Archive for June, 2010

In DNSSEC Deployment Among ISPs: The Why, How and What, Lauren Price of .org interviews “the DNS gurus at Comcast to see what they’ve learned and what advice they would give other ISPs considering DNSSEC deployment.” The post answers such questions as “What is the benefit to an end user when an ISP supports DNSSEC?” and “What advice would you give other ISPs?”  Specific lessons from Comcast’s testing of DNSSEC are included.

Members of the DNSSEC Deployment Coordination Initiative will move from the ICANN meeting in Brussels to a special two-day DNSSEC Awareness and Planning Workshop in Rome on June 30 and 31.  The workshop, to be held at the Global Cyber Security Center as its first major initiative, intends to “promote the adoption of DNSSEC globally, with a focus on key sectors in Italy and in neighboring countries in Europe, the Middle East and North Africa.”  Speakers will share experiences from Italy, Sweden, the United Kingdom, the Czech Republic, Portugal, the United States and more.

(Editor’s note:  In this post, Russ Mundy, principal networking scientist at Cobham Analytic Solutions and member of the ICANN Security and Stability Advisory Committee, reflects on this week’s DNSSEC workshop at the ICANN meeting.  A longtime participant in the global effort to move DNSSEC to deployment, Mundy is among the partners in the DNSSEC Deployment Coordination Initiative.)

Wednesday at the Brussels ICANN meeting was an exciting day for folks interested in DNSSEC deployment. There had been quite a build up for the DNSSEC Workshop including remarks by ICANN CEO, Rod Beckstrom, in his opening speech for the Brussels meeting.

There were over thirty presenters and panelists from around the globe that contributed their experiences, issues and ideas related to deployment of DNSSEC. A panel format was used to lead both in-room and remote discussions. The panels included Registry and Registrar issues, ISP and Resolver issues, Tools for DNSSEC, presentations of activities from around the region (even a few t-shirts handed out) as well as presentations on signing of the root zone. As noted in other blog entries, there were a number of DNSSEC announcements made at and around the workshop that further added to the enthusiasm and excitement.

This workshop had another milestone in that eight organizations agreed to sponsor lunch for workshop participants. So, the workshop participants received a sizable dose of DNSSEC and a free lunch.

I’m not sure who started the phrase “This is the end of the beginning for DNSSEC” but I heard it from a number of people. Almost as if to drive the point home to this humble DNSSEC enthusiast, I found that the Internet service provider for the hotel where I stayed for the meeting manipulated DNS such that I was not able to use DNSSEC at all
from my hotel room. These are, indeed, exciting times for DNSSEC deployment but there are still many things that need to be done by many people and organizations to make DNSSEC ubiquitous – but it sure is nice to have reached the “end of the beginning.”

ICANN has begun the process of putting delegation signer (DS) records into the root zone for those top-level domains (TLDs) that have signed their zones.  By the time the root is signed with a live key in mid-July, the root should be populated with the DS records of all of the TLDs that have signed their zones.  The process began this week with the DS records for Brazil (.br), the Czech Republic (.cz) and the United Kingdom (.uk); all three are now visible in the root zone.  Go here for a useful table showing the status of TLD deployment of DNSSEC.

Steve Crocker and Alexa Raad at ICANN press conference

As the ICANN Brussels meeting continues, here are more updates on DNSSEC-related activities and announcements happening there:

• Full details from the ICANN/.org joint announcement that the generic top-level domain is the first to fully deploy DNSSEC are now available, including the news release, video and photos of the news conference.
• Yesterday’s DNSSEC workshop now can be reviewed in online presentations, a transcript, and archived virtual meeting room files you can download.
• In “DNSSEC Becomes a Reality Today at ICANN Brussels,”   Afilias executive vice president and CTO Ram Mohan reports that more than two dozen organizations’ DNSSEC efforts were presented yesterday. He noted that among yesterday’s announcements, “Go Daddy publicized its commitment to DNSSEC at the ICANN meeting, telling a crowded meeting hall that it will offer a managed DNSSEC service to its customers later this year. An additional 11 registrars have completed operational testing to offer DNSSEC-signed .ORG domains to their customers.”

The Asia Pacific Top-Level Domain Association will include a DNSSEC workshop in its next members’ meeting in Colombo, Sri Lanka, June 27-28.  Also included will be workshops on IPV6, DNS operations and protecting your systems against security threats.  Go here to see the DNSSEC workshop training syllabus.

With a strong DNSSEC focus in its sessions, including today’s DNSSEC workshop, the ICANN Brussels meeting is the site of several announcements and activities related to domain name security, including:

• The .org top-level domain is the first to deploy DNSSEC as of this morning.  In a related announcement, the Internet Society became the first .org domain to deploy DNSSEC, for its ISOC.org domain.  See coverage here and here.
• .eu also deployed DNSSEC, it was announced this week.
• The Finnish Communications Regulatory Authority announced it will deploy DNSSEC, testing it this summer and putting it into production in autumn 2010.
• The DNSSEC deployment world map also was updated.

Today’s DNSSEC Workshop at ICANN has a packed agenda. Go here for details, including audiocasts, chat, and transcripts.  Topics to be covered include:

DNSSEC Workshop
DPS Framework: DNSSEC Policy and Practice Statement Framework
.ORG Transfer Tests Lessons Learned
DNS/DNSSEC and Domain Transfers: Are They Compatible?
Addressing DS Transfer: NSDS
DNSSEC.CZ
Deploying DNSSEC: Lessons Learned
Overview of Comcast’s DNSSEC Work
DNSSEC Resolving at SURFnet
PowerDNSSEC: A Different Way of Doing Authoritive DNSSEC
Overview of Open Source Tools for DNSSEC
DNSSEC Progress in .UK
DNSSEC Implementation – Julien Adam
DNSSEC Rollout Status
The .DE DNSSEC Testbed
.EU DNSSEC Deployment
DNSSEC Deployment in .PT
Starting DNSSec Deployment for .RU
Completing the Chain of Trust – Lance Wolak
Completing the DNSSEC Chain of Trust – Olaf Kolkman
Considerations in User Interface Design for DNSSEC
DNSSEC: Go Daddy Implementation
PIR – DNSSEC Chain of Trust
DNSSEC: A Foundation for Increasing Confidence in the Internet
DNSSEC for the Root Zone

ICANN chief executive Rod Beckstrom opened the ICANN Brussels meeting this week calling for cooperation in achieving DNS security. Noting that ICANN “cannot resolve these issues alone,” he said:

We need to work within our family of organizations, large and small, formal and informal, to draw on the wealth of expertise around us.

Go here to read the entire speech.  Several sessions at this week’s meeting will focus on DNSSEC, including today’s session on DNSSEC Vulnerabilities and Risk Management: A Discussion with the Experts, featuring Initiative partner and Shinkuro CEO Steve Crocker.

Coverage of today’s key signing key ceremony in Culpeper, Virginia, includes these articles:

• ICANN describes the ceremony in this post, noting “Ceremony participants referred to an extremely detailed checklist and were able to confirm that every aspect of the process was executed exactly as planned. The entire event was video-recorded simultaneously by three separate cameras, and ICANN arranged for the whole system to be subject to a SysTrust audit, a process supported by the archived, unedited video footage and the legal attestations of key participants.”  Documentation also will be published by ICANN.
• Network World’s Carolyn Duffy Marsan, in “DNSSEC security reaches ‘key’ milestone,” included comments from Initiative partner and Shinkuro CEO Steve Crocker, an observer at today’s ceremony.  He noted, “People from all over the world will be part of the process of creating the key for the top level of the DNS…They will witness and be able to report that the proper procedure was carried fairly and scrupulously.”
• Larry Seltzer, writing on PC World’s blog, titled his post, “Happy DNSSEC Day: The root is signed.”  He noted, “A few years ago I wrote a column elsewhere dismissing DNSSEC as a realistic solution because of the profound obstacles impeding it. At the time it seemed that signing the root zone was itself politically impossible, but ICANN and other responsible parties were able to alleviate concerns.”

ICANN has released the list of trusted community representatives who will participate in the root key generation and signing ceremonies, the first of which will take place tomorrow, June 16, in Culpeper, Virginia.  (An FAQ on the trusted community representatives can be found here.)  Following is the complete list, although ICANN notes that backups may be called in if needed:

Crypto Officers for the US East Coast Facility

• Alain Aina, BJ
• Anne-Marie Eklund Löwinder, SE
• Federico Neves, BR
• Gaurab Upadhaya, NP
• Olaf Kolkman, NL
• Robert Seastrom, US
• Vinton Cerf, US

Crypto Officers for the US West Coast Facility

• Andy Linton, NZ
• Carlos Martinez, UY
• Dmitry Burkov, RU
• Edward Lewis, US
• João Luis Silva Damas, PT
• Masato Minda, JP
• Subramanian Moonesamy, MU

Recovery Key Share Holders

• Bevil Wooding, TT
• Dan Kaminsky, US
• Jiankang Yao, CN
• Moussa Guebre, BF
• Norm Ritchie, CA
• Ondřej Surý, CZ
• Paul Kane, UK

Backup Crypto Officers

• Christopher Griffiths, US
• Fabian Arbogast, TZ
• John Curran, US
• Nicolas Antoniello, UY
• Rudolph Daniel, UK
• Sarmad Hussain, PK
• Ólafur Guðmundsson, IS

Backup Recovery Key Share Holders

• David Lawrence, US
• Dileepa Lathsara, LK
• Jorge Etges, BR
• Kristian Ørmen, DK
• Ralf Weber, DE
• Warren Kumari, US