Archive for October, 2010

VeriSign shares DNSSEC deployment schedule for .com, .net

VeriSign has shared its plans for deploying DNSSEC in the .net and .com operational community. Matt Larsen of VeriSign issued the following schedules today:

The .net DNSSEC deployment consists of the following major milestones:

September 25, 2010: The .net registry system was upgraded to allow
ICANN-accredited registrars to submit DS records for domains under
.net. These DS records will not be published in the .net zone until
the .net zone is actually signed. Each registrar will implement
support for DNSSEC on its own schedule, and some registrars might be
accepting DS records for .net domains now.

October 29, 2010: A deliberately unvalidatable .net zone will be
published. Following the successful use of this technique with the
root DNSSEC deployment, VeriSign will publish a signed .net zone with
the key material deliberately obscured so that it cannot be used for
validation. Any DS records for .net domains that have been submitted
by registrars will be published in the deliberately unvalidatable
zone.

December 9, 2010: The .net key material will be unobscured and the
.net zone will be usable for DNSSEC validation. DS records for .net
will appear in the root zone shortly thereafter.

The .com DNSSEC deployment will occur in the first quarter of 2011 and
will consist of the following major milestones:

February, 2011: The .com registry system will be upgraded to allow
ICANN-accredited registrars to submit DS records for domains under
.com. These DS records will not be published in the .com zone until
the .com zone is actually signed.

March, 2011: A deliberately unvalidatable .com zone will be published.
Any DS records for .com that have been submitted by registrars will be
published in the deliberately unvalidatable zone.

March, 2011: The .com key material will be unobscured and the .com
zone will be usable for DNSSEC validation. DS records for .com will
appear in the root zone shortly thereafter.


Mozilla shares its DNSSEC deployment experience

The trinity:~shyam$: Inside Mozilla IT blog shared this look at “Implementing DNSSEC for mozilla.org,” noting that DNSSEC deployment was an internal goal last quarter.  Author Shyam “is the only person on the Mozilla IT team outside the USA,” and walks readers through nine steps of deployment with his tips and advice. He notes:

I’ve never had a chance to work hands on with DNS in a large setup…it has always been “managed” DNS and that was never much of a challenge. DNSSEC was an awesome goal to work on and I had a lot of fun working on it. At first sight, DNSSEC is a little daunting – fairly new technology with a gazillion specs and RFCs but once you get a hang of the concepts, it’s easy to work with.

The author plans on a “starting from scratch to DNSSEC ready” article next.


AppSec attendees to learn about new DNSSEC tools for app developers

“Now is an opportune time for applications to begin to take advantage of some of the benefits that DNSSEC provides.”  That’s the message in a plenary session for app developers on DNSSEC at AppSec DC 2010,  a conference sponsored by The Open Web Application Security Project (OWASP) next month, November 10 and 11, in Washington, DC. 

Initiative partner Suresh Krishnaswamy of Sparta, Inc. will lead this November 10 session on “Providing application-level assurance through DNSSEC.”  It will include information on:

  • A Firefox browser extension that supports various DNSSEC indicators;
  • An API that has been developed and the modifications made to the application user interface;
  • Encouragement for application developers to consider DNS security implications in their Internet and web applications.

Go here to register and learn more about the conference.


New feedback route for Sandia DNS visualization tool

The Sandia National Lab DNS visualization tool, DNSViz, now has a new contact form through which you can share feedback on the tool.  Share your comments at http://dnsviz.net/contact/.


.ORG launches ‘Practice safe DNS’ campaign

.ORG, the Public Interest Registry, has launched a “Practice safe DNS” campaign as part of the U.S. National Cyber Security Awareness Month, with the goal to “serve as a key resource for domain holders, registrars, web developers and IT professionals to learn how they can respectively play an increasingly relevant role in providing a safer and more secure Internet.”

The site includes video testimonials from Vint Cerf of Google, Initiative partner Steve Crocker of Shinkuro, Inc., Jim Galvin and Ram Mohan of Afilias, Dan Kaminsky of Recursion, and Cricket Liu, of Infoblox.  The campaign also is active on Facebook and Twitter.  The introductory video appears above.


Comcast is 1st major U.S. ISP to roll out DNSSEC

Twitter post from Comcast Tom re: DNSSEC rollout

Comcast has begun migrating customers to DNS servers using DNSSEC protections as part of its production roll-out of DNSSEC. Comcast executive director for Internet systems Jason Livingood tells us, “So far this year, our production deployment trial has been opt-in only.  Starting [this week], customer DNS IP addresses will start to change via DHCP lease updates.”  The announcement notes that:

Best of all, customers will not need to take any action and should not notice any changes to their service, though behind-the-scenes that service will be more secure. As the first major Internet Service Provider (ISP) to do so in the United States, our customers are among the first to be getting these new security capabilities, which is part of our continuing push for a more secure Internet experience for both our customers as well as the global Internet.

Livingood also notes that, as part of the roll-out, “we have deliberately broken DNSSEC for a domain so we and others can test what happens when validation breaks.”  The results are here.

Comcast also has made available a DNSSEC public service announcement for its customers, featuring G4 Network’s “Attack of the Show” co-host Kevin Pereira:


Sandia National Labs offers DNS visualization tool

Screen shot of Sandia National Labs visualization tool, DNSviz

DNSviz, a new tool from Sandia National Laboratories, aims to help users visualize the status of a DNS zone, showing the DNSSEC authentication chain for a particular domain name and its resolution path in the DNS namespace. Designed as an aid in understanding and solving problems in DNSSEC deployment, the tool also lists configuration errors it detects.  (Above, part of the analysis for dnssec-deployment.org.)  Feedback is encouraged for the new tool.


Comcast expands NLnet Foundation grants for DNSSEC

Comcast has announced it will contribute $15,000 to an NLnet Foundation grant program designed to help open-source developers add DNSSEC features to their applications, in an effort to “help fund some developers to start working on DNSSEC-aware applications, and motivate others to do the same.”

NLnet describes the vision behind the fund this way:

Of course it is already a big win that the chain can henceforth be trusted up to the point where providers relay the answer to the client. But this is not good enough for perfectly normal use such as using a (potentially hostile) public wifi hotspot: for end users to fully benefit from DNSSEC in such cases, the software on the end user side should be able to validate DNSSEC signatures as well – especially on sensitive data like digital security keys and certificates. Most (but not all) applications depend on higher level services to handle DNS, which means that these service stacks need to be updated in all operating systems. Specific client software using their own built-in DNS services, like realtime communication software (e.g. SIP, XMPP), messaging servers and browsers, also will need to be adapted.

Comcast’s executive director for Internet systems, Jason Livingood, noted:

As Comcast and other ISPs implement DNSSEC, and domain owners start to cryptographically sign their domains, we can see a point in the near future where applications may start to show end users some indication that a domain has been secured with DNSSEC. This may be much like a web browser shows a special lock icon when a user visits a website secured with SSL.

Go here for more information or to apply for a grant.


More TLDs deploy, and new ICANN tool shows deployment statistics

Five Caribbean top-level domains have successfully deployed DNSSEC, including .ag (Antigua and Barbuda), .bz (Belize), .hn (Honduras), .lc (Saint Lucia), and .vc (Saint Vincent and the Grenadines).  The five TLDs are managed by Afilias.

ICANN research also offers this Venn diagram with updated statistics on top-level domain deployment of DNSSEC.  As of this writing, it reports:

  • 294 TLDs in the root zone in total;
  • 54 TLDs are signed;
  • 40 TLDs have trust anchors published as DS records in the root zone;
  • 9 TLDs have trust anchors published in the IANA ITAR;
  • 11 TLDs have trust anchors published in the ISC DLV Repository.

9 leaders weigh in on significance of DNSSEC deployment

dnssec.net has published the views of nine top executives and organizations on “DNSSEC Advantage: Reasons for deploying DNSSEC.”  Each viewpoint includes a look at the significance of steps leading toward deployment and asks questions about what lies in the future.

The series includes contributions from:

  • Jeremy Hitchcock, CEO, Dyn, Inc.
  • Warren Adelman, President and Chief Operating Officer, The GoDaddy Group
  • Olaf Kolkman, Director, NLNet Labs
  • Roland van Rijswijk, Technical Product Manager, SURFnet
  • Paul Vixie, President, Internet Systems Consortium
  • Anne-Marie Eklund Lowinder, Quality and Security Manager, .SE
  • Mark Beckett, Vice President of Marketing, Secure64 Software Corp.
  • Ron Aitchison, Author, Pro DNS and BIND
  • European Network and Information Security Agency (ENISA)
