Archive for February, 2010
Comcast to deploy DNSSEC by 1st quarter 2011
Posted by Denise Graveline in Uncategorized on February 23, 2010
After two years of testing DNSSEC, Comcast — the largest provider of cable services in the U.S., with 23.6 million cable customers, 15.9 million high-speed Internet customers and 7.6 million voice customers — announced it is starting a trial today and plans to implement DNSSEC by the first quarter of 2011 or sooner. In a blog post, Comcast noted:
We plan to implement DNSSEC for the websites we manage, such as comcast.com, comcast.net and xfinity.com, by the first quarter of 2011, if not sooner. By the end of 2011, we plan to implement DNSSEC validation for all of our customers….If you don’t want to wait until 2011, you can participate in our DNSSEC customer trial, which starts today. Opt-in by changing your DNS server IP addresses to 75.75.75.75 and 75.75.76.76 (we’ll be adding IPv6 addresses soon). The servers supporting this are deployed nationally in the same locations as our other DNS servers that millions of customers use everyday.
You can find FAQs on the Comcast trial here.
Free registration available for FOSE, DNSSEC session
Posted by Denise Graveline in Uncategorized on February 14, 2010
FOSE, the federal information technology conference and expo, offers free registration to federal employees and military personnel. Don’t fit into those categories? The DNSSEC Deployment Coordination Initiative can offer you free registration at this special link.
You can see the full program for the March 24 daylong session “What’s Next in DNSSEC,” sponsored by the Initiative, here. Featured will be updates on U.S. federal government DNSSEC deployment and next steps; state, municipal and public-private network deployment; perspectives on DNSSEC in the commercial, educational and nonprofit sector domains; and lessons learned from deployment across the federal system. The program is free but requires pre-registration.
Internet 2 Joint Techs meeting features campus DNSSEC
Posted by Denise Graveline in Uncategorized on February 9, 2010
Shumon Huque of the University of Pennsylvania reports that the winter ESCC/Internet 2 Joint Techs meeting featured these talks focused on DNSSEC deployment:
- In a talk on the .EDU DNSSEC testbed, Huque and Larry Blunk of Merit Network reviewed DNSSEC plans and features for the .EDU top-level domain, managed by Educause; results of the domain’s DNSSEC testbed conducted by VeriSign and Educause; and how .EDU domain holders will interact with the DNSSEC enabled .EDU registration system.
- Michael Sinatra of the University of California, Berkeley, discussed DNSSEC on Campus, focusing on “real-world experience” based on UC Berkeley’s work signing zones and validating those of others, and participating in a DNSSEC testbed.
- The DNSSEC Rollout Experiences at U.S. Department of Energy National Labs panel included representatives from the Ames Laboratory; the Argonne, Brookhaven and Oak Ridge National Laboratories; and the Energy Sciences Network (ES.net), discussing DNSSEC deployment at national labs in the wake of U.S. federal government requirements.
The meeting took place in Salt Lake City, Utah, January 31-February 2.
RIPE Labs measures DNS transfer size
Posted by Denise Graveline in Uncategorized on February 8, 2010
RIPE Labs has reported the initial results from an effort to measure DNS transfer size, to determine whether larger DNSSEC responses would pose problems once the K-root begins to provide DNSSEC responses to requesting resolvers, and whether the larger responses would reach the resolvers. From the article: “The good news is that the vast majority of measurements yield transfer sizes that will fit current DNSSEC answers from root name servers,” although “some resolvers that could experience time-outs and delays due to misconfigurations and middleware.”
Visual inventories track U.S., Sweden deployment
Posted by Denise Graveline in Uncategorized on February 8, 2010
As DNSSEC deployment rolls out in government domains in the U.S. and elsewhere, we’re seeing more lists that visually display the status of deployment within a top-level domain. Here are some recent examples:
- From the U.S. .GOV TLD: Using a list of domain names taken from the web sites catalogued in the USA.gov website, Initiative partner Scott Rose of the U.S. National Institute of Standards and Technology wrote a script that queried which had a secure link from .GOV. The results, shown here, note that the “U.S. Federal Government maintains some domain names outside of the .gov gTLD. Likewise, there are state, local, and sovereign nation delegations found in .gov that are not required to deploy DNSSEC, but may deploy voluntarily.” Signed U.S. state domains include Vermont’s vermont.gov, vermonttreasurer.gov, and healthvermont.gov, the state’s health department; Idaho’s idaho.gov and idahobyways.gov from the state’s transportation department; Louisiana‘s lacoast.gov, from the Louisiana Coastal Wetlands Conservation and Restoration Task Force; the Tennessee Valley Authority’s tva.gov; Utah Fire Info, a federal-state partnership; and Virginia.gov.
- From Sweden: Two separate pages display DNSSEC deployment progress among municipal domains and in public sector agencies there, with hundreds of sites listed.
DNSSEC overhead examined
Posted by Denise Graveline in Uncategorized on February 3, 2010
Cricket Liu of Infoblox has posted a second article in his series on DNSSEC overhead. He notes:
…I’ve recommended that organizations deploying DNSSEC watch the CPU load on their recursive name servers carefully: As the proportion of responses that are signed increases, so will the load on their recursors. Ultimately, though, the ever-increasing speed of processors and networks will trump the burden DNSSEC adds. Years from now – assuming DNSSEC becomes widely deployed – we’ll look back at our concerns about the overhead of DNSSEC and chuckle. I hope.
Deployment watch: SWITCH turns on DNSSEC at Domain Pulse meeting
Posted by Denise Graveline in Uncategorized on February 3, 2010
Circle ID reports that SWITCH, the registry for Switzerland’s .CH and .LI, was enabled yesterday at the Domain Pulse conference in Luzern. From the article:
SWITCH became the third ccTLD registry to enable DNSSEC giving registrants of .CH domain names added security following .SE (Sweden) and .CZ (Czech Republic)….At the Domain Pulse conference, Urs Eppenberger of SWITCH and Marc Furrer of the Swiss Federal Communications Commission (ComCom) enabled DNSSEC….”I am particularly proud of the fact that Switzerland is one of the first countries in Europe to introduce DNSSEC. This now guarantees security in the internet” said a delighted Marc Furrer, President of ComCom, in a statement.
Speakers added to DNSSEC FOSE program
Posted by Denise Graveline in Uncategorized on February 2, 2010
New speakers have been added to the Initiative’s daylong session What’s Next in DNSSEC at the FOSE conference and expo in March in Washington, DC. New speakers include representatives from Afilias, BlueCat Networks, Data Mountain Solutions, F5 Networks, Nominum, Secure64 and Xelerance.
Preview: DNSSEC workshop at ICANN Nairobi meeting
Posted by Denise Graveline in Uncategorized on February 1, 2010
ICANN’s Security and Stability Advisory Committee will convene a DNSSEC workshop at the Nairobi meeting on Wednesday, March 10, from 9:00 am to 12 noon. The program, intended for “anyone with an interest in the deployment of DNSSEC, especially registry and registrar representatives from technical, operational, and strategic planning roles,” is still in development. Thus far, updates are expected on these topics:
- Implementation of DNSSEC at the Root
- Operational issues with DNSSEC, including technical presentations on transfers and key rollovers
- Adoption Issues, including experience with hurdles and incentives
- Activities from the region
- Extending DNSSEC deployment
To register or learn more about the ICANN Nairobi meeting, go here.
-
You are currently browsing the archives for February, 2010
Sponsored By
Recent Comments