Archive for January, 2012

DNSSEC at the client

As more TLDs are signed and more ISPs provide validation, a greater focus is being placed on DNSSEC at the client. Client activities include DNSSEC-aware applications, DNSSEC-aware resolution libraries, and validating local resolvers for times when either the ISP doesn’t provide DNSSEC validation or the last mile between the ISP’s resolver and the client can’t be trusted.

The Internet Society’s Deploy360 Programme has recently put up a list of developer libraries and is soliciting additional input from the community on other libraries.

Members of the DNSSEC Deployment Initiative have been using NLnet Labs’ Dnssec-Trigger on Mac and Windows systems to provide local DNSSEC validation.

Comcast knows when your DNSSEC is bad or good…

so be good for goodness sake.

As reported on the DNSSEC-deployment mailing list (subscribe here), Comcast is analyzing the major DNSSEC failures they’re seeing and publishing the results for the benefit of the community.

The first such failure to be analyzed, involving NASA.gov, occurred on the 18th, coincident with the web-wide protests against SOPA and PIPA. The report (770KB PDF) was published on Comcast’s DNSSEC Information Center.

As an early adopter of DNSSEC, we remain committed to helping other implementers learn from our experiences.

More than just standards

The Internet Society Deploy360 Programme is a new initiative that provides real-world IPv6, DNSSEC, etc. deployment information. Deploy360 aims to bridge the gap between the IETF standards process and final adoption of those standards by the global operations community. Deploy360 creates and promotes resources that are easy to understand and quickly actionable by the very IT professionals responsible for the implementation of new technologies and standards like IPv6 and DNSSEC.

Check out the Internet Society’s Deploy360 Programme and its DNSSEC content.

Online protests against SOPA and PIPA

The Internet is on strike.  Among the many web sites making their position known, Wikipedia’s English language site is offline (or, hard to get to):

Google has censored their name on their home page and in search results:

All this is in protest to the United States’ proposed Stop Online Piracy and Protect IP Acts.  Outside of the battle of free speech versus intellectual property and the potential chilling effects of these bills, the technical enforcement methods in these bills include monkeying with DNS in a way that breaks DNSSEC.

We’ve reported on the issue before, here and here.  On Saturday, the White House showed that they understand:

We must avoid creating new cybersecurity risks or disrupting the underlying architecture of the Internet. Proposed laws must not tamper with the technical architecture of the Internet through manipulation of the Domain Name System (DNS), a foundation of Internet security. Our analysis of the DNS filtering provisions in some proposed legislation suggests that they pose a real risk to cybersecurity and yet leave contraband goods and services accessible online. We must avoid legislation that drives users to dangerous, unreliable DNS servers and puts next-generation security policies, such as the deployment of DNSSEC, at risk.

New gTLDs will support DNSSEC from the start

Today is the first day ICANN is accepting applications for new generic top-level domains (gTLDs). The Applicant Guidebook makes it clear that all new gTLDs must support DNSSEC from the start. While the expansion of the TLD name space has been somewhat controversial, ensuring support for DNSSEC going forward has not been.

Steve Crocker, chairman of the board of ICANN, said:

The Board and the staff at ICANN have fully understood the importance of DNSSEC.  ICANN signed the root in 2010 and has advocated all top level domains be signed.  It is only natural that DNSSEC be required from the beginning for all new generic top level domains.

DNSSEC at FOSE 2012

The DNSSEC Deployment Initiative in conjunction with FOSE will be putting on the workshop, Making DNSSEC the Trust Infrastructure: Where Domain Name Security is Headed, at FOSE 2012 (Washington, DC, April 3-5, 2012).

Registration is now open.  The $45 FREE (registration required), 10:00 AM – 4:00 PM workshop on April 3rd, which is aimed at DNSSEC in the US Federal Government, includes these objectives:

  • Understand where U.S. Federal DNSSEC deployments stand, and the impact of reductions in Federal data centers and domain names on .gov deployment;
  • Learn about new DNSSEC-aware apps that can help speed or ease deployment; and
  • Learn where DNSSEC will lead Federal and worldwide Internet security next, in the face of large-scale domain-name attacks and other challenges.

Comcast Completes DNSSEC Deployment

We’ve reached another milestone in the deployment of DNSSEC.  Jason Livingood from Comcast writes:

I am pleased to announce that Comcast, the largest ISP in the U.S., is the first large ISP in North America to have fully implemented Domain Name System Security Extensions (DNSSEC). As part of our ongoing efforts to protect our customers, DNSSEC is now automatically included as part of Comcast Constant Guard™ from Xfinity.

Read more on the Comcast Blog.
