Archive for November, 2011

The SANS Institute, which operates the Internet Storm Center, has awarded the 2011 U.S. National Cybersecurity Innovation award to the U.S. Department of Homeland Security’s Cyber Security Research & Development Center. The center is part of the agency’s Science and Technology Directorate’s Cyber Security Division, which sponsors the DNSSEC Deployment Coordination Initiative, which works to encourage all sectors to voluntarily adopt security measures that will improve security of the Internet’s naming infrastructure as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors.

The institute announced that the award recognizes the creation of  “a federal cybersecurity research and development program that ensures that the research funded by federal agencies has a practical effect in reducing cyber risk….This has required the R&D community to think beyond the theoretical and to consider a more practical horizon.”  It noted that “In particular, DHS S&T’s long-term support of DNSSEC ensures that public users of online government services are confident the website they visit and over which they transmit information is an authentic government website and is secure.”

“It’s gratifying to see our six years of support for DNSSEC recognized in this way,” said Douglas Maughan, Ph.D., who directs the DHS division for cyber security R&D. “DNSSEC is a great example of how research can pay off, through a process that continually calls upon researchers to focus on work that can result in real products and real risk reductions.  DNSSEC today is providing increased security for the Internet infrastructure and is impacting Internet operations organizations, private industry, and the U.S. Government.”

Edward Rhyne, the division’s program manager, accepted the award from White House Cyber Coordinator Howard Schmidt at the National Cybersecurity Innovation Conference in Washington, DC, on October 11.

The Network Startup Resource Center has posted an album of photos from the recent DNSSEC workshop at the ICANN meeting in Dakar, including this photo of Initiative partner Steve Crocker, CEO of Shinkuro, Inc. and chairman of the board of ICANN.

Wes Hardaker demonstrates the DNSSEC-Nodes utility, which is a graphical DNS visualization tool from the DNSSEC-Tools software suite. The tool is intended for visually demonstrating and debugging DNS and DNSSEC deployments.

A variety of individuals and institutions have been opposing two congressional legislative proposals that would impact DNSSEC. Among them:

• Google Executive Chairman Eric Schmidt spoke against the two legislative proposal in a speech at the MIT Sloan School of Management, calling them “draconian” and “censorship.”
• The Brookings Institution has issued a new report, Cybersecurity in the Balance: Weighing the Risks of the PROTECT-IP Act and the Stop Online Privacy Act, calling the legislative proposals “the first legislation that pits our cybersecurity priorities against entrenched economic interests, highlighting a very real social choice.”
• Writing on the Public Knowledge policy blog, Ernesto Falcon writes about the recently unveiled Federal Bureau of Investigation’s Operation Ghost Click, “a multi-year operation that dismantled an international cyber ring that hacked into four million computers worldwide,” using vulnerabilities in the domain name system to do so.  Falcon, a former aide to U.S. Representative Bart Stupak (D-Mich.), wrote “Hopefully, Operation Ghost Click will show Congress that DNSSEC has extraordinary value to the public and should not be sacrificed for minimal gains against Internet piracy.”

A new report from InterConnect Communications compares the United Kingdom’s progress in deploying DNSSEC with that of European Union member states and other G20 nations. The report also looks at the progress of UK registry Nominet, compared to other national registries in DNSSEC deployment, and identifies technical and economic barriers to deployment, as well as barriers preventing adoption and deployment by UK hosting providers, Internet Service Providers and businesses. From the report:

 The crucial barrier to DNSSEC deployment in the UK is an economic and commercial one: lack of concrete demand in commercial settings. The UK is now in a position to see if a small set of early adopters will lead to the critical mass necessary for ISPs, hosting companies and registrars to begin offering DNSSEC related services and products.

The report also concludes that “The UK is the second largest Country Code Top Level Domain (ccTLD) in Europe and is now ready for wide-scale production deployment of DNSSEC for .UK domain holders. Amongst G20 nations, the UK is also the second largest of the signed zones ready for production.”

The 52-page report offers extensive analysis of UK and European deployment and corporate adoption of the protocols as well as comparative data from G20 nations.

• Presentations from the recent DNS Easy 2011 Workshop at the Global Cyber Security Center in Rome, held in October, are now online, including those on evolution in the DNS, potential impact of failure in DNSSEC validation, DNSSEC automation and monitoring and more. Presenters included representatives from China, Italy, Japan, the Netherlands, and the U.S.
• Minimizing Information Leakage in the DNS, by Scott Rose and Anastase Nakassis  of the U.S. National Institute of Standards and Technology addresses signed DNS nodes, which have “an unfortunate side effect of signed DNS nodes: an attacker can query them as reconnaissance before attacking individual hosts on a particular network.” The paper offers options for minimizing zone information leakage while retaining the benefits of DNSSEC-signed zones.
• DANE: Taking TLS Authentication to the Next Level Using DNSSEC, by Richard L. Barnes, appears in the most recent issue of the IETF Journal. It notes that, “while DANE holds the promise of more direct authentication, it will also create some new security challenges” and require DNS operators to “play a more critical role in securing applications.”  The journal editor noted “The advent of DNSSEC deployment raises the intriguing possibility of using the DNS as a secure repository for certificates in the future. In our cover article, Richard Barnes offers a detailed overview of the DANE working group’s efforts to make this possibility a technical reality.”