Archive for January, 2011

Reflecting on the 25th anniversary this week of the Internet Engineering Task Force (IETF), chair Russ Housely pointed to DNSSEC and IPv6 as two standards that represent the group’s strength in anticipating needed standards. He told Computerworld:

Sometimes the IETF sees a need before the marketplace is ready to embrace it. This leads to the standards being in place before the service providers are ready to deploy. DNSSEC and IPv6 are two examples. So working on global deployment of these completed protocols to offer new capabilities is one challenge. Yet the capabilities offered by these protocols is necessary for the continued growth of the Internet as a trusted platform for communications and innovation used by billions of people around the world.<!—->

Responding to a presentation by Dan Bernstein in which “much of his representation of DNSSEC — and his own replacement, DNSCurve — was plainly inaccurate,” security research Dan Kaminsky offered a thorough tutorial about DNSSEC that addressed some of the interpretations and in the Bernstein presentation.

Kaminsky notes that the Bernstein presentation is  “actually a pretty good summary of a lot of latent assumptions that have been swirling around DNSSEC for years — assumptions, by the way, that have been held as much by defenders as detractors.”

DNSSEC’s Problem With Key Rotation Has Been Automated Away
DNSSEC Is Not Necessarily An Offline Signer — In Fact, It Works Better Online!
DNS Leaks Names Even Without NSEC3 Hashes
NSEC3 “White Lies” Entirely Eliminate The NSEC3 Leaking Problem
DNSSEC Amplification is not a DNSSEC bug, but an already existing DNS, UDP, and IP Bug
DNSSEC Does In Fact Offer End To End Resolver Validation — Today
DNSSEC Bootstraps Key Material For Protocols That Desperately Need It — Today
Curve25519 Is Actually Pretty Cool
Limitations of Curve25519
DNSCurve Destroys The Caching Layer.  This Matters.
DNSCurve requires the TLDs to use online signing
DNSCurve increases query latency
DNSCurve Also Can’t Sign For Its Delegations
What About CurveCP?
HTTPS Has 99 Problems But Speed Ain’t One
There Is No “On Switch” For HTTPS
HTTPS Certificate Management Is Still A Problem!
The Biggest Problem:  Zooko’s Triangle
The Bottom Line:  It Really Is All About Key Management

VeriSign announced this week that Arbor Networks, Infoblox and RioRey have completed testing their technology solutions in the VeriSign DNSSEC  Interoperability Lab, which evaluates “how equipment will interoperate in a DNSSEC-enabled environment.”  A10 Networks, BlueCat Networks, Brocade, Cisco Systems and Juniper Networks also have tested their solutions in the lab.

The company also announced it is introducing a new iPhone app, DNSSEC Analyzer, described as a “mobile tool that can assist in diagnosing problems with DNSSEC-signed names and zones. The application will allow a quick diagnosis of any domain name, allowing knowledgeable users to view debugging information and receive useful tips on how to remediate any problems that are discovered.”

VeriSign is expected to complete DNSSEC deployment in .com by the end of the first quarter of this year.  Go here to find more on its efforts to assist DNSSEC deployment.

Japan Registry Services (JPRS) announced January 16 that it has deployed DNSSEC in the .jp country-code top-level domain. The announcement outlined the registry’s deployment process:

JPRS considers that DNSSEC can effectively prevent the security threats caused by bogus DNS responses. Based on this understanding, it has introduced the specifications in Japan and performed testbeds and demonstrations in cooperation with the DNS operators at home and abroad with an aim to deploy DNSSEC. On October 17, 2010, JPRS started signing the JP zone and registered the key information (DS resource record) of the JP zone in the root on December 10, 2010. After confirming that the JP zone was properly validated by the root zone key as a trust point, and that existing DNS infrastructures were not adversely affected, JPRS has completed the deployment of DNSSEC in the JP domain name service this time.

Founder and president of the nonprofit Internet Systems Consortium (ISC) Paul Vixie will now be chairman and chief scientist of the company, with Barry Greene succeeding him as president. In making the announcement, Vixie cited the importance of deploying DNSSEC:

There are two huge technical crises arising simultaneously. The Internet is running out of address space and at the same time the level of criminal activity is increasing sharply. It’s the perfect storm. We need to deploy IPv6 and DNSSEC more or less simultaneously, and we need to develop and deploy, quickly, new technologies and new methodologies to measure and understand what is happening out there. I need to turn my full attention to these pressing and difficult problems…

PowerDNS now offers PowerDNSSEC, an online signing tool that is ready for trial in test zones.  Bert Hubert of Netherlabs Computer Consulting BV notes that “PowerDNS is carrier-grade supported open source. We expect our DNSSEC implementation to be suitable for deployment soonish. PowerDNSSEC will allow you to continue operating as normal in many cases, with only slight  changes to your installation. There is no need to run signing tools, nor is there a need to rotate keys or run scripts.”

• NSEC
• NSEC3 in ordered mode (pre-hashed records)
• NSEC3 in narrow mode (unmodified records)
• (as discussed here earlier in the week)
• Being a ‘signing-slave’ for legacy hidden master
• Zone transfers (for NSEC)
• Import of ‘standard’ private keys from BIND/NSD
• Export of ‘standard’ private keys
• RSASHA1
• “Pure” PostgreSQL, SQLite3 & MySQL operations
• Hybrid BIND/PostgreSQL/SQLite3/MySQL operation

You can access documentation for PowerDNSSEC and  use a wiki to learn more about PowerDNSSEC configuration, help and known issues.