Category: DNSSEC

BT Releases Survey Results on DNSSEC Deployment

Yesterday BT’s Diamond IP group released their first DNSSEC Industry Survey Results, based on a survey of 120 participants from around the world in October 2012.  The key findings they report in the executive summary include:

  • Only 13 per cent of respondents have deployed DNSSEC signed zones in production and another five per cent are in the process of deployment. Even fewer have configured their caching recursive servers for DNSSEC validation with eight per cent having production deployments and another nine per cent progressing in deployment.
  • Despite modest deployments, nearly two-thirds of respondents agree or strongly agree that DNSSEC can provide organizational benefits and that DNSSEC technology is mature enough to deploy reliably. On the other hand, over half of respondents agreed that DNSSEC provides limited value until more validating resolvers are deployed, highlighting the “chicken and the egg” challenge for DNSSEC deployment.
  • Respondents generally agreed but were a bit unsure about supplementing DNSSEC deployments with hardware security modules (HSMs) with nearly half being neutral and over a third agreeing.
  • Leading obstacles to DNSSEC deployment were complexity of deployment and the inability to demonstrate a strong business case. Training issues and complexity of ongoing DNSSEC management caused concern as well.
  • Because DNSSEC requires knowledge of both DNS and cryptography to some degree, education and training programs may help improve industry awareness of the operation, benefits, and administrative requirements for deploying and maintaining DNSSEC secured resolution.

Almost all of this is in line with what we’ve seen in our own research, and in fact the latter two points were precisely why we created the Deploy360 Programme: to get that kind of deployment information and education more widely known so that we can get DNSSEC more widely deployed.

I was particularly interested in the results on page 5 that asked about the value of DNSSEC.  Some of the answers were interesting – and also point to areas in which we as an industry need to provide better information to help people understand the value.  The “Top obstacles to DNSSEC deployment” chart on page 6 also agreed quite well with what we’ve heard from others.

One interesting question I’d not seen asked on other surveys about DNSSEC was about who would be responsible for the company’s DNSSEC implementation (page 8), with an interesting split between the “DNS” and “security” groups, highlighting an additional internal management challenge that may come with deploying DNSSEC.

The division makes a good bit of sense in that DNSSEC is something that you could see being in the area of responsibility of either of those groups, depending upon whether the company/organization views it as primarily a DNS issue or a security issue.

There were a number of other interesting charts as well as a section at the end with the demographics behind the survey.

With any survey like this, you do have to consider the source and BT Diamond IP is a vendor of products related to DNS, DNSSEC and IPAM.  Having said that, though, the results are in line with what we’ve seen in other surveys and are a welcome contribution to the ongoing discussion around DNSSEC deployment.  I’d love to see more of these type of surveys coming out with data from other demographics, regions, etc.

Thanks to BT Diamond IP for doing this research and also for making it publicly available without requiring a registration form for access.


Slides – Comcast’s Lessons Learned In Implementing DNSSEC

What lessons did Comcast learn in rolling out DNSSEC validation to their 18 million subscribers in the US?  Did they have to make any changes to their network?  What happened as they scaled up their deployment?

These were some of the many questions addressed by Comcast’s Chris Griffiths at the ICANN 45 DNSSEC Deployment Workshop on October 17, 2012, in his presentation titled, “DNSSEC Activities in North America: Comcast“.

Chris outlined how Comcast began working with DNSSEC and where it is today, but more importantly he highlighted questions that network operators need to be thinking about and discussed some of the issues they have seen.  He also mentioned Comcast’s site at http://dns.comcast.net/ where they are now listing sites that are experiencing DNSSEC problems.

Comcast DNSSEC presentation

At the end, Chris highlighted some of the challenges they still see, such as dealing effectively with load balancers and content distribution networks, as well as solving the upload of DS records to many different registrars.

The slides are well worth reviewing and if you want to hear Chris’ presentation, the audio recording of the entire day is available from ICANN’s website (you’ll just need to jump ahead to Chris’ section).

We definitely appreciate that not only is Comcast deploying DNSSEC, but they are also having people like Chris go out and speak at technical forums about what they have done.  Sure, it’s good publicity for them, but the information that they have learned is immensely valuable to share as a case study, and will only help expand the deployment of DNSSEC.

Now, we just need to see more network operators giving case study presentations like this! :-)

Slides – Adding DNSSEC to Fedora and Red Hat Linux

What is the status of DNSSEC being added to Fedora and Red Hat Linux?  What changes have already been made?  What changes will occur in the future?  What tools are available to help?

At the recent ICANN45 DNSSEC Deployment Workshop, Paul Wouters from Red Hat spoke about integrating DNSSEC into Linux. Paul’s slides are available for download and a video of the entire workshop is available from the main page.

Paul Wouters presentation on DNSSEC in Linux

In the presentation, Paul talks about the difference between Fedora and Red Hat Linux and then dives into what needed to be modified to support DNSSEC. He provides some insight into their experiences using DNSSEC in different configurations and with different tools.

Paul also spoke about support for the DANE protocol to use DNSSEC to validate SSL/TLS certificates and in particular his TLSA Validator add-on for the Firefox browser and his “hash-slinger” tool that generates TLSA records.  Both tools are available at his site at:

http://people.redhat.com/pwouters/

It was a great presentation to hear, and Paul is very active within the DNSSEC community working on tools such as these to help get DNSSEC further deployed. It is well worth some time checking out his tools.

DNSSEC Workshop at Japan’s Internet Week 2012 on Wednesday, Nov 21, 2012

Are you attending Japan’s Internet Week 2012 in Tokyo this week? And do you want to learn about how DNSSEC makes DNS and the Internet more secure?

If so, there will be a DNSSEC workshop/tutorial tomorrow, November 21, 2012, from 9:15 to 11:45 in Akiba Hall.  More information can be found at:

https://internetweek.jp/program/t9/

As I am not able to read Japanese, I am relying on Google Chrome’s translation but what I see there sounds like quite an interesting session with multiple case studies.

It’s great to see DNSSEC conference sessions happening in Japan and we look forward to seeing the growth of more signed domains and validating resolvers within Japan!


Got A DNSSEC Project That Needs Funding? Apply to NLnet Foundation Before Dec 1

Do you have an open source project (or the idea for one) related to DNSSEC that needs funding? Perhaps a new tool that will make it easier to use DNSSEC?  Or perhaps new software that supports the DANE protocol to increase the security of TLS/SSL? A browser plugin?  A program that makes it easier for registrars to pass DS records?  A measurement tool for DNSSEC usage?

Or do you want to add DNSSEC capabilities to an existing program, like the Jitsi team did when they added DNSSEC validation to VoIP?  Would you like to build DNSSEC validation into your tool or service?  Would you like to add DANE support to your browser or other tool?  Would you like to add DANE support to another service beyond the web?  Do you have a use case where DNSSEC-signed TLS/SSL certificates would greatly add another level of security?

If you have any ideas along these lines, the NLnet Foundation is funding projects through their “DNS Security Fund” and THE NEXT APPLICATION DEADLINE IS DECEMBER 1, 2012 at 12:00 Central European Time (CET).  You can read more and find out how to apply at:

http://www.nlnet.nl/dnssec/

That page lists at the bottom some of the many projects that the NLnet Foundation has funded.  Their most recent “Open call for funding” gets into more details.  There is one very important note:

There is one important condition which is that any software or hardware that a project produces must be available under a valid open source licence (GPL, BSD, Apache, etc.).

As long as you are fine with that, you may be able to get some level of funding through NLnet Foundation.

We’re definitely appreciative of all the great work that the NLnet Foundation has funded to date. Tools like Unbound, DNSSEC-Trigger and the multiple DNSSEC developer libraries they have supported have made it so much easier to get DNSSEC deployed.

Now it’s your turn – what can you develop to help get DNSSEC more widely deployed?    If you’ve got an idea, the NLnet Foundation may be able to help… apply before December 1 to see if they can!

P.S. Note also that if you can’t apply before December 1, the NLnet Foundation accepts proposals six times a year, with deadlines of February 1, April 1, June 1, August 1, October 1, December 1.

New Release 1.14 of DNSSEC-Tools – Get It Now!

Recently at the ICANN 45 DNSSEC Deployment Workshop, we learned that the great folks over at the DNSSEC-Tools project had just released a new version of their package of DNSSEC-related tools.  The new version 1.14 is available in several forms from:

http://www.dnssec-tools.org/download/

Some of the changes include:

  • dnssec-nodes – many new features and graphing capabilities
  • libval – support for the TLSA record needed for the DANE protocol
  • dnssec-check – increased stability

As an advocate for the powerful capabilities of DANE, I’m particularly pleased to see support added for TLSA records.

You can find out more information on the main dnssec-tools.org web page.

I know from speaking with Sparta’s Russ Mundy at the ICANN 45 workshop that he and the others involved with the DNSSEC-Tools project are definitely looking for user feedback – and also looking to understand what other DNSSEC-related tools people might find useful.  Please do give this new release a try and let the team there know how it works for you.

Excellent whitepaper/tutorial from SURFnet on deploying DNSSEC-validating DNS servers

How do you get started with deploying DNSSEC-validating DNS servers on your network?  What kind of planning should you undertake?  What are the steps you need to go through?

The team over at SURFnet in the Netherlands recently released an excellent whitepaper that goes into the importance of setting up DNSSEC validation, the requirements for using validation, the planning process you should use, etc.

As we note on our resource page about the whitepaper, the document then walks through the specific steps for setting up DNSSEC validation in three of the common DNS resolvers:

  • BIND 9.x
  • Unbound
  • Microsoft Windows Server 2012

For us to get DNSSEC widely available we need to have DNS resolvers on networks performing the actual validation of DNS queries using DNSSEC.  This guide is a great way to get started.

Have you enabled DNSSEC validation on your network?

Deploying DNSSEC: Validation on recursive caching name servers

Why should you deploy DNSSEC-validating DNS resolvers on your network?  What kind of planning should you do to prepare? What steps do you need to do?

The team at SURFnet has published a whitepaper titled “Deploying DNSSEC: Validation on recursive caching name servers” (PDF) that answers these specific questions and much more.  The document covers:

  • Cost and benefits of deploying DNSSEC
  • DNS architecture
  • Requirements before deployment
  • Planning your deployment
  • Operational requirements and practices

The document then gets into specific step-by-step instructions for three of the most common DNS resolvers:

  • BIND 9.x
  • Unbound
  • Microsoft Windows Server 2012

For people looking to deploy DNSSEC-validation within their network, this guide provides an excellent way to get started.
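To illustrate what the two SURFnet posts above describe for BIND 9.x and Unbound, here is an added example (not taken from the whitepaper or from either project) showing a resolver configuration that does no validation beside one that validates with the IANA root trust anchor, followed by a quick check. The trust-anchor file path and the resolver address 192.0.2.53 are assumptions; dnssec-failed.org is a publicly operated deliberately broken test zone.

```conf
## BIND 9.x, named.conf "options" block
## WEAK: answers are passed through with no RRSIG checks at all
options {
    dnssec-validation no;
};

## CORRECTED: validate using the built-in root key, kept current
## automatically via RFC 5011 (dnssec-enable is the default on 2012-era 9.x)
options {
    dnssec-enable yes;
    dnssec-validation auto;
};

## Unbound, unbound.conf
## WEAK: no trust anchor configured, so nothing can be validated
server:
    interface: 0.0.0.0

## CORRECTED: bootstrap the root key once with
##   unbound-anchor -a /var/lib/unbound/root.key    (path is an assumption)
## then let Unbound maintain it via RFC 5011
server:
    interface: 0.0.0.0
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

## Verifying that validation is really happening (run from any client):
##   dig @192.0.2.53 +dnssec internetsociety.org A
##     -> the "flags:" line must include "ad" (Authenticated Data)
##   dig @192.0.2.53 www.dnssec-failed.org A
##     -> status must be SERVFAIL, because the zone is deliberately broken
##   dig @192.0.2.53 +cd www.dnssec-failed.org A
##     -> with Checking Disabled the same query returns an answer,
##        confirming it was the validator, not the network, that refused it
```

If the broken test zone resolves without the +cd flag, the resolver is forwarding to an upstream or has no trust anchor loaded, and clients are getting no protection from the deployment.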

DNSSEC Training: Men and Mice

Men & Mice has worked with the Internet Systems Consortium (ISC), authors and maintainers of the BIND DNS server, to provide training related to DNSSEC for several years at both conferences and in training centers all over the world. Their latest schedule of courses can be found at:

http://www.menandmice.com/training/

Men & Mice offers focused classes on DNSSEC and also includes DNSSEC as a component of other DNS-related classes. Men & Mice also provides IPv6 training classes.


The Internet Society Deploy360 Programme does not recommend or endorse any particular commercial providers of training. The information provided here is to assist people in finding training providers and is part of a larger effort to list all known providers of DNSSEC-related training. If you know of additional training providers we should include, please contact us.


In Moscow for ENOG 4 Oct 23 & 24? We’ll Be There Talking About DNSSEC

Will you be in Moscow this coming week (Oct 23-24, 2012) at the Eurasia Network Operators’ Group (ENOG) 4 meeting? If so, I (Dan York) will be there to speak about DNSSEC and how it applies to network operators. My talk, titled “DNSSEC – Why Network Operators Should Care And How To Accelerate Deployment”, has the description:

Why should network operators care about DNSSEC? What advantages and opportunities can it provide? What are the best first steps an ISP can do to support DNSSEC? What are the current best operational practices for DNSSEC?

In this presentation, Dan York of the Internet Society’s Deploy360 Programme will answer these questions, discuss some new DNSSEC-related technologies such as DANE and provide some key steps that can help accelerate DNSSEC deployment within networks.

I’m very much looking forward to the event and speaking with network operators to understand how we can help them get more DNSSEC-validating DNS resolvers deployed out there.  The ENOG 4 agenda is packed with good presentations so I’m looking forward to learning a good bit. Currently showing 451 attendees, too, so the opportunity is there to get some great feedback!

Thankfully, there will also be a simultaneous translation service during the sessions. I have been learning some Russian in preparation but so far only really have the very basic traveler survival phrases down. :-)

Should be a great event – if you are there, please do say hello!

P.S. I’m also pleased to be able to meet up with my Internet Society colleague Andrei Robachevsky as he is one of the organizers of the event (and is also fluent in Russian).