed a wide range of DNSSEC-related
tools and resources on its website. Other resources presented at the meeting included
Unbound’s validating caching resolver, presented by Jaap Akkerhuis of NLNet Labs as
“DNSSEC for the masses,” an open source alternative to the BIND DNS server. Joao Damas
of the Internet Systems Consortium presented new features in BIND designed to ease
DNSSEC deployment, and Joe Gersch of Secure64 discussed plans to develop and
commercialize a DNSSEC signing solution. Secure64 also offered a whitepaper on
DNSSEC.
DNS 25th anniversary roundtable features DNSSEC: DNSstuff.com hosted a roundtable honoring
the 25th anniversary of the domain name system. An audio file of the roundtable discussion
among panelists and DNS experts Paul Mockapetris, Paul Vixie and Cricket Liu can be
downloaded at the link above; in a related blog post, moderator Paul Parisi highlighted the
discussion’s focus on DNSSEC, noting “DNS is an incredibly versatile invention; the addition
of DNSSEC will help provide for a long and healthy life well into the future.” He
urged “a team effort” to advance deployment and implementation of DNSSEC.
Workshops help networks, organizations deploy DNSSEC: While the protocols needed to
add additional security to DNS queries and responses exist, network administrators and
organizational leaders in all sectors need to accept DNSSEC and put it to use. Here’s a
roundup of speakers and sessions that may help you work through potential issues and
concerns about deployment:
- Internet2 Joint Techs to Nebraska: The ESCC/Internet2 Joint Techs Workshop will
be held in Lincoln, Nebraska, July 20-24. DNSSEC deployment experiences on
university campuses will be discussed as part of the security track.
- Reminder! IETF to Dublin for summer meeting: July 27 to August 1 are the dates
for IETF’s next meeting in Dublin, Ireland.
© 2008. Shinkuro, Inc. All rights reserved.
WELCOME
Attacks on the Internet infrastructure are a reality - it's estimated that 10 percent of servers in the network today are vulnerable to domain name system (DNS) attacks. And many technology experts believe that we will see a serious attack on the underlying infrastructure within the next decade.
The DNS Security Extensions (DNSSEC) Deployment Coordination Initiative is part of a global effort to deploy new security measures that will help the DNS perform as people expect it to - in a trustworthy manner. This initiative builds on over a decade of work undertaken by many experts around the world, who developed the DNSSEC standard that was published by the IETF.
On this site, we have collected important information to help you learn more about the initiative; DNS attacks and their impact on your business, government agency, or home computing; information for adopters and potential adopters; and news and research to keep you informed about progress against this important security threat.
As of July 1, the SecSpider monitoring site shows 929 DNSSEC-enabled zones using both KSKs and ZSKs.
This web site is supported by the Science and Technology Directorate of the U.S. Department of Homeland Security.