Archive for October, 2010

Duane Wessels of VeriSign, Wes Hardaker of SPARTA/Cobham, and ICANN’s Mehmet Akcin presented on the signing of the root zone and updates on what’s happened since the root signing, at NANOG 50, the North American Network Operators’ Group conference in Miami this week.  Attendees heard about “benefits that can be gained from making applications DNSSEC-capable and some of the DNSSEC-capable applications that are available today.”  You can find all the DNS and DNSSEC presentations from NANOG 50 here.

EDUCAUSE Quarterly has published “Helping Secure the Internet with DNSSEC,” detailing the deployment experience within the lsu.edu domain at Louisiana State University. Authors John C. Borne, the university’s chief IT security and policy and LSU manager Allie Hopkins describe the university’s process and considerations in testing and deploying DNSSEC, and conclude:

From LSU’s perspective, we would very much like to see it grow and succeed through a rapid, yet voluntary, sequence of adoption. It’s a pretty solid bet that, whether by regulation or incentive, organizations will feel more pressure from governmental, standards, and industry groups attempting to induce adoption of DNSSEC. As more DNSSEC-aware appliances and applications come online, popular demand may combine with the influence of these groups to make DNSSEC nearly ubiquitous and allow it to deliver its maximum benefit. In adopting DNSSEC at LSU, we have ignored its imperfections. What other solution has a better chance of success? Despite weaknesses, or the many things it will not protect us from, DNSSEC still provides good protection and, more importantly, a basis upon which to build improved security for the Internet.

EDUCAUSE, a nonprofit organization, works to advance Internet issues within the U.S. higher education community.

• Germany-based InterNetX announced it now offers DNSSEC for the .ch (Switzerland) and .li (Lichtenstein) domains; it is the first partner of SWITCH, a provider of internet services for universities and users, to do so.
• Denmark’s .dk country-code top-level domain has deployed DNSSEC (announcement in Danish).
• The U.S. federal government announced new IPv6 requirements for U.S. federal agencies, which must “run native IPv6 on their Web, email, ISP, and DNS servers and services by the end of fiscal year 2012, and their internal client applications by fiscal year 2014,” according to Dark Reading.
• Nominet, which manages .uk, issued this incident report on the accidental release of a new Zone-signing-key into its live zone file. The report includes a diagnosis of what occurred and procedures being put in place to avoid a similiar incident in the future.
• Government Computer News reported on a new study on DNSSEC deployment by U.S. federal agencies which showed slow adoption of DNSSEC. Conducted for the Internet security company Internet Identity, the study “found that 38 percent of the federal domains tested had been digitally signed using the DNSSEC by mid-September.”
• Patches have been issued by the Internet Systems Consortium (ISC) for a DNSSEC-validation vulnerability found in “the widely deployed BIND DNS server’s DNSSEC implementation,” according to eSecurity Planet. Infoblox vice president Cricket Liu said the vulnerability has a low severity rating from ISC and network administrators should simply upgrade to the latest version of BIND to achieve the needed protection.