Archive for September, 2010

Mohan advice to CIOs on DNS security

Afilias Executive Vice President and Chief Technology Officer Ram Mohan recently shared what every CIO should do about DNS security, on SecurityWeek.com. From the article:

Companies may spend millions creating and promoting their brand in the offline world, forgetting that on the Internet their domain name is their brand. It’s often the case that it is only after a company’s DNS has come under attack, or after it has suffered downtime with a non-malicious cause, that CIOs start thinking about DNS strategically….When it comes to critical infrastructure such as DNS, the first step for CIOs is recognizing the fact that a company’s domain name is not only the online ambassador for its brand, but also the glue that holds the whole Internet-based business together. From there, the appropriate strategic decisions will surely follow.

AFNIC signs a flurry of French domains

AFNIC, the French registry, has kicked off DNSSEC deployment with a series of activities this month. It announced it has DNSSEC-signed the country-code top-level domains (ccTLDs) .fr and .re for France and the Reunion Islands, and that it has published the DNSSEC keys for .yt and .tf in the root zone, the ccTLDs for Mayotte and the Territory of the French Southern and Antarctic Lands, respectively.

This week, beginning on September 20, AFNIC will release version 3 of “ZoneCheck,” its DNS configuration test tool, a free software tool that integrates DNSSEC configuration tests. It is available on www.zonecheck.fr.  You can read AFNIC’s issue paper on DNSSEC here.

Exploring dnssec-tools.org to ease deployment

Twitter post in French that says, "I found DNSSEC-tools.org, very simply."

Looking for how to get started with DNSSEC deployment–or for tools to make it easier? You’re not alone. A companion site to this blog, dnssec-tools.org and the DNSSEC Tools Project were designed to “create a set of software tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC related technologies.”  The site includes:

The tools are open source, and options for discussion or reporting bugs are provided.  The DNSSEC Tools Project is funded by Sparta, Inc. and the U.S. Department of Homeland Security Science and Technology Directorate.

Google Chrome engineer considers TLS and DNSSEC

Writing on the Imperial Violet blog, Google Chrome engineer Adam Langley recently looked at transport layer security (TLS) and DNSSEC. He noted:

Ever since the DNS root was signed on July 15th, quite a few people have been wondering about the interaction of TLS and DNSSEC. On the one hand, trust in the CA system is lukewarm but, on the other, the deployment issues with getting DNSSEC to the client seem immense.

Those who saw Dan Kaminsky’s talk at BlackHat, which included a patched version of Chromium performing DNSSEC validation, have probably already guessed that Dan, myself and others have been working on this problem. In this blog post I’m going to try to explain the design space as I see it….In the long term, we want a stronger foundation of trust for the Internet. This means both paring back the power of the 1500 root certificates and making TLS easier to deploy and thus more commonly used. So one of the goals is to serve sites which currently don’t have a CA signed certificate. We can do that by allowing them to publish fingerprints in DNS and having browsers accept those (DNSSEC secured) fingerprints.

The post considers several questions related to encoding the data, including:

  • What type of record and where to put it
  • Handling clients without DNSSEC resolution capability
  • Fingerprints in records
  • What to hash
  • Whether to include a flag to perform CA validation
  • TLS extensions

Mexican DNSSEC tool works with Internet Explorer

website of DNSSEC.mx

A collaborative effort between the ITESM (Instituto Tecnológico y de Estudios Superiores de Monterrey) and Mexico NIC has released the beta version of a new DNSSEC tool plug-in for Internet Explorer working on a Windows operating system.   The project website includes the beta plug-in, as well as an installer, technical and user manuals and videos.

.info and .biz now signed with DNSSEC

Dark Reading and others are reporting that .info, the seventh-largest top-level domain, was DNSSEC-enabled by Afilias September 1.  The article notes:

…the signing of the .INFO zone represents the first step in Afilias’ recently announced “Project Safeguard” initiative, which will roll out DNSSEC across its registry and DNS platforms. Project Safeguard also includes an education and training program for Registrars to enable DNSSEC in their registration systems for website owners who intend to add DNSSEC signatures to their individual domains.

Now that the TLD is signed, Afilias will activate a “friends and family” period that will allow the public to gain experience with a select group of .INFO second level domain names that have also been signed. Shinkuro Inc. and Comcast have agreed to participate in this testing period. The list of “friends and family” domains includes: afilias.info, info.info, shinkuro.info, comcast.info, and 19 other domains from Comcast.

.info was the first generic, unrestricted TLD to be launched since .com.

Neustar also announced that .biz, which it administers, was signed September 8; it notes it is “the only registry to have fully deployed DNSSEC in two TLDs (.US and .BIZ).”

RIPE, SurfNet share data on early deployment

chart showing client requests for DNSSEC

Do DNS clients request DNSSEC?  RIPE Labs says yes, based on a look at the RIPE NCC server that provides secondary service to a number of country-code top-level domains (ccTLDs), which answers an average 5,000 queries per second.  The chart above shows that more than 50 percent of queries requested DNSSEC information during August 2010, a month after the root was signed and TLDs began signing their zones.  RIPE is a membership organization supporting Internet infrastructure in Europe, the Middle East and parts of Central Asia.  It is phasing out its DNSSEC reply-size tester as of October 11, 2010.

A survey conducted by SURFnet, a higher education information technology coalition in the Netherlands, concluded that “a large majority of the respondents attribute a high priority to DNSSEC…intends to take action and deploy DNSSEC, most of them within a year.”  The report noted, however, that most respondents did not yet know which hardware and software solutions they would use to achieve deployment.  See the full report here.
