Category: DNSSEC

Fun Intro to DNSSEC Video From the Norid Team

As part of the signing of .NO with DNSSEC, the Norid team came out with a clever video explaining how DNSSEC works. Now, it’s all in Norwegian so I personally can’t understand any of the words… but you get the idea and the animation is well-done.  Kudos to the Norid team for creating the video:

If you’d like an English video explanation of DNSSEC, you can check out this one from the folks at Shinkuro a few years back:

And if you’d like to get started with DNSSEC yourself, please head on over to our Start Here page to find resources to help you begin!

Jim Galvin Writing About DNSSEC On CircleID

We’ve been very pleased to see Dr. Jim Galvin of Afilias writing a series of articles about DNSSEC over on Circle ID.  Jim has been a long-time friend and supporter of the Deploy360 Programme and has spoken multiple times at our ION conferences. (For example, he spoke at our recent ION Belfast event.)  Jim was also involved with the recent sponsorship of our ION conferences by Afilias.

Anyway, over at CircleID Jim started a series of articles about different aspects of DNSSEC. His articles thus far include:

The three articles provide a good overview of the current state of DNSSEC.  His third article, in particular, dives into an issue that has not been widely discussed – the potential 5-day waiting period during the transfer of a domain between registrars. As Jim notes:

In pre-DNSSEC days this technical issue would resolve itself relatively benignly. However, post-DNSSEC, if the domain name in question is DNSSEC signed, the failure of the domain name to DNS resolve (and hence, validate) results in a security incident. The previously benign “site not found” becomes a scary “you don’t want to go there” message, potentially damaging the credibility and brand of the domain name owner.

He goes on to note what needs to be done to address this issue and concludes:

The current business practices around this transfer policy require urgent coordination amongst registrars so that effective DNSSEC deployment can happen without an impact to the end-user or the domain name owner.

We agree that this is a concern when transferring domains and do hope to see this kind of coordination happening among registrars.

We also hope to see Jim continue writing detailed articles like these over on CircleID.  You can see his writing there on his author page at CircleID.

And if you’d like to learn more about DNSSEC, please visit our Start Here page to begin!

Norway’s .NO Passes 22,000 DNSSEC-signed Domains

It’s fun watching on Twitter as Norway’s .NO grows in the number of DNSSEC-signed second-level domains. Norid’s Unni Solås tweeted out today that they had passed 22,794 signed .NO domains – and also provided an explanation for this ongoing growth:

Congrats to the Norid team – it’s great to see the growth… you may recall that only a week ago we wrote about .NO crossing the 5,000 signed domain mark!  Quite a good increase in the space of only a week! Given that Norid’s main page states there are 650,211 .NO domains in total, this brings them to about 3.5% of all .NO domains being signed with DNSSEC.   Not a bad start for a newly signed domain.

Norid has also published its “DNSSEC Policy and Practice Statement (DPS)” that outlines their policies and procedures.  We’ve added that to our list of DPS documents that can be found at:

http://www.internetsociety.org/deploy360/resources/dnssec-practice-statements/

If you are with a top-level domain, or even with an enterprise seeking to sign your own domain(s), these DPS documents can be useful to understand the degree of security that some TLDs are undertaking.

Congrats again to the Norid team and we’ll look forward to seeing their continued growth!

P.S. If you want to sign your domain with DNSSEC or enable DNSSEC validation on your network, please visit our Start Here page to find resources aimed at your type of organization or role.

ICANN Seeking Volunteers For DNSSEC Root KSK Rollover Plan Design Team

Do you want to help ICANN plan the best way to roll the root key used for DNSSEC?  Are you interested in being considered as a volunteer member of ICANN’s Root KSK Rollover Plan Design Team?  Recently ICANN staff sent a message to the public dnssec-coord mailing list and various other mailing lists asking for volunteers.  The “Solicitation of Statement of Interest for Membership in the Root Zone Key Signing Key Rollover Plan Design Team” (say that 10 times fast!) begins:

ICANN, as the IANA functions operator, in cooperation with Verisign as the Root Zone Maintainer and the National Telecommunications Information Administration (NTIA) as the Root Zone Administrator, together known as the Root Zone Management (RZM) partners, seek to develop a plan for rolling the root zone keysigning key (KSK). The KSK is used to sign the root zone zone-signing key (ZSK), which in turn is used to DNSSEC-sign the Internet’s root zone. The Root Zone Partners are soliciting five to seven volunteers from the community to participate in a Design Team to develop the Root Zone KSK Rollover Plan (“The Plan”). These volunteers along with the RZM partners will form the Design Team to develop The Plan.

The document goes on to list the requirements and the process.  Essentially, if you meet the requirements you need to send a message with the requested information to ksk-rollover-soi@icann.org by the end of the day on Friday, January 16, 2015.  The Root Zone Management partners will then choose from among the applicants to form the Design Team.

We’ve written here before about how incredibly important it is to get the Root KSK Rollover right, and so we commend ICANN for going through this process to create an appropriate Design Team.  We would encourage people with operational knowledge of DNSSEC and DNS in general to definitely read over the document and consider applying!

P.S. And if you don’t know about DNSSEC, or want more information, please visit our Start Here page to find out how to begin!

BT Releases Results of 2014 DNSSEC Survey

BT Diamond IP just published the results of their 2014 DNSSEC survey and the report is available for all to download for free.  Back in October, I’d encouraged people to take the survey to help gain an understanding of DNSSEC deployment and BT’s Tim Rooney noted in his post about the survey that this year there was a high amount of participation by people who had already deployed DNSSEC:

Clearly this year’s survey attracted active deployers of DNSSEC, which contrasts sharply with the 2012 survey where less than 25 percent of respondents had already deployed or were actively deploying DNSSEC validation and signing.

In fact, the way I read his tables on page 4, over 60% of respondents had deployed DNSSEC and another 10% were in the process of doing so.  Not exactly representative of the overall industry! (Unfortunately)  Still, though, I think the report provides useful insight into DNSSEC deployment from the point of view of people who have deployed the technology.  (By the way, we did write about the 2012 report back when it came out.)

Tim also relays these highlights of the 2014 report:

  • Nearly all respondents agreed with the statement that DNSSEC can or does provide value to their organization and over 85 percent likewise agreed that DNSSEC technology is mature and can be reliably deployed.
  • Forty-seven percent of respondents agreed that deploying and maintaining DNSSEC is very complex, 12 of the 47 percent strongly. Only 22 percent disagreed. This is rather telling in that DNSSEC is not only considered complex to the uninitiated, but that experience shows this to be the case.
  • Nearly half of respondents disagreed with the statement that only external (Internet-facing) zones need be signed, while 28 percent agreed with the statement. This majority position debunks the theory that internal name spaces are of little concern when it comes to DNSSEC.
  • Only 20 percent of respondents agreed that dedicated hardware security module (HSM) appliances or cards are required to store private keys.
  • Over 75 percent of respondents assign their DNS groups as responsible for DNSSEC implementation and management, sometimes alone or often in conjunction with other groups. It’s interesting to note that about 25 percent of respondents do not involve the DNS group in the process!
  • As an industry, simplifying the deployment process to reduce complexity and therefore costs to some degree could help spur further DNSSEC deployments.

I’ll definitely agree with his last point about reducing complexity and that’s something that I know we and others within the industry continue to champion … any way that we can add more automation or make the user experience simpler will go far to help advance DNSSEC deployment.

I found a number of the other charts quite interesting such as the reasons for NOT deploying DNSSEC as well as those about what software was being used.  All in all I think the report is a useful contribution to the ongoing discussions around DNSSEC.  I’d like to see more of these type of surveys so that we can continue to build out a picture of DNSSEC deployment as well as the challenges that need to be addressed.

Thanks to Tim Rooney and the others at BT Diamond IP for compiling this survey!


Indonesia And Vanuatu Sign .ID and .VU With DNSSEC

We were very pleased to learn this morning that both Indonesia’s .ID and Vanuatu’s .VU country-code top-level domains (ccTLDs) had DS records uploaded to the root zone of DNS over the weekend.  What this means is that they have both entered the fourth of five deployment stages that we track as part of the DNSSEC Deployment Maps.

At some point soon, people who have registered domains under .ID and .VU should be able to upload their own DNSSEC records and be able to obtain the higher level of security and trust that comes with having their domain signed with DNSSEC.  We don’t yet know when the registries for .ID and .VU will start accepting DS records from registrants, but hopefully at some point soon.

Given that the records were entered into the root zone of DNS after I had finished updating the database on Friday for the DNSSEC Deployment Maps that were distributed this morning, I took the unusual step of re-generating the maps today after a quick database update.  Subscribers to the public dnssec-maps mailing list have all received a second set of maps for today.  Normally I might have just waited for next week but given Indonesia’s size it adds a nice bit of green to the Asia Pacific map and I wanted that to be shown.

With these two ccTLDs having their DS record in the root zone, this brings us to 97 of the 247 ccTLDs that we track in our database being signed with DNSSEC.  (There are also .EU and .SU, which we consider more “regional” TLDs (and which are both signed), but which other lists count as ccTLDs, so you could say that we show 99 of 249 being signed.)  Given that most of the generic TLDs are signed and all the new gTLDs MUST be signed when they launch, the remaining 150 unsigned ccTLDs are the major area where attention will be focused in the near term in terms of getting TLDs signed.  ICANN’s DNS team is spending a good bit of time traveling to many of these countries to help them get their ccTLDs signed and operational.

Congratulations to the teams at .ID and .VU for getting their domains signed and linked into the DNSSEC global “chain of trust”.  We look forward to learning that those two ccTLDs have become “Operational” and that second-level domains can begin uploading DNSSEC records soon.
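To make that chain of trust concrete, here is a toy model written for this post (it is not Norid’s, ICANN’s or any DNS software’s code): a KSK signs each zone’s DNSKEY set, a ZSK signs the rest of the zone, a DS record in the parent carries a digest of the child’s KSK, and a validator walks down from a trust anchor, so a TLD with no DS in the root is simply unvalidated, a stale DS after a key change fails hard (the registrar-transfer problem Jim Galvin describes above), and a root KSK roll has to be matched by a trust-anchor update. It assumes Ed25519 and a simplified SHA-256 digest in place of the real RRSIG and DS wire formats, and the names `Zone`, `Delegate`, `RollKSK` and `Validate` are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed toy model of the DNSSEC chain of trust (not DNS wire format). The KSK signs
// the DNSKEY set, the ZSK signs the zone's other records, including each signed child's DS.
type Zone struct {
	Name             string
	KSKPub, ZSKPub   ed25519.PublicKey
	kskPriv, zskPriv ed25519.PrivateKey
	DNSKeySig        []byte              // KSK signature over the DNSKEY set
	DS               map[string][32]byte // child name -> digest of the child's KSK
	DSSig            map[string][]byte   // ZSK signature over each DS record
}
func (z *Zone) dnskeySet() []byte { return append(append([]byte(z.Name), z.KSKPub...), z.ZSKPub...) }
// DSDigest models a DS record digest: SHA-256 over owner name and KSK (simplified).
func (z *Zone) DSDigest() [32]byte { return sha256.Sum256(append([]byte(z.Name), z.KSKPub...)) }

func NewZone(name string) *Zone {
	z := &Zone{Name: name, DS: map[string][32]byte{}, DSSig: map[string][]byte{}}
	z.ZSKPub, z.zskPriv, _ = ed25519.GenerateKey(rand.Reader)
	z.RollKSK() // generates the first KSK and signs the DNSKEY set
	return z
}
// RollKSK replaces the KSK and re-signs the DNSKEY set; for the root, trust anchors must follow.
func (z *Zone) RollKSK() {
	z.KSKPub, z.kskPriv, _ = ed25519.GenerateKey(rand.Reader)
	z.DNSKeySig = ed25519.Sign(z.kskPriv, z.dnskeySet())
}
// Delegate publishes a DS record for child in parent p, signed by p's ZSK.
func (p *Zone) Delegate(child *Zone) {
	d := child.DSDigest()
	p.DS[child.Name] = d
	p.DSSig[child.Name] = ed25519.Sign(p.zskPriv, append([]byte(child.Name), d[:]...))
}

// Validate walks from a trust anchor (digest of the root KSK) down the chain.
func Validate(anchor [32]byte, chain []*Zone) bool {
	for i, z := range chain {
		ok := z.DSDigest() == anchor && ed25519.Verify(z.KSKPub, z.dnskeySet(), z.DNSKeySig)
		if !ok || i+1 == len(chain) {
			return ok
		}
		next := chain[i+1].Name
		anchor = z.DS[next] // zero digest and nil signature if no DS was published
		if !ed25519.Verify(z.ZSKPub, append([]byte(next), anchor[:]...), z.DSSig[next]) {
			return false
		}
	}
	return false // empty chain
}
```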

Note – if you would like to learn more about how you can get started with DNSSEC, please visit our Start Here page to find resources tailored to your role or type of organization.

Congrats To Norway’s .NO On Over 5,000 DNSSEC-Signed Domains!

Congratulations to the Norid team on going live with DNSSEC for the .NO country-code top-level domain (ccTLD) this week!  You may recall we wrote about .NO being signed in the root zone of DNS back on November 18 (and the cake they baked to celebrate!), but this week’s news now moves them to the fully “Operational” status in our DNSSEC deployment maps.

As they note on their page about the news, the .NO registry started accepting DNSSEC records from .NO domain registrants on Tuesday, December 9th.  They also indicated that they had 16 registrars (and now today I count 17).

Even better… after the first day, Norid’s Unni Solås reported on Twitter that they had passed 3,000 signed .NO domains:

and on the second day they were over 5,300:

Presumably two days later they will have even more DNSSEC-signed domains!

By the way, the Norid folks have a great DNSSEC project description (in English) that walks through the different stages of their deployment.  This could be very useful for any other ccTLDs looking to deploy DNSSEC.

Anyway… great work by the Norid team and others there in Norway – and we’re looking forward to hearing more about DNSSEC in Norway.

P.S. If you want to sign your domain with DNSSEC or enable DNSSEC validation on your network, please visit our Start Here page to find resources aimed at your type of organization or role.

DANE Interim Meeting on Dec 2 Focused on Email and S/MIME

For those of you interested in tracking the evolution of the DANE protocol to add a DNSSEC-secured layer of trust to TLS certificates, the DANE Working Group within the IETF recently held an “Interim Virtual Meeting” via conference call on December 2, 2014, where the focus was all around using DANE for securing email using S/MIME.  The minutes for the meeting can be found at:

The two primary drafts that were discussed were:

I was not able to attend myself but the minutes do provide a view into what occurred during the session.   There has also been further discussion on the DANE mailing list (to which anyone is welcome to subscribe).

What continues to be fascinating is how much interest there is in using DANE for better securing email communication, and this session was for those looking to use DANE for email systems using S/MIME.  It will be interesting to see where this goes over the next months.  At IETF 91 in November Eric Osterweil from Verisign demonstrated a version of Thunderbird that supported this usage of DANE.  He said they were looking at making that available publicly and that could certainly be of interest to many.

If you want to learn more about DANE, please visit our DANE page – and if you’d like to get started with DNSSEC please visit our Start Here page to find resources to help you begin.

Congratulations To .NL For Passing 2 Million DNSSEC-Signed Domains

Congratulations to the team at SIDN and all the .NL registrars and DNS hosting providers for the fact that there are now 2 million .NL domain names secured by DNSSEC!  Yesterday as the SIDN team apparently became aware that a large registrar/DNS hosting provider was going to be signing .NL domain names, Kees Monshouwer set up a website that showed an ongoing countdown to when they projected passing the 2 million DNSSEC-signed domain mark.  If you go there now, of course, you see that they’ve passed 2 million domains:


But yesterday the countdown was underway:


It was fun to watch yesterday from time to time… and a definite congratulations to the teams at all the various organizations.

As the news announcement from SIDN (in Dutch) explains, this represents over 36% of the 5.5 million .NL domains now secured with DNSSEC!  The announcement also explains a bit about how this was accomplished.  SIDN, the operator of the .NL registry, offered a financial incentive where .NL domain names are less expensive if they are signed with DNSSEC.  Given that incentive, a number of large registrars who also do DNS hosting set up their DNS systems to do bulk signing of the .NL domain names.  The end result is that their customers are now getting the added security of DNSSEC without the customers needing to do anything more.

This model may or may not work for other top-level domain (TLD) registries, but it certainly has worked well for .NL.  The tweets were fun to see today – among them:

and

Congrats again… and if YOU want to get started with signing your domain (from whatever TLD), please take a look at our Start Here page to find resources available to you!


Attending ICANN 52 In Singapore? Why Not Speak About DNSSEC or DANE?

Time is running out!  We have already received several excellent proposals for the ICANN 52 DNSSEC Workshop to be held on Wednesday, February 11, 2015 at ICANN 52 in Singapore and only have room for a few more presentations!  If you work with DNSSEC or DANE and will be at ICANN 52, we would encourage you to submit a proposal for consideration for the 6+ hour DNSSEC Workshop to be held on the Wednesday of the ICANN week.

All you need to do right now is send a short (1-2 sentences) proposal to dnssec-singapore@isoc.org expressing your interest and saying what you would like to talk about.

We published the full Call for Participation here that gives many suggestions for the type of topics we’d like to include.  Looking at the agenda for the recent ICANN 51 DNSSEC Workshop in L.A. may also help give you ideas.

Please let us know soon if you are interested in being considered for the program!

Thank you!