Archive for January, 2010
Twitter attack prompts a DNSSEC reminder
Posted by Denise Graveline in DNSSEC, News on January 15, 2010
eWeek Europe’s look at the December attack that took down Twitter suggests that businesses need a stronger focus on DNS security, and includes this reminder about DNSSEC from Rick Howard, director of security intelligence at VeriSign iDefense:
“Basic DNS monitoring is sorely lacking,” he continued. “While enterprises may monitor DNS availability, and are increasingly aware of DDoS [distributed denial of service] attacks targeting domain name servers, simple monitoring for DNS integrity is often overlooked. Enterprises should also pay attention to the rollout of DNSSEC, which mitigates some attacks, but is not yet widely available.”
The attack used “legitimate credentials to log in and redirect Twitter.com to a site purporting to be under the control of the Iranian Cyber Army,” the article notes.
Program set for DNSSEC session at FOSE
Posted by Denise Graveline in Uncategorized on January 14, 2010
The program is now available for the DNSSEC Deployment Coordination Initiative’s special session at the FOSE conference and exhibition. “What’s Next in DNSSEC: Securing the Domain Name System,” will take place on Wednesday, March 24, 2010, from 10:00 a.m. to 4:30 p.m. The conference attracts U.S. government information technology professionals in Washington, D.C. In addition to the session, the FOSE Expo will include a special DNSSEC Pavilion with booths from the Initiative as well as other DNSSEC-related exhibitors.
Registration for FOSE is free for U.S. government employees, government contractors and U.S. military, and registration for the Expo is $50. Go here to register for FOSE. To exhibit in the DNSSEC Pavilion at FOSE, contact Don Berey, Show Director at 703-876-5073 or email [email protected].
As speakers are added to the program, this blog will post updates. Here is the program for the DNSSEC session:
What’s Next in DNSSEC: Securing the Domain Name System
Morning session:
10:00-10:15 What’s next in DNSSEC: Overview
Speaker:
Douglas Maughan, Ph.D., Program Manager, Cyber Security R&D, Science & Technology Directorate, U.S. Department of Homeland Security, and sponsor, DNSSEC Deployment Coordination Initiative
10:15-11:00 Advancing Federal DNSSEC Deployment: What to Look For in 2010
Speakers:
Deploying DNSSEC at the Root: Scott Rose, National Institute of Standards and Technology (Speaker TBA)
Getting DNSSEC into Trusted Internet Connections: U.S. Department of Homeland Security
[UPDATED] 11:00-11:15 Break
[UPDATED] 11:15-11:45 From Trust to Transparency: DNSSEC and Open Government
Speakers:
DNSSEC and Open Government: White House Office of Management and Budget (Speaker TBA)
Government-funded Open-Source DNSSEC Tools: Russ Mundy, Sparta
[UPDATED] 11:45-12:30 Beyond Federal Deployment: The Next Wave
Speakers:
Deploying DNSSEC Across a Public-Private Network – R. Kevin Oberman, Energy Sciences Network (ESnet, Ernest O. Lawrence Berkeley National Laboratory
[UPDATED] Deploying DNSSEC in .us — Keith Drazek, Director, Government and Industry Relations, Neustar
Deploying DNSSEC in Commercial and Education — Lauren Price, Senior Product Marketing Manager and Chair of the DNSSEC Industry Coalition, .org, the Public Interest Registry
[UPDATED] Deploying DNSSEC in the Educational and Commercial Sectors – Joe Waldron, Director of Product Management, VeriSign, Inc.
12:30-2pm Break for visiting exhibit floor
Afternoon session:
2:00-2:45 Why DNSSEC Applies to More Federal Systems in 2010
Speakers:
[UPDATED] FISMA Requirements and DNSSEC – Doug Montgomery and Kelley Dempsey, National Institute of Standards and Technology
Updated Requirements from NIST Apply to More Federal Systems – Scott Rose, National Institute of Standards and Technology
2:45-3:00 Break
[UPDATED] 3:00-4:15 Beyond the Mandate: Getting Lessons—and Value—From Deployment
An invited panel of vendors with experience assisting federal agencies with DNSSEC deployment will offer brief lessons learned and field audience questions on getting value from deployment. Moderated by Steve Crocker of Shinkuro and Scott Rose of the National Institute of Standards and Technology.
Speakers include:
Michael Young, Vice President, Product Development, Afilias
Chris Parker-James, Product Manager, BlueCat Networks
Derek McUmber, CEO, Data Mountain Solutions
Nathan Meyer, Product Manager, F5 Networks
Victor Danevitch, Infoblox
Norm Ritchie, Programmes Development Manager, Internet Systems Consortium
William Billings, U.S. Federal Chief Security Officer, Microsoft
Ameet Dhillon, Senior Director of Product Management, Nominum
Mark Beckett, Vice President, Marketing, Secure64
Patrick Naubert, Chief Technology Officer, Xelerance
Deployment watch: Chile to deploy DNSSEC in 2010
Posted by Denise Graveline in Uncategorized on January 12, 2010
Update your DNSSEC deployment maps: NIC Chile has indicated it will deploy DNSSEC in the .CL zone in 2010, the result of research since 2005 in partnership with NIC Labs, its research laboratory. An internal testbed is already working and deployment is set for midyear. NIC Chile will offer training, a public testbed and a forum for feedback from .CL users. You can find more information in Spanish at the .CL DNSSEC website, or the English version.
Infoworld report on Africa and DNSSEC
Posted by Denise Graveline in Adoption on January 11, 2010
Infoworld reports in an article this week that “Africa’s Top Level Domain registries have opted for a slow adoption of Domain Name System Security Extensions, hoping to learn lessons from countries that pioneered the process.” The article notes that DNSSEC training is planned for African TLDs during the ICANN meeting in Nairobi in March, and quotes the Internet Society’s Michuki Mwangi, a former president of AfTLD: “Africa has an advantage in terms of management of domains because they are few compared to other countries; it may be an opportunity for Africa’s budding e-commerce to take off on a fully secure environment.”
New key management guidance from NIST
Posted by Denise Graveline in Technical guides on January 6, 2010
At the close of 2009, the U.S. National Institute of Standards and Technology issued an “Application-Specific Key Management Guide” as part 3 of its Special Publication 800-57, “Recommendation for Key Management.” Section 8 of the publication focuses on DNSSEC deployment issues for U.S. federal agencies, including authentication of DNS data and transactions, special considerations for NSEC3 and key sizes, and more.
New Year puts DNSSEC on resolution lists
Posted by Denise Graveline in DNSSEC, News on January 6, 2010
Whether practical or predictive, several articles summing up 2009–or looking ahead to the new decade–put DNSSEC high on the list of cybersecurity solutions on their radar, including these articles:
- PC World put DNS security among its “top 10 security nightmares of the decade,” noting that DNS flaws uncovered in the past year “have hastened the move to newer standards, such as DNSSEC, which authenticates data in the DNS system, and a newer version of SSL/TLS. Look for the replacement of existing protocols to continue in the coming years.”
- SearchSecurity.com focused on five security industry themes for 2010, with the stepped-up pace of DNSSEC deployment among the themes to watch. From the article: “Fortunately there has been a lot of work behind the scenes as top-level domains are deploying DNSSEC, the next generation of DNS that supports encryption. Implementation until now has been slow. Digital signing of DNS requests and responses is already being supported by .gov and .org and universities are also deploying support. The .us zone was signed in December. The largest zone, .com, is not expected to sign on until 2011, but one expert said the domain could move faster, giving even more clout to DNSSEC this year.”
- V3.co.uk made 2010 predictions in security, calling 2010 “The Year of DNSSEC,” and quoting Rodney Joffe, senior technologist at NeuStar and director of the Conficker Working Group that DNSSEC, “together with IPv6…will catapult the DNS to the front of everyone’s thoughts.”
Deployment watch: .pt, .es.net, berkeley.edu,.de
Posted by Denise Graveline in Adoption, DNSSEC, News, Uncategorized on January 6, 2010
DNSSEC deployment got a running start in the new year, producing these updates on deployment progress around the world:
- Portugal’s .pt has been signed and in production beginning January 4.
- December saw deployment of DNSSEC in es.net, the Energy Sciences Network at the Lawrence Berkeley National Laboratory, which is a high-speed network serving thousands of U.S. Department of Energy scientists and collaborators worldwide.
- January 1 brought DNSSEC deployment in the University of California Berkeley’s berkeley.edu.
- DENIC has announced that Germany’s .de DNSSEC testbed is now running an NSEC3-enabled zone.
Help us stay up-to-date on your organization’s deployment news by submitting information about your DNSSEC deployment deadlines, test beds or other progress to info @ dnssec-deployment.org.
Newsletter turns into new DNSSEC blog:
Posted by Jeffrey Dewhurst in Uncategorized on January 4, 2010
DNSSEC THIS MONTH newsletter will re-launch as a blog beginning January 5, 2010. DNSSEC TODAY will continue to cover the progress of DNSSEC deployment, forthcoming meetings and workshops, and other resources to help you monitor news about DNSSEC deployment. The blog is part of a website redesign for the DNSSEC Deployment Coordination Initiative.
Deployment watch:
Posted by Jeffrey Dewhurst in Uncategorized on January 4, 2010
Netherlands, European Union, dot-US, root zone: Help us stay up-to-date on your organization’s deployment news by submitting information about your DNSSEC deployment deadlines, test beds or other progress to info @ dnssec-deployment.org.
SIDN to sign dot-NL in August:
Posted by Jeffrey Dewhurst in Uncategorized on January 4, 2010
SIDN, the registry for The Netherlands’ dot-NL and ENUM, announced it will implement DNSSEC one month after the root zone is signed in July, setting its implementation for August 2010. SIDN CEO Roelof Meijer said, “Waiting until the root is signed means that we won’t need to implement any interim solutions – which inevitably increase the risk of errors – and it will be possible to sign the whole chain at once. We believe that this is the best and safest way to implement DNSSEC for the dot-NL zone.”
-
You are currently browsing the archives for January, 2010
Sponsored By
Recent Comments