DNSSEC Deployment Initiative

DNSSEC This Month

November 3, 2008
Volume 11, Number 3
ISSN 1932-6564

In This Issue:

Microsoft includes DNSSEC in Windows 7, calls for pre-release feedback

Canada starts DNSSEC implementation

Comcast and University of California, Berkeley both enable DNSSEC validation

U.S. Government seeks public comment on root signing

NIST key management publication seeks public comment

Swedish workshop highlights DNSSEC deployment

New CSI report says DNS vulnerability is major concern

CSI to Maryland in November

MYNIC workshops Nov. 10-12

IETF to Minneapolis

Microsoft includes DNSSEC in Windows 7, calls for pre-release feedback: The domain name system security extensions (DNSSEC) are among the features of Windows 7 unveiled by Microsoft in late October at its Professional Developers Conference 2008, where it delivered a pre-beta build of Windows 7 to conference attendees and announced plans to release a full Windows 7 beta early next year. A release date of early 2010 is anticipated for Windows 7. DNSSEC is available now in the pre-beta release and will be in all subsequent versions.

Calling DNSSEC one of the "10 Best Features in Windows 7 for IT Professionals," Computerworld's Jonathan Hassell said: "Many security pundits have said that the next big plague facing the Internet is the inherent insecurity of the Domain Name System (DNS). Now DNSSEC comes to the rescue as a set of extensions to DNS that prevent spoofing address information. Windows 7 comes with DNSSEC support out of the box."

Microsoft's Shyam Seshadri, the program manager for Windows DNS server and client, said that the Windows 7 DNSSEC will cover both clients and servers, and requires administrator setup, but no effort from end users. Documentation will be issued as versions are issued, including beta releases, and Seshadri encourages experimentation: "DNSSEC has gained a lot of attention and momentum due to the vulnerability discovered earlier this year," he said. "The timing is just perfect. We want people to try it out in beta and pre-beta versions and let us know what works, what they'd like to see more of. We'll be starting blogs and newsgroups, and those are the best way to communicate with the entire Microsoft DNS team so we can answer questions and help with deployment." Comments can be sent to Seshadri's blog, "Port 53."

Seshadri noted that DNSSEC integrates easily with other Microsoft enterprise software, such as Active Directory, and that trust anchor management is simplified in Active Directory: "It will automatically replicate to all other DNS servers in the domain." Non-Windows 7 clients will be able to take advantage of a DNSSEC recursive server, which can work with and protect DNSSEC-aware and non-aware clients, he said.

For U.S. government systems, Windows 7's inclusion of DNSSEC will aid in meeting the requirements of OMB Memo 08-23, which requires that all DNS zones on federal IT systems be signed. Windows 7 can host a signed zone, produce signatures, validate responses and check signatures, accepting only valid responses, as required in the memo. Seshadri urged users to evaluate their use of DNS infrastructure and work towards defining deployment.

Microsoft's John Biccum, senior security strategist of the critical infrastructure program, noted that the inclusion of DNSSEC in Windows 7 "resulted from a partnership between the U.S. government and Microsoft. Because they came to us and explained what they hoped to achieve, we were able to get this into our product planning process and deliver it in time for it to be helpful. We're very pleased with the outcome."

Canada starts DNSSEC implementation: The Canadian Internet Registration Authority (CIRA), which manages Canada's dot-CA domain name registry, announced in October it has begun implementing DNSSEC. CIRA maintains the authoritative DNS name servers for all dot-ca domain names and processes over 300 million domain-name requests per day.

Comcast and University of California, Berkeley both enable DNSSEC validation: Comcast and UC Berkeley separately initiated trials of DNSSEC validation. Both organizations have provided publicly accessible DNSSEC-compliant recursive validation servers. Comcast's announcement says "Given the move by the .GOV Top Level Domain (TLD), as well as the coordinated activities of the public sector, private sector, industry groups, and other non-governmental organizations regarding other TLDs implementing DNSSEC, we have started a production trial to evaluate a move to DNSSEC by large ISPs." They join Sweden's Telia in testing DNSSEC resolution.


U.S. Government seeks public comment on root signing: The U.S. Department of Commerce has issued a Notice of Inquiry soliciting public comments about DNSSEC implementation at the root zone, noting "the increase in interest among government, technology experts and industry representatives" in this deployment issue. Verisign and ICANN have each submitted proposals for signing the root. Comments will be received through November 24.

NIST key management publication seeks public comment: The U.S. National Institute of Standards and Technology (NIST) has issued Special Publication 800-57 Part 3: Application Specific Key Management Guidance for public comments. The publication gives key management recommendations and guidance for key network protocols, including DNSSEC, for use within the U.S. federal government. For more information, go to the NIST Computer Security Resource Center; find the document here.

Swedish workshop highlights DNSSEC deployment: Dot-SE convened a workshop on DNSSEC and IPv6 deployment October 20, followed by its "Internet Days" October 21-22 and a training workshop for TLD operators October 22-24 in Stockholm. "We're no longer talking about whether to deploy DNSSEC, but rather how," said Danny Aerts, managing director of the Internet Infrastructure Foundation, in opening the workshop. Top-level domain operators from 13 European nations and from Malaysia and dot-ORG attended the session. .SE also announced it will drop charges for DNSSEC beginning in 2009.

New CSI report says DNS vulnerability is major concern: The Computer Security Institute's 13th annual Computer Crime and Security Survey reports that targeted attacks and domain name system (DNS) vulnerabilities are the primary concerns of the more than 500 enterprise security professionals surveyed. Some 10 percent of CSI survey respondents said they have experienced DNS-related incidents, an increase of 2 percent from 2007. See coverage of the report here and the full report here.

Workshops help networks, organizations deploy DNSSEC: While the protocols needed to add additional security to DNS queries and responses exist, network administrators and organizational leaders in all sectors need to accept DNSSEC and put it to use. Here’s a roundup of speakers and sessions that may help you work through potential issues and concerns about deployment:

  • CSI to Maryland in November: The Computer Security Institute will convene its annual meeting November 15 to 21 in National Harbor, MD. Joe Gersch, vice president of engineering at Secure64, will speak on "How to Implement DNSSEC Without Losing Your Mind" on November 19.
  • MYNIC workshops Nov. 10-12: MYNIC, which administers Malaysia's dot-MY domain, will offer a workshop on "Enabling IPv6 in your DNS and Securing your DNS with DNSSEC" November 10-12. Go here to register; only 40 seats are available.
  • Reminder! IETF to Minneapolis: The 73rd IETF meeting will take place in Minneapolis, Minnesota, November 16-21.

 

© 2008. Shinkuro, Inc. All rights reserved.

 

WELCOME

Attacks on the Internet infrastructure are a reality - it's estimated that 10 percent of servers in the network today are vulnerable to domain name system (DNS) attacks.  And many technology experts believe that we will see a serious attack on the underlying infrastructure within the next decade.

The DNS Security Extensions (DNSSEC) Deployment Coordination Initiative is part of a global effort to deploy new security measures that will help the DNS perform as people expect it to - in a trustworthy manner.  This initiative builds on over a decade of work undertaken by many experts around the world, who developed the DNSSEC standard that was published by the IETF.

On this site, we have collected important information to help you learn more about the initiative; DNS attacks and their impact on your business, government agency, or home computing; information for adopters and potential adopters; and news and research to keep you informed about progress against this important security threat.

As of October 31, the SecSpider monitoring site shows 1672 DNSSEC enabled zones using both KSKs and ZSKs.

 

This web site is supported by the Science and Technology Directorate of the U.S. Department of Homeland Security.

Page Updated 11/03/2008