Archive for October, 2011

ICANN 42 has begun in Dakar, Senegal, running from October 23-28. DNSSEC deployment is featured on the program in two key sessions at the meeting:

• DNSSEC for Everybody–A Beginner’s Guide, taking place on Monday at 16:00, will cover the basic and core concepts of the domain name system and the chain of trust, as well as real-world examples of DNSSEC in action. Presenters include Roy Arends and Simon McCalla of Nominet; Norm Ritchie of ISC; and Russ Mundy of Cobham. An agenda and options for virtual participation are included at the link.
• DNSSEC Workshop, a half-day session beginning at 8:30 on Wednesday,  will look at DNSSEC deployment around the world; share best practices for deployment in ISPs; review top-level domain deployment updates; and discuss blocking and DNSSEC, DNSSEC in the wild, and the  long-term consequences of DNSSEC deployment and IPv6.  The panels will include speakers from AFTLD, Cobham, CZNIC, DENIC, Global Cyber Security Center, ICANN, IKS-JENA, ISC, .KE, .NA,  NIC.FR,  NSRC/TRSTECH and AfriNIC, PIR/Afilias, Shinkuro, .SN, and VeriSign. Presentations, an agenda and remote participation options are at the link.

In congressional testimony on the security implications of cloud computing,  John Curran, President and CEO of ARIN, the American Registry for Internet Numbers, noted the importance of DNSSEC and IPv6 in securing the cloud:

These new standards are quite important in protecting the global Internet from cybercrime, in that they insure that Internet users reach the actual web site that they intended to, and that their communication is protected in the process. When it comes to agency use of cloud computing services, these protections are equally important, since these services are reached over the public Internet.

Curran said it is “crucial” that the Federal Risk and Authorization Management Program or FedRAMP program “clearly and unambigously incorporates DNSSEC and IPv6.”  He testified before the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee of the House Homeland Security Committee,

NANOG, the North American Network Operators’ Group, convenes its 53rd meeting in Philadelphia beginning Sunday, October 9, followed by the 27th meeting of ARIN, the American Registry of Internet Numbers. DNSSEC-related sessions on the NANOG program include:

• A DNSSEC tutorial on Sunday, October 9, led by Verisign’s Matt Larson; and
• A tutorial titled “You can’t do that with nslookup: DNS(sec) troubleshooting,” led by Michael Sinatra of the University of California, Berkeley.

October and November bring more learning opportunities about DNSSEC, including these sessions:

• LACNIC, the Latin American and Caribbean Internet Addresses Registry, convenes LACNICXVI October 3-7 in Buenos Aires, with a DNSSEC tutorial earlier this week on October 3. NLNet Labs’ Olaf Kolkman, the workshop leader, has announced his goal that 2/3 of the workshop attendees turn on DNSSEC validation, and 1/3 sign their zone.
• The Internet Society’s Internet On conference in Buenos Aires October 5 includes a session on a new ISOC initiative to “create and promote resources that are easy to understand and quickly actionable by the very IT professionals responsible for the implementation of new technologies like IPv6 and DNSSEC.”
• Portugal’s .PT is sponsoring a cycle of fall workshops, including two on October 19 and November 18. The workshops are designed for professionals in the banking, public administration and judicial sectors.
• ICANN 42, taking place October 23-28 in Dakar, Senegal, is expected to include DNSSEC workshops; the workshop schedule has not yet been released.

A white paper issued by Cisco, “Preparing for DNSSEC: Best Practices, Recommendations, and Tips for Successful Implementation,” reviews best practices for implementing DNSSEC in a network infrastructure and includes configurations for Cisco software, platforms and devices. The step-by-step instructions, aimed at Cisco-using network administrators, also include insights from internal testing performed by Cisco Security Research & Operations, such as how different versions of Cisco products will affect validation. Authors John Stuppi  and Joseph Karpenko are members of the Applied Intelligence team in Cisco’s Security Research & Operations organization.

Mark Minasi’s Windows Networking Tech page reports on what he learned at Microsoft’s recent BUILD conference about Windows Server 8. He notes that DNSSEC “gets more useful” in this version:

….DNSSEC is an up-and-coming technology that many of you will want to implement on your networks, and you also know that while Microsoft implemented DNSSEC in Windows Server 2008 R2 and Windows 7, their implementation was a bit uneven.  You must sign your zone by taking it offline and running a few pretty long, ugly DNSCMD commands.  It can’t validate zones that use the March 2008 RFC that introduces NSEC3, an inn0vation that most important zones are using.

With W8S, that changes.  Its new DNS does NSEC3 and can be configured to automatically sign your zones as they change.  Haven’t had time to try it out but it sounds pretty good.