Archive for April, 2010

EDUCAUSE notes that registration is almost full for its April 29 webinaron DNSSEC in the .edu Domain, featuring Becky Granger, EDUCAUSE director of information technology and member services, and host Steve Worona.  You’ll find additional background resources and links on DNSSEC on the webinar registration page.

Two speakers from the DNSSEC Deployment Coordination Initiative–Shinkuro CEO Steve Crocker and U.S. National Institute of Standards and Technology computer scientist Scott Rose–will speak at Internet2’s Spring 2010 meeting next week in Arlington, VA, as part of a panel on DNSSEC.   Joining them will be Shumon Huque of the University of Pennsylvania; Anthony Iliopoulos of Louisiana State University; and Rodney Peterson of EDUCAUSE.  The meeting will take place April 26-28 at the Crystal Gateway Marriott in Arlington; go here for registration and more details.

Afilias Executive Vice President and Chief Technology Officer Ram Mohan urged registrars, registries, ISPs, enterprises and developers to get a DNSSEC strategy in a blog post today, noting that “DNSSEC is not pie-in-the-sky talk any more. It’s a reality as current and pressing as the need to migrate to IPv6…if you haven’t started planning for DNSSEC yet, you should start to wonder whether you’re behind the curve.”  For application developers, he looks ahead, noting, “DNSSEC creates an entirely new piece of Internet infrastructure upon which software developers can apply their ingenuity. Over the next few years we should expect to see applications leveraging domain name security in ways we cannot imagine now.”  The post includes a video and an overview of recent progress toward DNSSEC deployment.

The Internet Protocol Journal has just published an article about Rolling Over DNSSEC Keys, authored by George Michaelson and Geoff Huston of APNIC; Patrick Wallström of .SE; and Roy Arends of Nominet.  The editor notes that the article examines “what happens in two widely used DNS resolver implementations when DNS clients lag behind in synchronizing their local copy of trust keys with the master keys used by the zone administrators to sign their DNS data.”  Here’s what the authors conclude: 

….in this situation of slippage of synchronized key state between client and server, the effect is both local failure and the generation of excess load on external servers—and if this situation is allowed to become a common state, it has the potential to broaden the failure state to a more general DNS service failure through load saturation of critical DNS servers.

This aspect of a qualitative change of the DNS is unavoidable, and it places a strong imperative on DNS operations and the community of the 5 million current and uncountable future DNS resolvers to understand that “set and forget” is not the intended mode of operation of DNSSEC-equipped clients.

Network World reports this week that “Top U.S. domain name registrars lag on DNS security,” noting that:

….none of the top 10 domain name registrars in the United States has committed to a deadline for deploying DNSSEC….only four responded to queries about the status of their DNSSEC deployments. None of these registrars would commit to a deadline for when they will support this new security mechanism.

The article includes comments from Network Solutions, Dotster, GoDaddy and eNom.