Archive for category Uncategorized

Writing in CircleID,  Interlan CTO Torbjörn Eklöv described a novel test of DNSSEC in The Christmas Goat, IPv6 and DNSSEC — Second Season. His company was asked for the second year in a row to assist with load share in the live-streaming of the famous Christmas Goat display in Gävle, Sweden, a task that allowed him to compare IPv6 usage and DNSSEC validation from visitors to the site. Starting on November 27,

we were able find out that both usage of native IPv6 and DNSSEC validation have increased quite a lot this year. The native IPv6 users increased from 0.1% to 0.5% and the DNSSEC validation from 44% to 72%.

The test, and the goat, had an untimely end when the goat burned down on December 2. “But with the experience from the test last year, and this year, I only need few days to get quite an accurate percentage of the use of IPv6 and DNSSEC from the visitors. This year I did a check after two days, last year I checked several times and the result was surprisingly correct after only a few days,” he reports.

Czech voice and data mobile operator Vodafone has announced that it has secured its domain and web services with DNSSEC, making it the first mobile operator in the Czech Republic to do so. The company notes that its customers have two ways to find out whether their connections are secure:

On the www.dnssec.cz site is an automatic test, which displays a green or red icon showing the key users, whether their connection is, respectively, not safe. The second option offers an add-on for Firefox, which can be downloaded for free from www.dnssec-validator.cz. This program allows you to control whether or not the currently visited domain is protected, again displaying an icon key, this time directly in the address bar of your browser window.

Part of the international Vodafone Group, the company serves more than three million customers in the Czech Republic.

PayPal has announced that all of  its owned and operated domain names are now DNSSEC-secured. It joins several country-code top-level domains that have announced their deployment of DNSSEC in recent weeks.  Russia’s .su, which is made up of about 90,000 second-level domain names, has been DNSSEC-signed. The Technical Center of Internet says it plans to sign root national domains .РФ and .RU with DNSSEC in 2012. Also DNSSEC-signed are Uganda’s .ug, Myanmar’s .mm, Slovenia’s .si, New Zealand’s .nz and Tawain’s .tw.

Comcast’s vice president for Internet systems, Jason Livingood, updated the company’s progress in deploying DNSSEC today. Noting that the company has signed more than 90% of its domain names, Livingood called on banking and commerce domain owners to sign their domains. From the blog post:

Since 2010, our deployment has steadily progressed and we have reached a couple of significant milestones. First, Comcast owns thousands of domains such as comcast.com. We have now cryptographically signed more than 5,000 of our domains, representing over 90% of our domain names. Second, we now have 50% of our 17.8M Internet customers using our DNSSEC-validating servers. We expect to complete signing all of our domain names and having all of our customers use our DNSSEC-validating servers in early 2012.

Now that millions of Internet users in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially for commerce and banking-related sites, to begin signing their domain names. PayPal has already taken this important step, which we applaud, and we encourage other domains to follow their lead.

The SANS Institute, which operates the Internet Storm Center, has awarded the 2011 U.S. National Cybersecurity Innovation award to the U.S. Department of Homeland Security’s Cyber Security Research & Development Center. The center is part of the agency’s Science and Technology Directorate’s Cyber Security Division, which sponsors the DNSSEC Deployment Coordination Initiative, which works to encourage all sectors to voluntarily adopt security measures that will improve security of the Internet’s naming infrastructure as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors.

The institute announced that the award recognizes the creation of  “a federal cybersecurity research and development program that ensures that the research funded by federal agencies has a practical effect in reducing cyber risk….This has required the R&D community to think beyond the theoretical and to consider a more practical horizon.”  It noted that “In particular, DHS S&T’s long-term support of DNSSEC ensures that public users of online government services are confident the website they visit and over which they transmit information is an authentic government website and is secure.”

“It’s gratifying to see our six years of support for DNSSEC recognized in this way,” said Douglas Maughan, Ph.D., who directs the DHS division for cyber security R&D. “DNSSEC is a great example of how research can pay off, through a process that continually calls upon researchers to focus on work that can result in real products and real risk reductions.  DNSSEC today is providing increased security for the Internet infrastructure and is impacting Internet operations organizations, private industry, and the U.S. Government.”

Edward Rhyne, the division’s program manager, accepted the award from White House Cyber Coordinator Howard Schmidt at the National Cybersecurity Innovation Conference in Washington, DC, on October 11.

The Network Startup Resource Center has posted an album of photos from the recent DNSSEC workshop at the ICANN meeting in Dakar, including this photo of Initiative partner Steve Crocker, CEO of Shinkuro, Inc. and chairman of the board of ICANN.

Wes Hardaker demonstrates the DNSSEC-Nodes utility, which is a graphical DNS visualization tool from the DNSSEC-Tools software suite. The tool is intended for visually demonstrating and debugging DNS and DNSSEC deployments.

A variety of individuals and institutions have been opposing two congressional legislative proposals that would impact DNSSEC. Among them:

• Google Executive Chairman Eric Schmidt spoke against the two legislative proposal in a speech at the MIT Sloan School of Management, calling them “draconian” and “censorship.”
• The Brookings Institution has issued a new report, Cybersecurity in the Balance: Weighing the Risks of the PROTECT-IP Act and the Stop Online Privacy Act, calling the legislative proposals “the first legislation that pits our cybersecurity priorities against entrenched economic interests, highlighting a very real social choice.”
• Writing on the Public Knowledge policy blog, Ernesto Falcon writes about the recently unveiled Federal Bureau of Investigation’s Operation Ghost Click, “a multi-year operation that dismantled an international cyber ring that hacked into four million computers worldwide,” using vulnerabilities in the domain name system to do so.  Falcon, a former aide to U.S. Representative Bart Stupak (D-Mich.), wrote “Hopefully, Operation Ghost Click will show Congress that DNSSEC has extraordinary value to the public and should not be sacrificed for minimal gains against Internet piracy.”

A new report from InterConnect Communications compares the United Kingdom’s progress in deploying DNSSEC with that of European Union member states and other G20 nations. The report also looks at the progress of UK registry Nominet, compared to other national registries in DNSSEC deployment, and identifies technical and economic barriers to deployment, as well as barriers preventing adoption and deployment by UK hosting providers, Internet Service Providers and businesses. From the report:

 The crucial barrier to DNSSEC deployment in the UK is an economic and commercial one: lack of concrete demand in commercial settings. The UK is now in a position to see if a small set of early adopters will lead to the critical mass necessary for ISPs, hosting companies and registrars to begin offering DNSSEC related services and products.

The report also concludes that “The UK is the second largest Country Code Top Level Domain (ccTLD) in Europe and is now ready for wide-scale production deployment of DNSSEC for .UK domain holders. Amongst G20 nations, the UK is also the second largest of the signed zones ready for production.”

The 52-page report offers extensive analysis of UK and European deployment and corporate adoption of the protocols as well as comparative data from G20 nations.

• Presentations from the recent DNS Easy 2011 Workshop at the Global Cyber Security Center in Rome, held in October, are now online, including those on evolution in the DNS, potential impact of failure in DNSSEC validation, DNSSEC automation and monitoring and more. Presenters included representatives from China, Italy, Japan, the Netherlands, and the U.S.
• Minimizing Information Leakage in the DNS, by Scott Rose and Anastase Nakassis  of the U.S. National Institute of Standards and Technology addresses signed DNS nodes, which have “an unfortunate side effect of signed DNS nodes: an attacker can query them as reconnaissance before attacking individual hosts on a particular network.” The paper offers options for minimizing zone information leakage while retaining the benefits of DNSSEC-signed zones.
• DANE: Taking TLS Authentication to the Next Level Using DNSSEC, by Richard L. Barnes, appears in the most recent issue of the IETF Journal. It notes that, “while DANE holds the promise of more direct authentication, it will also create some new security challenges” and require DNS operators to “play a more critical role in securing applications.”  The journal editor noted “The advent of DNSSEC deployment raises the intriguing possibility of using the DNS as a secure repository for certificates in the future. In our cover article, Richard Barnes offers a detailed overview of the DANE working group’s efforts to make this possibility a technical reality.”