Archive for November, 2010

Japan’s registry service, JPRS, has announced it will introduce DNSSEC in .jp domain name services in mid-January 2011.  It noted:

JPRS regards DNSSEC as the most effective and feasible current solution against the security threats caused by frauds of DNS responses. Based on this view, JPRS has researched and developed the method of implementing DNSSEC into large-scale zones, while discussing operational technology and roadmap toward diffusion through collaboration with DNS-related parties from home and abroad.

At present, we are conducting tests and reviews of specifications in order to implement DNSSEC, as well as performing technological evaluation with a wide range of DNS-related parties listed below.

In addition to deploying DNSSEC in .jp and the domain name services it provides, JPRS will be “conducting promotional and educational activities and providing information to different DNS-related parties categorized as follows.”

Top-level domains for  Gibraltar (.gi), Mongolia (.mn), and the Seychelles (.sc) are now DNSSEC-enabled, Afilias has announced.  The move is part of “Project Safeguard” at Afilias, which now has 11 secured TLDs on its registry platform.

SIDN, manager of The Netherlands’ .nl zone and ENUM NL, has published the public key for .nl in the root and created a “Friends & Fans” program to encourage DNSSEC deployment and gain practical experience with the security extensions.

DNSSEC-experienced registrants now have “the option of publishing the ‘public keys’ for a small number of domain names,” and including them in the .nl zone file, beginning with sidn.nl, gigaport.nl and surfnet.nl.

SIDN CEO Roelof Meijer noted:

The Friends and Fans program is the next step towards the introduction of DNSSEC for all .nl domain names. That goal should be achieved by the end 2011. Over the last few months, we have seen market interest in DNSSEC really start to take off: about 60 TLDs (top-level domains) are now signed, compared with just 20 at the start of the year. In March 2011, .com is going to be signed as well, and we fully anticipate still greater interest in DNSSEC before the year is out.

At BlackHat in Abu Dhabi yesterday, security researcher Dan Kaminsky released “Phreebird,”  a free toolkit designed to show organizations how easy DNSSEC is to implement by letting them try it out.  Dark Reading notes:

The goal is to show how DNSSEC could be used to “bootstrap” trust — a.k.a. authentication — across organizations, he says, authenticating clients, business partners, customers, contractors, and other groups with one another….Kaminsky hopes to dispel concerns that DNSSEC will be complex, disruptive, and expensive to deploy in organizations. “Application developers don’t want to be cryptography experts,” Kaminsky says. “They just want the key … and to move on.”

You can find the new toolkit on the BlackHat website.

 IETF convened in Beijing, China, and DNSSEC’s deployment in Asian nations took center stage, including these steps forward:

• Afilias will collaborate with .asia to bring DNSSEC implementation to the domain. The DotAsia Organization oversees the “.Asia” top-level Internet domain name, and is a regional consortium that includes .cn (China), .jp (Japan), .kr (Korea), .in (India), .nz (New Zealand), and .ph (Philippines),  as well as the regional Internet organizations APNIC, APNG, APCERT, PAN and APTLD.
• DNSSEC is enabled for India’s .in top-level domain, Afilias announced.  The .in TLD represents more than 700,000 domains.
• AFNIC announced that the .wf top-level domain for the South Pacific island territory Wallis and Futuna has been signed with DNSSEC.

In other news, the registry for .eu top level domains (TLDs) EURid reports that 87% of the world’s TLD internet operators have yet to deploy DNSSEC.

ICANN’s Interim Trust Anchor Repository (ITAR), designed to help move DNSSEC deployment forward before the root zone was signed, is now being retired.  As of November 4, no new listings will be accepted. Existing listing are expected to be removed around November 18, and the entire service will stop in January 2011, ICANN announced.

Dozens of early DNSSEC-adopting top-level domain operators were able to use the ITAR to publish their trust anchor in absence of a signed DNS root zone. ICANN notes that the ITAR supported more than 100 such listing requests during its lifetime.