Category: DNSSEC

Outstanding DNSSEC Workshop at FOSE Tomorrow

Want to learn about the latest with DNSSEC and the US government? Want to listen to a veritable “Who’s Who” of the people involved with DNSSEC? Tomorrow at the FOSE Conference in Washington, DC, there is what looks to be an outstanding event titled:

MAKING DNSSEC THE TRUST INFRASTRUCTURE: WHERE DOMAIN NAME SECURITY IS HEADED

Going from 10:00am to 4:00pm US Eastern time, the event is described as:

Nearly 50 percent of U.S. Federal domains and a significant number of worldwide governmental, commercial, nonprofit and business domains are now secured with DNSSEC, the Domain Name System Security Extensions. Yet large-scale domain name attacks and vulnerabilities continue, not just to the DNS, but to other applications that rely on the DNS to store information. DNSSEC provides the means to protect application information stored in the DNS, in effect, making DNS a trust infrastructure that other applications can utilize.

In the quest to make DNSSEC a useful trust infrastructure for Internet applications, this session will look at the remaining challenges and emerging trends in U.S. Federal DNSSEC deployment; share new DNSSEC-aware applications; and conduct a wide-ranging discussion of the future of domain-name security with leading Federal and private-sector DNS experts.

The speaker list, though, is what is so amazing!

It includes not only the top people involved with DNSSEC implementation from throughout the US government, but also the very folks behind so many of the DNSSEC resources we’ve listed here on the site and the people we’ve written about in our DNSSEC-related blog posts. There are speakers from organizations like CZ.NIC Labs, NIST, NLnet Labs, Shinkuro and many more… and from vendors such as Akamai, Comcast, GoDaddy, Afilias, Google, etc. Plus individuals who have been extremely involved with DNSSEC like Steve Crocker and even security researcher Dan Kaminsky!

All in all it looks to be a truly outstanding event!

The Deploy360 Programme will have a presence there in the form of Richard Jimmerson who heads up our overall project. If you are interested in meeting up with him at the event, please contact him at jimmerson@isoc.org.

THERE IS STILL TIME TO ATTEND! If you have registered for FOSE you can choose the DNSSEC workshop as one of your free educational sessions.


P.S. Alas, I’d love to be there myself and was hoping to get there… but I just returned this weekend from 11 days away for IETF and it turns out the travel won’t work for me this week. I’m very much looking forward to hearing from Richard how it goes…

New Paper – “Challenges and Opportunities in Deploying DNSSEC” at SATIN 2012

This morning at the SATIN 2012 conference in London I (Dan York) will be speaking on the topic of “challenges and opportunities in deploying DNSSEC”. Basically I’ll be providing a view of our experience here at Deploy360 over the past 6 months in looking at how to accelerate the deployment of DNSSEC. As we have been building up our list of DNSSEC resources, we’ve been taking a look at DNSSEC from the “user experience” point of view. What are the pain points for network operators? For developers? For content providers? For enterprises?

Where are the opportunities to simplify the user experience and make it easier to deploy DNSSEC?

As part of this presentation at SATIN 2012, we created a 7-page paper documenting our findings.  You can download the PDF of this document at:

Challenges and Opportunities in Deploying DNSSEC (SATIN 2012)

As I note on the “resource” page for this paper, we look at the issue from the perspective of:

  • Domain name consumers - any person or application that is using a domain name.
  • Domain name holders - people or organizations who have registered a domain and, in the context of DNSSEC, want to sign the domain.
  • Domain name infrastructure operators - people or organizations that provide the actual service behind the Domain Name System and have a role to play in the DNSSEC signing and validation processes.

Creating the paper was a very useful process in that it helped us identify some of the places where we can add value through the Deploy360 program in the form of new DNSSEC tutorials, HOWTOs and other documents.  I hope that it will be helpful for others out there who are also looking at ways to help accelerate DNSSEC deployment.

I’d very much love to hear any and all feedback on the document.  This is very much a “progress report” of what we have found at this point in time and I expect the list of both challenges and opportunities to evolve over time.

What do you think of the list in this document?  Do you agree? Disagree?  Can you think of other opportunities for simplifying the user experience with DNSSEC?

Again, I’d love to hear from you, either as comments to this post, email to deploy360@isoc.org or via our feedback form.

Whitepaper: Challenges and Opportunities in Deploying DNSSEC


At the SATIN 2012 conference on March 23, 2012, the Internet Society’s Dan York spoke about a paper that he and other members of the Internet Society staff developed outlining some of the challenges with DNSSEC deployment and identifying opportunities to simplify the user experience to accelerate DNSSEC deployment. The document is now available for download at:

Challenges and Opportunities in Deploying DNSSEC (SATIN 2012)

The document lays out the challenges and opportunities for:

  • Domain name consumers - any person or application that is using a domain name.
  • Domain name holders - people or organizations who have registered a domain and, in the context of DNSSEC, want to sign the domain.
  • Domain name infrastructure operators - people or organizations that provide the actual service behind the Domain Name System and have a role to play in the DNSSEC signing and validation processes.

Within each section, there are multiple subsections with specific examples.  The document concludes with some thoughts about additional opportunities to accelerate DNSSEC deployment and a lengthy list of resources for further exploration of the topic.

Our goal is that this document can stimulate further discussion about these points and lead to solutions that move DNSSEC deployment further.  We also will be using it within the Deploy360 Programme to identify areas where we need to add more DNSSEC resources to the site.

We welcome any and all feedback and comments, either directly here as comments to this page or sent to us via email or our web form.

Whitepaper: .SE Health Status Report on DNS and DNSSEC

This week the folks at .SE in Sweden released a report full of DNS and DNSSEC information and statistics related to .SE at:

.SE Health Status – DNS and DNSSEC (PDF)

Today at the SATIN 2012 event in London, Anne-Marie Eklund Löwinder from .SE discussed many of the statistics and information contained in the report. She highlighted many of the major errors they’ve seen and provided an intriguing view into how DNSSEC is actually being deployed in terms of key lengths, encryption algorithms, etc.

At the time of the analysis in early February, .SE had 174,487 domains signed with DNSSEC out of a total of 1,195,719 registered domains.  The document contains a number of interesting charts and other data.

While this report is obviously about a single top-level-domain, it provides interesting insight into DNS and DNSSEC deployment.  Sweden has been a leader in DNSSEC deployment and we look forward to seeing future surveys and the continued growth in signed domains.  Thanks to the .SE team for providing this data to the larger community.

P.S. Want to learn more about how to deploy DNSSEC?  View our list of DNSSEC resources to get started!

Speaking at SATIN 2012 on Friday About DNSSEC Deployment

This Thursday and Friday I (Dan York) will be at the “Securing and Trusting Internet Names (SATIN) 2012” event taking place at the National Physical Laboratory (NPL) in London, UK. As the event site indicates, this event is a bit of a merger of academia and industry:

SATIN aims to provide a forum for academic work on the security of the DNS alongside industry presentations on practical experiences in providing name services.

This workshop will expose the academics to the real problems that industry is encountering, and show industry what academia has to offer them.

The SATIN 2012 agenda looks quite good and I’m looking forward to learning a good bit about new research into DNSSEC and other technologies to protect DNS. It’s great to see someone from Comcast there talking about their work and I admit to having a particular interest in the session on DANE, as I see DANE as a potential way to show how DNSSEC can add more value to existing networks. (More on DANE in later posts.)

On Friday I’ll be speaking about some of what we’ve seen as we prepared the DNSSEC part of this Deploy360 site and the opportunities we see for simplifying the user experience and accelerating DNSSEC deployment. As part of preparing for the event, I developed with my colleagues here at the Internet Society a 7-page paper on “Challenges and Opportunities in Deploying DNSSEC” that I’m definitely looking forward to sharing with you all.

We’ll be posting both my paper and slides to our site once the event is over. The NPL is also going to be recording all of the sessions and making them available via YouTube. As soon as the videos are live, we’ll start posting about them here, too.

If any of you reading this will be at SATIN 2012 this week, please do say hello (and feel free to drop me a note in advance).

Reminder: Today’s ICANN DNSSEC Workshop will be streaming live…

Just a reminder that as we mentioned on Monday, the DNSSEC Workshop happening today at ICANN 43 in Costa Rica will be streamed live.

The event takes place today from 8:30am to 1:45pm in San José, Costa Rica (UTC-6, i.e. US Mountain time – visit timeanddate.com to find out how this compares to the time where you are).

Please see the DNSSEC Workshop web page for the agenda and links to listen to and view the presentations.

ICANN DNSSEC Workshop on Weds, March 14, to be streamed LIVE

Want to learn more about the current state of DNSSEC deployment? Want to hear case studies of organizations who have deployed DNSSEC? Want to learn how DNSSEC can be used to protect your organization’s online reputation?

This Wednesday, March 14, 2012, from 8:30am to 1:45pm (UTC-6, i.e. US Mountain time), there will be a DNSSEC Workshop as part of the ICANN 43 meeting taking place in Costa Rica. The good news is that…

THE EVENT WILL BE STREAMED LIVE

You can just go to http://costarica43.icann.org/node/29659 and click on the appropriate link to listen and view the session.

I (Dan York) will be one of the early presenters outlining some of the areas with DNSSEC that we’ve found in the development of this Deploy360 site where we see opportunities for simplifying the user experience and accelerating DNSSEC deployment.  I’ll be talking about the end-user experience for domain name holders, the experience at domain name registrars and several infrastructure issues.  I’m very much looking forward to giving the presentation and to participating in the ensuing discussion.

The agenda for the full workshop is a great collection of people involved with the actual deployment of DNSSEC.  I’ll be intrigued to listen, learn and interact with the participants and am looking forward to having some new content to add to this site.

If you are going to be there at the session in Costa Rica, I look forward to meeting you. If you are not going to be in Costa Rica but are interested in the topic, I do hope you will tune in to the live coverage.  Given that past ICANN DNSSEC workshops have been recorded for later viewing, I expect this session will be as well.

Gandi.net Adds Support For DNSSEC DS Records

On Friday we learned that Gandi.net is joining the ranks of domain name registrars supporting DNSSEC. In a blog post on their “Gandi Bar” site, “Thomas” outlines the level of support Gandi.net is providing and points over to a wiki post explaining in more detail how to set up DNSSEC for your domains.

It’s important to note that Gandi.net is not providing DNSSEC-signing services – and in fact you cannot use Gandi.net’s own DNS servers for hosting your DNS as their hosting servers do not provide DNSSEC support yet. However, if you host your DNS records on a service that does support DNSSEC, Gandi.net can handle all the relevant Delegation Signer (DS) records for you. We previously provided a step-by-step example of configuring DNSSEC in this manner using GKG.net. It seems that Gandi.net works in a similar manner although it appears you provide them with your full public key and they then generate the relevant DS records.
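How a DS record is derived from a full DNSKEY public key, following RFC 4034 (key tag, canonical owner name) with a SHA-256 digest; this is an added example, not Gandi.net's code or part of the original post. The function names and the sample key (64 placeholder bytes, not a real key) are constructed for illustration.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return the DS record (digest type 2, SHA-256) for one DNSKEY."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100:
        # RFC 4034 section 5.2: a DS may only point at a zone key.
        raise ValueError("DS must refer to a DNSKEY with the Zone Key flag set")
    # DNSKEY RDATA = flags | protocol | algorithm | public key
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    # DS digest = hash(canonical owner name | DNSKEY RDATA)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


# Constructed sample: 64 placeholder bytes standing in for an ECDSA P-256
# (algorithm 13) public key. Not a real key.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_PUBKEY))
```

Comparing the output against the DS your DNS hosting provider reports for the same key is a quick check that the registrar will publish the record you expect.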

What is nice to see is that Gandi.net supports a wide range of top-level domains (TLDs), including:

  • .be
  • .biz
  • .com
  • .de
  • .eu
  • .fr (+ .re, .yt, .pm, .wf, .tf)
  • .net
  • .se
  • .us

Further, in their blog post they commit to providing support for even more TLDs in the future.  Given that ICANN’s list of DNSSEC-enabled registrars only lists a few registrars supporting multiple TLDs, this news out of Gandi.net is great to see.

We’ve queued them up to add to our list of tutorials for signing your domain with DNSSEC using domain name registrars and look forward to seeing more DNSSEC-signed domains coming out of Gandi.net customers.

P.S. Have you signed your domain today?

NIST To Require US Government Agencies to Validate DNSSEC

Our friends over at the DNSSEC Deployment Initiative have noted today that the US National Institute of Standards and Technology (NIST) has announced proposed changes to the Federal Information Security Management Act (FISMA) controls that include, among the many changes, two relating to DNSSEC. The critical change is “SC-21” as explained by the DNSSEC Deployment Initiative folks:

SC-21 is changed to require “[t]he information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.”  This means that all Federal systems must either request and validate DNSSEC responses, or have a trusted link to a validator that can provide that service for the system. Control SC-21 is also changed to be required for all security levels (Low, Moderate and High).

Essentially this means that when this is fully implemented all US government systems should be consumers/users of DNSSEC, meaning that they will validate domains if they are signed with DNSSEC.

The article also notes that this new requirement will become official 12 months from the final publication of the NIST document, expected to be July 2012. The document released last week by NIST is a draft of “Special Publication 800-53 Revision 4” that is open for public comment through April 6, 2012.

It’s great to see this requirement being added to FISMA controls and as it rolls out it will definitely increase the usage and visibility of DNSSEC.

Knot DNS – New DNS server supporting DNSSEC

The folks over at CZ.NIC Labs just released a brand new DNS server called “Knot,” available for download at:

http://www.knot-dns.cz/

(Click on “en” at the top left of the page to read it in English.)

As they say on the page:

Knot DNS is a high-performance authoritative-only DNS server which supports all key features of the domain name system including zone transfers, dynamic updates and DNSSEC.

I’ve not yet had a chance to work with it myself, but Jan-Piet Mens wrote about his experience with Knot over on his site.   To try it yourself, you can download Knot DNS from the site as a tarball or clone the git repository.

It’s great to see new tools and servers emerging that include DNSSEC support and it will be interesting to watch how Knot DNS evolves.