February 22, 2013 archive

Canada Joins The DNSSEC World – Sign Your .CA, Eh?

Congratulations to our friends up North in Canada for the DNSSEC signing of the .CA domain, joining the ever-growing list of top-level domains (TLDs) that are securing their DNS records with DNSSEC! As Jacques Latour of the Canadian Internet Registration Authority (CIRA) outlined in a CIRA blog post, they took some time to ensure their system was resilient:

We wanted to create a comprehensive DNSSEC validation process, so we took a different approach to sign .CA that takes into account several known DNSSEC-related issues that affect its operation. Our approach addresses these issues, and we believe we have developed a resilient solution that will result in high availability/no outages.

We created dual independent signing engines using Bind and OpenDNSSEC. There were a few challenges along the way. For example, Bind and OpenDNSSEC produce different, although valid signed zone files and both handle signing differently. These challenges, though, were worth overcoming. The end product will not only be an improved system for .CA, but we’re blazing a new trail here – the global Internet community will benefit from this work.

It’s great that CIRA went through this effort and we look forward to learning from them as they share more information about what they did.

Now, publishing the signed .CA zone is just the first step in enabling DNSSEC for .CA domains.  They still have some work to do before they can begin accepting DS records from registrars that support DNSSEC.  Their stated goal is to complete that work this year so that in 2014 they can begin accepting signed domains.

In the meantime, we’ve been told that people who can sign and host their .CA domains can contact CIRA at cira-dnssec@cira.ca to find out how to manually get their DS record into the .CA zone.

This is great work and we look forward to seeing more about DNSSEC and .CA over this year.  CIRA has published a DNSSEC page with information. Over on Dark Reading, David Schwartzberg also wrote about Canada joining the DNSSEC party.

Congrats, again, to Jacques Latour and the whole team at CIRA!

P.S. And yes, I did pick up the toy beaver in the photo from a .CA booth at a conference… having lived in Canada for 5 years I enjoy that the .CA team can have some fun with some of the Canadian stereotypes. :-)

SANS Seeking IPv6 Security Stories/Tools For “IPv6 Focus Month” In March

Got an IPv6 security problem you’d like to share? A solution to an IPv6 security problem that you want to tell others about? If so, the team behind the Internet Storm Center (ISC) would love to share your stories as part of the IPv6 Focus Month they are planning for March 2013. Johannes Ullrich of the SANS Technology Institute (the organization behind the ISC) wrote that they are seeking articles about:

  • a security problem you ran into with IPv6
  • a solution to a security problem (even better)
  • a tool that works really well (or not at all) with IPv6
  • a way to solve an IPv4 security problem by switching to IPv6

Articles – or just ideas – can be submitted via the ISC contact form or to handlers@sans.edu.

We applaud this initiative from SANS and we look forward to seeing what IPv6 security stories they highlight in March – and we may do what we can to further help spread the news about tools and services they promote.

If you’ve got an idea, please do send it in to the ISC team – it’s great to get more info about IPv6 security out there!