Archive for category Uncategorized

ICANN Dakar meeting to hear DNSSEC updates, tutorials

ICANN 42 has begun in Dakar, Senegal, running from October 23-28. DNSSEC deployment is featured on the program in two key sessions at the meeting:

  • DNSSEC for Everybody–A Beginner’s Guide, taking place on Monday at 16:00, will cover the basic and core concepts of the domain name system and the chain of trust, as well as real-world examples of DNSSEC in action. Presenters include Roy Arends and Simon McCalla of Nominet; Norm Ritchie of ISC; and Russ Mundy of Cobham. An agenda and options for virtual participation are included at the link.
  • DNSSEC Workshop, a half-day session beginning at 8:30 on Wednesday, will look at DNSSEC deployment around the world; share best practices for deployment in ISPs; review top-level domain deployment updates; and discuss blocking and DNSSEC, DNSSEC in the wild, and the long-term consequences of DNSSEC deployment and IPv6. The panels will include speakers from AFTLD, Cobham, CZNIC, DENIC, Global Cyber Security Center, ICANN, IKS-JENA, ISC, .KE, .NA, NIC.FR, NSRC/TRSTECH and AfriNIC, PIR/Afilias, Shinkuro, .SN, and VeriSign. Presentations, an agenda and remote participation options are at the link.


Congressional cloud computing hearing: DNSSEC ‘crucial’ to FedRAMP

In congressional testimony on the security implications of cloud computing,  John Curran, President and CEO of ARIN, the American Registry for Internet Numbers, noted the importance of DNSSEC and IPv6 in securing the cloud:

These new standards are quite important in protecting the global Internet from cybercrime, in that they insure that Internet users reach the actual web site that they intended to, and that their communication is protected in the process. When it comes to agency use of cloud computing services, these protections are equally important, since these services are reached over the public Internet.

Curran said it is “crucial” that the Federal Risk and Authorization Management Program (FedRAMP) “clearly and unambiguously incorporates DNSSEC and IPv6.” He testified before the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee of the House Homeland Security Committee.

NANOG 53 to meet in Philadelphia, focus on DNSSEC

NANOG, the North American Network Operators’ Group, convenes its 53rd meeting in Philadelphia beginning Sunday, October 9, followed by the 27th meeting of ARIN, the American Registry of Internet Numbers. DNSSEC-related sessions on the NANOG program include:

  • A DNSSEC tutorial on Sunday, October 9, led by Verisign’s Matt Larson; and
  • A tutorial titled “You can’t do that with nslookup: DNS(sec) troubleshooting,” led by Michael Sinatra of the University of California, Berkeley.


Upcoming workshops continue DNSSEC learning opportunities

October and November bring more learning opportunities about DNSSEC, including these sessions:

  • LACNIC, the Latin American and Caribbean Internet Addresses Registry, convenes LACNICXVI October 3-7 in Buenos Aires, with a DNSSEC tutorial earlier this week on October 3. NLNet Labs’ Olaf Kolkman, the workshop leader, has announced his goal that 2/3 of the workshop attendees turn on DNSSEC validation, and 1/3 sign their zone.
  • The Internet Society’s Internet On conference in Buenos Aires October 5 includes a session on a new ISOC initiative to “create and promote resources that are easy to understand and quickly actionable by the very IT professionals responsible for the implementation of new technologies like IPv6 and DNSSEC.”
  • Portugal’s .PT is sponsoring a cycle of fall workshops, including two on October 19 and November 18. The workshops are designed for professionals in the banking, public administration and judicial sectors.
  • ICANN 42, taking place October 23-28 in Dakar, Senegal, is expected to include DNSSEC workshops; the workshop schedule has not yet been released.

Presentations from the recent RIPE regional meeting in Dubrovnik, including those on DNSSEC, are now archived here.


Cisco whitepaper describes DNSSEC best practices for network implementation

A white paper issued by Cisco, “Preparing for DNSSEC: Best Practices, Recommendations, and Tips for Successful Implementation,” reviews best practices for implementing DNSSEC in a network infrastructure and includes configurations for Cisco software, platforms and devices. The step-by-step instructions, aimed at Cisco-using network administrators, also include insights from internal testing performed by Cisco Security Research & Operations, such as how different versions of Cisco products will affect validation. Authors John Stuppi and Joseph Karpenko are members of the Applied Intelligence team in Cisco’s Security Research & Operations organization.


DNSSEC “gets more useful” in Windows 8

Mark Minasi’s Windows Networking Tech page reports on what he learned at Microsoft’s recent BUILD conference about Windows Server 8. He notes that DNSSEC “gets more useful” in this version:

… DNSSEC is an up-and-coming technology that many of you will want to implement on your networks, and you also know that while Microsoft implemented DNSSEC in Windows Server 2008 R2 and Windows 7, their implementation was a bit uneven. You must sign your zone by taking it offline and running a few pretty long, ugly DNSCMD commands. It can’t validate zones that use the March 2008 RFC that introduces NSEC3, an innovation that most important zones are using.

With W8S, that changes.  Its new DNS does NSEC3 and can be configured to automatically sign your zones as they change.  Haven’t had time to try it out but it sounds pretty good.


Blog urges email admins to look beyond websites, use DNSSEC to secure email certificates

The Email Admin blog urged organizations to consider DNSSEC as a solution to some of the most pressing email problems, from spam and phishing to creating private emails. In this post, it noted how email administrators could benefit from widespread deployment of DNSSEC:

What’s good about DNSSEC is that it can be used beyond just authenticating website traffic. That Internet-wide authentication database created by the technology could also be used to authenticate email certificates. Those certificates would go a long way in reducing spam, muzzling phishing attacks and enabling private email—email that’s encrypted and can only be decrypted by its intended recipient. In order for that to happen, however, DNSSEC needs to be adopted throughout the cyberspace food chain—from those at the top of the domain structure to the ISPs to the browser and client makers.

 


DNSSEC certificates stable in Chrome

Google’s Adam Langley reports on his Imperial Violet blog that, with Chrome 14 now stable, all Chrome users have DNSSEC-authenticated HTTPS. The experimental feature “allows sites to use DNSSEC, rather than traditional, certificates and is aimed at sites which currently use no HTTPS, or self-signed certificates.” He has also documented the serialisation format.


U.S. Department of Defense clears way to sign .mil with DNSSEC

The U.S. Department of Defense has authorized its Network Information Center to sign the .mil zone with DNSSEC, it was announced. The move is a major step forward in the U.S. government’s efforts to deploy DNSSEC across its domains.

Limited to use by the U.S. military, the .mil top-level domain will be signed over a three-month period, starting with an unvalidatable key and progressing to publication of the .mil key to allow validation across the Internet. The tentative timeline calls for the zone to be signed by December 12, 2011.

.mil is a sponsored TLD and was one of the first top-level domains, created in January 1985. The U.S. is the only country with a top-level domain for its military.

 



Iran Gmail ‘man-in-the-middle’ attack prompts DNSSEC discussion

A man-in-the-middle attack targeting Iranian users of Gmail left them vulnerable to having their logins stolen, and prompted discussion of DNSSEC’s security protocols. In “Google Users in Iran Targeted in SSL Spoof,” CNet News notes that DNSSEC offers another way to validate that a site is legitimate. From the article:

“The SSL ‘race to the bottom’ CA model is broken. Fraudulent certificates have been issued before, even without breaching a CA’s systems,” Johannes B. Ullrich, dean of research at the SANS Technology Institute, wrote in a blog post today. “But what can you do to replace or re-enforce SSL?”

DNSSEC (Domain Name System Security) can provide another way to validate that a site is legitimate, but it is not perfect, either, he said. In addition, there are browser plug-ins that implement reputation systems. One plug-in that has gained traction is Convergence, which works with Firefox and compares the certificate with other certificates received from the same site, he said.
