Posts Tagged DNSSEC
FOSE, the federal information technology conference and expo, offers free registration to federal employees and military personnel. Don’t fit into those categories? The DNSSEC Deployment Coordination Initiative can offer you free registration at this special link.
You can see the full program for the March 24 daylong session “What’s Next in DNSSEC,” sponsored by the Initiative, here. Featured will be updates on U.S. federal government DNSSEC deployment and next steps; state, municipal and public-private network deployment; perspectives on DNSSEC in the commercial, educational and nonprofit sector domains; and lessons learned from deployment across the federal system. The program is free but requires pre-registration.
As DNSSEC deployment rolls out in government domains in the U.S. and elsewhere, we’re seeing more lists that visually display the status of deployment within a top-level domain. Here are some recent examples:
- From the U.S. .GOV TLD: Using a list of domain names taken from the web sites catalogued in the USA.gov website, Initiative partner Scott Rose of the U.S. National Institute of Standards and Technology wrote a script that queried which had a secure link from .GOV. The results, shown here, note that the “U.S. Federal Government maintains some domain names outside of the .gov gTLD. Likewise, there are state, local, and sovereign nation delegations found in .gov that are not required to deploy DNSSEC, but may deploy voluntarily.” Signed U.S. state domains include Vermont’s vermont.gov, vermonttreasurer.gov, and healthvermont.gov, the state’s health department; Idaho’s idaho.gov and idahobyways.gov from the state’s transportation department; Louisiana‘s lacoast.gov, from the Louisiana Coastal Wetlands Conservation and Restoration Task Force; the Tennessee Valley Authority’s tva.gov; Utah Fire Info, a federal-state partnership; and Virginia.gov.
- From Sweden: Two separate pages display DNSSEC deployment progress among municipal domains and in public sector agencies there, with hundreds of sites listed.
Cricket Liu of Infoblox has posted a second article in his series on DNSSEC overhead. He notes:
…I’ve recommended that organizations deploying DNSSEC watch the CPU load on their recursive name servers carefully: As the proportion of responses that are signed increases, so will the load on their recursors. Ultimately, though, the ever-increasing speed of processors and networks will trump the burden DNSSEC adds. Years from now – assuming DNSSEC becomes widely deployed – we’ll look back at our concerns about the overhead of DNSSEC and chuckle. I hope.
Nominet, the Internet registry for .UK domain names, has announced it will implement DNSSEC in zones it manages, beginning March 1, 2010 with the .UK top-level domain. The announcement notes:
With the signing of the root so close (scheduled for mid-2010), we have taken the decision not to include the keys in the major DNSSEC key stores…Instead, we will use the period as an extended operational test, waiting until the root goes live before publishing our trust anchor in the root zone.
The next phase will include signing .co.uk and other SLDs, Nominet said.
The first root server (L) has started to serve up a signed version of the root zone. This is the first step in the live testing that will lead to a production signed root by the middle of the year. For information on the status of the root signing process visit: http://www.root-dnssec.org/
The root is intentionally publishing bogus signing keys, so the answers are not verifiable. Once the testing completes the actual keys will be published.
Current DNSKEY set advertised:
. 86400 IN DNSKEY 256 3 8 AwEAAa1Lh++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOULD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION+++
. 86400 IN DNSKEY 257 3 8 AwEAAawBe++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOULD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION+++
. 86400 IN RRSIG DNSKEY 8 0 86400 20100204235959 20100121000000 19324 . NO9bHgWYB3wQlVZXQKwDGUjTgIyfz1i8aWH8nBlT5isnYbr6PTfR4fWlSx8+avFfR0fVekauaQelKOyiUav4H9Y1AZ2OBguu7RjozQu1qErKboWd1NglIIOGar0Ol4Ur9+
Infoworld reports in an article this week that “Africa’s Top Level Domain registries have opted for a slow adoption of Domain Name System Security Extensions, hoping to learn lessons from countries that pioneered the process.” The article notes that DNSSEC training is planned for African TLDs during the ICANN meeting in Nairobi in March, and quotes the Internet Society’s Michuki Mwangi, a former president of AfTLD: “Africa has an advantage in terms of management of domains because they are few compared to other countries; it may be an opportunity for Africa’s budding e-commerce to take off on a fully secure environment.”