Category: DNSSEC

DNSSEC Policy & Practice Statements (DPS)

Are you responsible for signing your domain with DNSSEC and are looking to understand more of what may be involved?  Are you perhaps with a registry or top-level domain (TLD) operator looking to implement DNSSEC across your country-code TLD (ccTLD) or new generic TLD (gTLD)? Or are you with an enterprise seeking to understand the legal and security policies you should have in place if you are signing your own domains?

If so, a great place to start is with the idea of a “DNSSEC Practice Statement” or “DPS.”  A DPS is a document that simply lays out the policies and procedures related to DNSSEC that an organization chooses to implement.  It may be very short and simple – or very long and complex.  The idea is that a DPS can give other people an understanding of how much they can trust your DNSSEC signing.  For someone new to DNSSEC, looking at existing DPS documents can also provide a clear checklist of what you should be thinking about during your implementation.

The best way to get started may be to look at an Internet-Draft titled “A Framework for DNSSEC Policies and DNSSEC Practice Statements”:

http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-dps-framework

This document explains the rationale for a DPS and provides a framework for creating your own.

Alternatively, you may just want to dive into the list of DPS documents below to get an understanding of what these documents are like.  The .SE DPS may be a good place to start, primarily because the .SE team are very involved with the Internet-Draft framework document referenced above.

If you prefer to learn from a video, we have included at the end of this page a 15-minute video from training given by the OpenDNSSEC project in April 2010 where Anne-Marie Eklund-Löwinder from .SE explains the value of a DPS and the components that should be included.

A few notes about the lists below:

  • The lists contain the gTLDs, ccTLDs and RIRs for whom we can find formal DPS documents. Some of the gTLDs, ccTLDs and RIRs who do use DNSSEC are not listed because their domains/zones were signed very early in the DNSSEC rollout before the DPS framework started to become widely used. They may have other DNSSEC deployment information on their sites, but not in the form of a formal DPS.
  • The root of DNS also has multiple DPS documents but they are not explicitly listed below as the root zone is a special case with special precautions. You may find the documents to be an interesting read, though.
  • You will note in the list below that the DPS documents have several different names, but newer documents seem to be standardizing on “DNSSEC Practice Statement.”
  • These lists will continue to be updated as more DPS documents become available. Expect to see them continue to grow as more TLDs sign their domains.

If you are aware of a DPS document we should include, please let us know.


Generic Top-Level Domains (gTLDs):


Country-code Top-Level Domains (ccTLDs):


Regional Internet Registries (responsible for reverse DNS delegations, i.e. in-addr.arpa):


The video below, while from 2010, provides a good introduction to what a DPS is all about:


Wow! Dramatic Growth in DNSSEC-signed Domains in .NL

Wow!  Per a tweet from Bert Hubert of PowerDNS we learned of this very dramatic graph of growth in DNSSEC-signed domains in .NL (click on the image to see the most up-to-date numbers):

DNSSEC-signed domains in .NL

That is quite the “hockey stick” jump in DNSSEC usage!  On July 2nd there were around 15,800 DNSSEC-signed domains in .NL and at the time I write this post there are 84,407!

In response to my query about what occurred, Bert said only that a PowerDNSSEC user enabled DNSSEC. Bert was also quick to point out in other messages I’ve seen that this fantastic growth is not exclusively because of PowerDNSSEC but that the PowerDNSSEC team worked hard to make it happen.

According to discussion on the dnssec-deployment mailing list, there are about 5 million .NL domain names. So in just a couple of days the .NL space has zipped by 1% and is fast on the way to 2% of all .NL domain names being signed!

Excellent work by all involved and it will be interesting to see how much farther it climbs!

P.S. I’ll note that just in the past few minutes while I wrote these last couple of paragraphs, the count climbed from 84,407 to 84,913!

OpenDNSSEC Team Seeking User Feedback Via A Survey

Via Twitter we learned that the OpenDNSSEC team is asking for user feedback to help improve the software. If you are a current user of OpenDNSSEC, please help them by filling out their short survey!

Deploy360 To Present On Accelerating DNSSEC Deployment at ENOG3 in Odessa, Ukraine, Next Week

Will you be at the third meeting of the Eurasia Network Operators Group (ENOG) on May 22-23, 2012, in Odessa, Ukraine?

If so, you’ll get to hear me (Dan York) speaking about “Key Steps to Accelerating DNSSEC Deployment”.  The abstract of my session is:

Everyone wants a more secure Internet and DNSSEC provides a level of additional security that allows a web browser to make sure the DNS information is correct and unmodified. So why is it taking so long to get DNSSEC deployed?

What needs to be done to get more domains signed with DNSSEC? How can DNSSEC validation be built into more applications? Are there technical issues or are the issues more of communication and awareness? How can we as a community address these challenges to increase the usage and availability of DNSSEC?

In this session, Dan York will explain some key deployment challenges and offer suggestions for how to overcome them, including more education for consumers, businesses, developers and network operators, and steps registrars can take to make the process of signing domains easier for the end-user. In addition, Dan will facilitate an audience discussion on what other resources are needed to help move the DNSSEC deployment needle.

Over 80 top-level domains (TLDs) and thousands of second- and third-level domains have now been signed with DNSSEC. The Internet Society Deploy360 Programme plans to build on this success and expand DNSSEC deployment by providing detailed, technical how-to resources and educational articles, case studies, and other in-depth information to help organizations of all sizes.

I’m very much looking forward to attending the session and meeting with the network operators from around the region. The ENOG 3 program agenda looks quite excellent and the attendee list already shows 275 people!  This is a regional meeting for the RIPE NCC and is the first time that an ENOG meeting has been held in the Ukraine.

My colleague Andrei Robachevsky will also be presenting on the topic of World IPv6 Launch and I’m looking forward to meeting up with him as well, given that he’s based in Amsterdam and I’m here in New Hampshire in the USA.

It will be interesting for me on a personal level, too, as the conference is in both English and Russian (with simultaneous translation) and my ability with the Russian language sadly doesn’t go much beyond “Nyet”!  I’m looking forward to being there and perhaps learning a few phrases along the way.  Getting to Odessa, though, turns out to be a bit entertaining for me… I’m flying Boston -> London -> Istanbul -> Odessa and basically losing Monday and Thursday to travel!  If you don’t see any blog posts from me on next Friday, you’ll know I’m caught somewhere in the air transport system! :-)

Anyway, if any of you are going to be at ENOG 3 next week I look forward to meeting with you!

DNSSEC Used In 2012 National Collegiate Cyber Defense Competition

Our friends over at the DNSSEC Deployment Initiative published the great news that DNSSEC was involved in the National Collegiate Cyber Defense Competition (NCCDC) held in April 2012.  This annual event, sponsored by the U.S. Department of Homeland Security (DHS) Science and Technology division, involved this year 126 schools and over 1,500 competitors.  The important part to us was this quote:

According to organizer Dwayne Williams, roughly 80% of the competitors had heard of DNSSEC before, but less than 10% had ever actually used or implemented it prior to NCCDC. While two of the teams noted that they would like to see simpler, step-by-step instructions for implementing DNSSEC, all of the teams ultimately thought DNSSEC was a technology they planned to look at more in the future.

That’s 1,500 more people who can be out there able to deploy DNSSEC!  And since these competitors are students who will be going on into industry this is excellent news for the future of DNSSEC.

We also understandably liked this part of the quote:

While two of the teams noted that they would like to see simpler, step-by-step instructions for implementing DNSSEC…

That is precisely the type of content we’re aiming to build here for DNSSEC, and our new DNSSEC content roadmap identifies further tutorials we’d like to add.  By the time the 2013 NCCDC event rolls around, these students will be able to find many more simple tutorials out there!

Kudos to all the 2012 NCCDC teams for working with DNSSEC – and we look forward to learning what DNSSEC challenges will be part of the next NCCDC event.

Want To Tell Us Where To Go? View Our IPv6 and DNSSEC Roadmaps…

What type of IPv6 and DNSSEC articles, tutorials, and other content do we need to add to this Deploy360 website? What areas need more attention? Have you looked for some topic here and not found it?

Since we launched Deploy360 four months ago, we’ve been collecting feedback through comments to this site; through interactions on Twitter, Facebook and Google+; from email sent to our deploy360@isoc.org address; from feedback form submissions; from conversations at various events … and even before our launch from attendees at our two ION conferences last year.

You have given us a great amount of feedback, and we’ve summarized all of that into two “roadmap” documents that outline what we believe we need to add to the site. They can be found here:

Now we’d love to hear from you again… have we captured your feedback accurately? Can you see other areas that we need to add? Other topics or tutorials?

How else can we help you with information about how to deploy IPv6 and DNSSEC rapidly?

Please note that these roadmap pages will be “living documents” in that we’ll be constantly updating them as we add items to the site (and remove them from the roadmap), find new items we need to add, and generally get more feedback from you about where you think we need to focus.

With these roadmaps published, we will start adding the listed resources to the site. We will be finding these resources out on the Internet where we can – verifying their accuracy and then reviewing them here on the site. Where needed resources don’t yet exist in a free and open form, we’ll create those resources in conjunction with our partners and volunteers.

To that end, if you know of a great tutorial or article (including one you’ve written) that fits an item on the roadmap, please let us know so that we can consider it for inclusion in the site. If you are looking for a specific topic and it’s not on this site or on the roadmap yet, let us know so we can add it to the roadmap.

Many thanks again to everyone who has given us feedback on the site over the past four months. We’ve been very pleased by the response so far and are looking forward to growing this site to help many more people deploy IPv6 and DNSSEC!

Please let us know how we can help you!

DNSSEC Roadmap for the Deploy360 Programme

The Deploy360 Programme staff has been collecting requirements and feedback for DNSSEC-related content from the community here at the Deploy360 site, from within social networks and at our ION conferences.

Based on that feedback, this document is an analysis of the IPv6-related content that needs to be added to the Deploy360 Programme website. Each section lists two areas of content:

  • Requirements – content that must be added to the site for this section to be “complete” in terms of meeting the section’s education goal.
  • Enhancements – content that we would like to add to each section. This content may be added after the required content is complete or if additional funding, staff or volunteers can be found to assist with this content.

This is a living document that will be continually updated and changed as we complete listed items, discover new items we believe need to be added and/or receive feedback from the larger community about items that need to be added or removed from the list.  (And we welcome your feedback on these documents.)

The content listed below will either be curated (i.e. found on the Internet, verified for accuracy and pointed to with a review from the Deploy360 site) or will be created by the Deploy360 team in conjunction with partners and volunteers.

Separate from the content identified here, there is also the need to translate the content on the Deploy360 site into other languages.

Feedback on this roadmap is definitely welcome. Thank you.


DNSSEC Basics

Requirements:

  • Intro document – What DNSSEC is, why it matters, etc.
  • Information about how to ensure your local DNS server will pass along DNSSEC records
  • More information about the role of DS records within parent domains
  • Information about DANE and the value it brings
  • More information about the business reasons for using the added security of DNSSEC
  • Information about how SSL and DNSSEC can work together
  • Tutorials for how to use DNSSEC at various registrars (expanding the current list)
  • Guidance on DNSSEC key rollover
  • Information about establishing a DNSSEC Policy and Practice Statement (DPS)
  • DNSSEC RFC review

Enhancements:

  • Videos/screencasts of securing and signing your domain using various registrars
  • Animated video (Common Craft-style) that explains DNSSEC to a regular audience
  • Assistance in editing/updating the DNSSEC HOWTO maintained by NLnet Labs
  • Marketing-type materials for internal advocates to champion DNSSEC

Case Studies

Requirements:

  • Case study (text) with a registry
  • Case study with a registrar making DNSSEC available to customers
  • Case studies with ISPs deploying DNSSEC-validating name servers
  • Case studies with multiple developers of different types of applications

Enhancements:

  • Video case studies with all of the above
  • Design and publish “deployment scenarios” for DNSSEC that are suited to specific industry segments rather than rely solely on case studies

Tools

Requirements:

  • Tutorial on how to add the CZ.NIC DNSSEC extension to Microsoft IE
  • Tutorial/info about how to configure DNSSEC using
    • BIND
    • PowerDNS
    • Unbound
    • Windows 8
    • (other servers)
  • Pointers to more of the existing videos/screencasts about DNSSEC tools

Enhancements:

  • Videos/screencasts of adding DNSSEC extensions to Chrome, Firefox, IE
  • Videos/screencasts of configuring DNSSEC using the various nameservers

Training

Requirements:

  • Identification of further courseware available for open/free usage
  • Further identification of additional train-the-trainer courseware

Enhancements:

  • Creation of additional written courseware
  • Creation of deployment-focused e-learning / video tutorials
  • Ongoing webinar series offering IPv6 education
  • Develop and standardize a training package for DNSSEC that trainers and consultants can use as a base for educating their customers

Network Operators (including registries and registrars)

Requirements:

  • Guidelines for considerations for supporting DNSSEC
    • Include information about whether or not to validate at ISP-level
  • Case studies (previously covered above)
  • Questions to ask vendors regarding DNSSEC support
  • Pointers to databases of DNSSEC-enabled software and services
  • Information about DNSSEC automation software
  • Tutorial on DNSSEC deployment at the gTLD/ccTLD level

Enhancements:

  • Commissioned analyst whitepapers on DNSSEC
  • Videos/screencasts related to DNSSEC implementation at operator level
  • Funding to assist in adding DNSSEC capability to registry/registrar software

Developers

Requirements:

  • Guidelines/best practices for adding DNSSEC support to applications
  • Case studies (previously covered above)

Enhancements:

  • Videos/screencasts showing use of DNSSEC libraries
  • Creation of additional open source test tools and/or libraries

Content Providers

Requirements:

  • Case studies
  • Information about business case / value in using DNSSEC
  • Information about how to work with registrars in signing domains
  • Information about using content delivery networks (CDNs) that support DNSSEC
  • Information about DANE and other uses of DNSSEC

Enhancements:

  • (Same video screencasts as under DNSSEC Basics)

Consumer Electronics Manufacturers

Requirements:

  • Case studies
  • Information about business case / value in using DNSSEC
  • (similar information as with Developers in how to add DNSSEC support to a device)

Enhancements:

  • (Same video screencasts as under DNSSEC Basics and Developers)



Enterprise Customers

Requirements:

  • More material helping C-levels understand the need to deploy DNSSEC
  • Business case / cost benefit analysis support for DNSSEC
  • Case studies
  • (Tutorials on DNSSEC configuration as referenced earlier)

Enhancements:

  • Commissioned analyst whitepapers on DNSSEC
  • Videos/screencasts related to enterprise usage of DNSSEC
  • Slides / materials to help enterprise advocates promote DNSSEC within their enterprise

ICANN Seeking Participants and Speakers for DNSSEC Workshop June 27 in Prague

Our friends over at the DNSSEC Deployment Initiative have noted that ICANN issued a Call for Participation for their upcoming DNSSEC Workshop on June 27, 2012, in Prague, Czech Republic, as part of the ICANN 44 meetings happening there. This is a similar workshop to the excellent DNSSEC workshop at ICANN 43 that I attended and spoke at in March in Costa Rica.

While I can’t attend this meeting personally, I highly recommend attending if you are interested in deploying DNSSEC.

The folks at ICANN are seeking presentations on the following topics:

1. DNSSEC activities in Europe

2. ISPs and Validation

3. The realities of running DNSSEC

4. DNSSEC and Enterprise Activities

5. When unexpected DNSSEC events occur

6. DNSSEC in the wild

7. DANE and other DNSSEC applications

They are also seeking participants for something called “The Great DNSSEC Panel Quiz” that sounds like it could be entertaining!

More information and submission guidelines can be found in the Call for Participation. The deadline is May 10th to submit a speaking proposal, so time is short!

DNSsexy.net – News from the DNS blogosphere

Looking for news about DNS and DNSSEC that is happening around the Internet? If so, check out:

dnssexy.net

DNSsexy is a news aggregation site built and maintained by Jan-Piet Mens that pulls together DNS-related items from a variety of blogs and news sources. Do note that this is DNS in general… so it covers a wide range of DNS topics, not just the DNSSEC we cover here.

You can view the latest news by going to the site – or by adding the aggregated RSS feed into Google Reader or whatever feed reader you use.

I’ve found it quite a useful way to stay up on the many DNS posts happening around the Internet. Thanks to Jan-Piet Mens for setting up and maintaining the site!

Nic.at Publishes DNSSEC Report With .AT Statistics, Info

This month the folks at Nic.at, the Austrian registry, published an interesting “.at report” that was entirely devoted to DNSSEC and was full of statistics and charts.

The driver for this focused report was the DNSSEC signing of the .at domain on February 29, 2012. This report, one of a series of regular reports from nic.at, first discusses the signing of the .at domain and provides some global statistics about DNSSEC adoption.

The report then covers some stats about DNSSEC implementation at domain name registrars supporting .AT domains, which shows there is definitely room for growth. Only 14 .AT registrars currently support DNSSEC… but that to me is actually good news because there are no .AT registrars listed on either our Deploy360 list of DNSSEC registrars or on ICANN’s list – so obviously it sounds like there are a few more registrars we can add!

I found one set of statistics about registrar plans of interest, in part for the interesting difference between two of the questions:

DNSSEC statistics

Here 51% believe that DNSSEC will prevail as an additional security measure… but only 23% viewed DNSSEC as significant for them as a registrar. (I would say some education is necessary there, eh?)

Also, only 15% have received customer requests about DNSSEC. (Clearly, we as consumers need to be contacting registrars – and encouraging people we know to contact registrars – to increase this percentage!)

I also found the question about whether DNSSEC was a paid option or not to be intriguing:

There is a rather different approach of the six questioned .at-registrars that offer DNSSEC-compliant nameserver services: half of them charge fees, one registrar actively promotes DNSSEC without additional fees, and one third offers DNSSEC for free without any active promotion.

It will be interesting to see over time how these different business models continue. I appreciated the fact that Nic.at’s partner list has a “Partner Search” tab where you can check a box for “supports DNSSEC” to see only the DNSSEC-enabled registrars. Unfortunately in a very brief scan of the actual partner sites I couldn’t find mentions of DNSSEC in their web pages… but I didn’t do a very deep look.

The report goes on to provide a timeline for the .AT signing and some other information and interviews.  Nic.at also provides a couple of sections of their site related to DNSSEC:

Congratulations to the Nic.at team for the signing of the .AT zone and it’s great to see a focused newsletter like this helping educate people about what is going on with DNSSEC. It will be great to see the growth of signed .AT domains as this word gets out and as more registrars support DNSSEC and make it easier for domain name holders to sign their domains.