Category: DNSSEC

DNS Statistics for .EDU domain names

Shumon Huque at the University of Pennsylvania maintains a site tracking the DNS capabilities of a selected set of universities at:

http://www.huque.com/app/edudns/

The data, updated once per day, covers the DNSSEC and IPv6 capabilities of the institutions.

Want to Understand DNSSEC? Watch this video interview…

What is DNSSEC? What can you do with it? How does it work? Why are people excited about using DNSSEC? Why should you care about it? At the Consumer Electronics Show a few weeks back, I sat down with cybersecurity expert Joe Klein to cover a range of topics related to DNSSEC, including a few that were quite new to me! It was enjoyable and I thank Joe for his time.

To learn more about DNSSEC, visit http://www.internetsociety.org/deploy360/dnssec

Video: Why DNSSEC Matters – An Interview with Joe Klein

What is DNSSEC? How does it work? How can you use it? Why should you care about it? In this video, Dan York interviews cybersecurity expert Joe Klein about DNSSEC and explores a variety of topics related to how it works, how it is used, what you can do with it and where DNSSEC is going.

To learn more about DNSSEC, visit http://www.internetsociety.org/deploy360/dnssec

This video is a production of the Internet Society Deploy360 Programme.

ICANN Publishes List of Domain Registrars Supporting DNSSEC

We were very pleased to see that ICANN’s Security Team published a list of domain name registrars that support DNSSEC. At this point in the deployment of DNSSEC it’s not a very long list, but it’s a good start – and a list that we hope will grow rapidly in the months ahead.

As we note on our page about how to secure and sign your domain with domain registrars, registrars play a couple of roles in the DNSSEC process. Primarily, they accept “Delegation Signer” (DS) records that contain information about the keys that are used to sign your zone.

Many registrars are also “DNS hosting providers” and will automatically sign all your DNS records on your behalf. We’ve provided some DNSSEC signing tutorials on that page and have others in development.
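As an added example (not code from the post, from ICANN or from any registrar), this shows what is actually inside the DS record a registrar accepts: the digest is computed over the child zone’s owner name plus the DNSKEY RDATA, and the key tag is the RFC 4034 checksum of that RDATA. The DNSKEY used here is a constructed placeholder, not a real key.

```python
# Added example, not from the post: build the DS record a registrar accepts from a
# zone's DNSKEY, following RFC 4034 section 5.1.4 (digest) and Appendix B (key tag).
import base64
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, alg, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of the owner name."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Return the DS RDATA "keytag algorithm digesttype digest" for one DNSKEY.

    The digest covers the owner name in wire form followed by the DNSKEY RDATA,
    so the DS published in the parent binds one specific key to one child zone.
    digest_type 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

# Constructed DNSKEY: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256) with a
# four-byte placeholder key; a real RSA key is hundreds of bytes of base64.
EXAMPLE_OWNER = "example.com."
EXAMPLE_KEY_B64 = "AQIDBA=="

if __name__ == "__main__":
    print(f"{EXAMPLE_OWNER} IN DS {ds_record(EXAMPLE_OWNER, 257, 3, 8, EXAMPLE_KEY_B64)}")
```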

It’s great to see ICANN maintaining that list and, as they note, if you know of more domain registrars who support DNSSEC, they would like to hear from you at dnssec@icann.org (and we’d love to write more tutorials for our pages).

CIRA / .CA Launches DNSSEC Info Center and Draft DNSSEC Practice Statement

DNSSEC is coming soon to the .CA domain! The Canadian Internet Registration Authority (CIRA) recently announced a draft of their “DNSSEC Practice Statement” (DPS) that provides details around how they will be deploying and managing DNSSEC for the .CA domain. They are seeking comment on the DPS – and are also launching a “DNSSEC Knowledge Center” at:

http://cira.ca/knowledge-centre/technology/dnssec

The draft DPS is available on that site as is a useful DNSSEC FAQ.

All of this is in preparation for CIRA’s plans to sign the .CA zone in 2012 and to start signing .CA second-level domains in 2013.

It’s great to see this step from CIRA and we encourage all those interested to take a look at their DPS and send in any comments you may have.

If you are interested in learning more about CIRA’s activities, Jacques Latour spoke at our Toronto ION event in November and we published the video where he spoke about what CIRA is doing with both IPv6 and DNSSEC:

Internet2 DNSSEC Special Interest Group (SIG) Provides Forum for Research/Education Community

Are you a member of the research or education community interested in connecting with others who are implementing DNSSEC? Or are you interested in monitoring what is happening within the research/education world with regard to DNSSEC? If so, the Internet2 Consortium has a Special Interest Group (SIG) focused on DNSSEC. The SIG has a website with a great amount of information at:

https://spaces.internet2.edu/display/DNSSEC/Internet2+DNSSEC+SIG

As noted there:

This SIG (Special Interest Group) is intended as a collaborative forum for the research and education community, to share information and support each other in deploying DNSSEC – the Domain Name System Security Extension.

The SIG primarily communicates through a mailing list and instructions to subscribe are provided at the top of the group’s web page. The SIG also has monthly conference calls where they provide updates on recent and upcoming activities and initiatives.

If you are within the research or education community and interested in DNSSEC, this group is definitely a great place to connect with peers and collaborate. We definitely encourage you all to check it out and join the work.

Fedora Project Requesting Testers of DNSSEC-Trigger

Want to help out a Linux project with DNSSEC? In a recent message to the Fedora Project developers list, Paul Wouters from Red Hat asked for people to help test the recent addition of DNSSEC-Trigger to the “rawhide” distribution of Fedora. As he says in the email:

In our efforts to push DNSSEC to the end user, we have packaged our initial DNSSEC reconfiguration utility.

Basically, this makes it possible to use DNSSEC on your laptop, while moving between networks of which some are “friendly” man in the middle attacks on DNS via hotspots and sign-ons. Some steps are still awaiting further network-manager integration. We hope to be able to hide almost everything from the user, but the network manager integration is not yet complete. But we would really like to get more feedback on how well it works in various alien and broken networks out there (especially wifi and 3G/LTE).

First, it’s awesome to see DNSSEC-Trigger get added into a Linux distribution. Kudos to Paul and the Fedora Project team for taking that step.

Second, if you are a Fedora user, or would like to help out with this effort to promote DNSSEC usage, please do read Paul’s email message and see if you can help out with the testing.

Note that while Paul mentions the Firefox add-on to support DNSSEC, there is also a similar extension that adds DNSSEC support to Google Chrome.

It’s great, too, to see what they have planned for future work on Fedora:

Planned for the near future:
- Less user interaction, more network manager integration
- automatic hot spot detection
- network manager vpn plugin support for DNS forward-zone
- phasing out the applet in favour of native network-manager support
- validate TLS certificates via DNSSEC (IETF DANE support)

And I did very much enjoy how Paul ended the message:

That’s it, go break your DNS and let us know how it went!

Again, it’s excellent to see this effort and I look forward to hearing how the testing goes and seeing this further expansion of DNSSEC capabilities in Fedora.

P.S. And yes, I’m thinking about where I might have a spare box where I could install Fedora specifically to play with this…

Need A Weekend Project? Install The New DNSSEC-Trigger 0.10 Release

Looking for a quick weekend project to learn more about DNSSEC? Want to set up your home network to correctly validate DNSSEC info?

If so, the NLnet Labs team just announced the 0.10 release of DNSSEC-Trigger, a local DNSSEC-validating resolver you can run on your Linux, Windows or Mac OS X system.

Per the change log on the project page, version 0.10 includes the following changes:

  • truncate pidfile (just like NSD fix, in case directory not owned).
  • If hotspot-signon, set override servers right away on a network change, so the user does not have to wait for 10 seconds after a change of the wifi.
  • Attempt to add DHCPv6 support for windows.
  • Use Processes.dll code (can be freely used, source provided) for kill process in windows NSIS installer. Compiled to 6kb (not 50kb). Processes.dll was made by Andrei Ciubotaru.
  • show version number in add-removeprograms configpanel (windows).
  • install script removes leftover trayicons using direct windows API.
  • dnssec-trigger-control uses registry config location (for windows).
  • fix dnssec-trigger-control error printout if SSL files fail.
  • show package version in probe results dialog.
  • updated acx.nlnetlabs.m4 for gcc 4.6 compat for portability tests.
  • Do not show the insecure and hotspot windows at the same time.
  • Fix for OSX to show the popups on top of the other windows.
  • alert icon easier to read.

I just updated my local MacBook Pro and the installation went perfectly fine. (To “update” on Mac OS X, you simply download the latest version and run through the installation process again.)

How will you know if DNSSEC-Trigger is working? Well, one simple test is to try to go to either of the “bad” websites we mention on the DNSSEC Tools page in your web browser: www.dnssec-failed.org or www.rhybar.cz. If DNSSEC-Trigger is working correctly, your web browser will probably tell you that it can’t find either of those sites. DNSSEC-Trigger is determining that the sites do not correctly validate and is therefore not providing any DNS information for those domains.
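As an added example (not code from the post or from the DNSSEC-Trigger project), the same check done from the command line with dig instead of a browser: a validating resolver answers SERVFAIL for the two broken test names, and the classifier also separates a validated answer (the ad flag) from a plain unsigned one, which goes a step beyond the post. It assumes dig is installed; the sample headers are constructed.

```python
# Added example, not code from the post or the DNSSEC-Trigger project: classify a
# dig answer to tell whether the local resolver is validating DNSSEC.
import re
import shutil
import subprocess

def classify_dig_output(text: str) -> str:
    """Return "validated", "insecure", "bogus" or "unknown" for one dig answer.

    A validating resolver (such as the one DNSSEC-Trigger sets up) answers
    NOERROR/NXDOMAIN with the "ad" (authenticated data) flag for a correctly
    signed name, NOERROR without "ad" for an unsigned name, and SERVFAIL for a
    name whose signatures fail, which is why a browser "can't find"
    www.dnssec-failed.org behind a working DNSSEC-Trigger.
    """
    status = re.search(r"status: ([A-Z]+)", text)
    flags = re.search(r"^;; flags: ([^;]*);", text, re.MULTILINE)
    if status is None:
        return "unknown"                      # timeout, no servers reached, etc.
    if status.group(1) == "SERVFAIL":
        return "bogus"
    if status.group(1) in ("NOERROR", "NXDOMAIN"):
        words = flags.group(1).split() if flags else []
        return "validated" if "ad" in words else "insecure"
    return "unknown"

def check_name(name: str) -> str:
    """Query a real name through the system resolver; "unknown" if dig is absent."""
    if shutil.which("dig") is None:
        return "unknown"
    proc = subprocess.run(["dig", "+dnssec", "+time=2", "+tries=1", name, "A"],
                          capture_output=True, text=True)
    return classify_dig_output(proc.stdout)

# Constructed, abbreviated dig headers (not real captures) to exercise the classifier.
SAMPLE_VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
SAMPLE_INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
SAMPLE_BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""

if __name__ == "__main__":
    # The two deliberately broken test names from the post should come back "bogus".
    for name in ("www.dnssec-failed.org", "www.rhybar.cz"):
        print(f"{name}: {check_name(name)}")
```

If both names come back "insecure" rather than "bogus", the resolver in use is not validating at all, which is a different failure from DNSSEC-Trigger being misconfigured.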

Anyway, the new 0.10 release of DNSSEC-Trigger is available now for download for Windows, Mac OS X or Linux. Download it now and get started using DNSSEC validation!

Want to Deploy DNSSEC on Microsoft Windows 7 or Server 2008 R2?

Do you operate a Microsoft Windows server infrastructure and would like to know how to implement DNSSEC? If so, Microsoft published a “DNSSEC Deployment Guide” to help administrators of Windows Server 2008 R2 and Windows 7 systems.

The comprehensive document explains what DNSSEC is all about, walks step-by-step through each process and also provides easy checklists to use as a reference during deployment and ongoing operation.

I no longer administer Windows Servers so can’t personally attest to the usefulness of the guide. In reading through it, my initial reaction is that there seems to be very little GUI management of DNSSEC. Most of the administration seems to involve use of the ‘dnscmd’ command-line tool. While that’s perfectly fine by me, given that I’m a big command-line fan, I suspect that many regular Windows administrators may wish they could execute these commands through one of the administration tools Microsoft provides. The document was also last updated in March 2010 and thus pre-dates the signing of the root in July 2010. With the root signed, the section on distributing trust anchors may no longer be quite as applicable.

Regardless, this appears to be the most recent document provided by Microsoft and so if you have a Windows-based server infrastructure you may want to check it out. I’d note that this document only applies to Windows Server 2008 R2 and Windows 7. Earlier versions of Windows Server had much more limited support for DNSSEC.

If you are a Windows administrator, what do you think? Is this document helpful? Useful? What could Microsoft do to make DNSSEC deployment easier on Windows Server 2008 R2 or Windows 7?

3 IETF Mailing Lists To Follow For Monitoring DNSSEC

Would you like to monitor the ongoing evolution of IETF standards related to DNSSEC? If so, here are 3 IETF working group mailing lists you may consider joining. All lists are open to anyone to join. Do note that several of these can have a very large amount of traffic. Each of the mailing list pages also contains a link to the mailing list public archives if you would like to see what is going on in the lists prior to (or instead of) subscribing.

  • dnsext mailing list / dnsext charter

    The DNS has a large installed base and repertoire of protocol specifications. The DNSEXT working group will actively advance DNS protocol-related RFCs on the standards track while thoroughly reviewing further proposed extensions. The scope of the DNSEXT WG is confined to the DNS protocol, particularly changes that affect DNS protocols “on the wire” or the internal processing of DNS data. DNS operations are out of scope for the WG.

  • dnsop mailing list / dnsop charter

    The DNS Operations Working Group will develop guidelines for the operation of DNS software servers and the administration of DNS zone files. These guidelines will provide technical information relating to the implementation of the DNS protocol by the operators and administrators of DNS zones.

  • dane mailing list / DANE charter

    The DNS-based Authentication of Named Entities (dane) working group will specify mechanisms and techniques that allow Internet applications to establish cryptographically secured communications by using information distributed through DNSSEC for discovering and authenticating public keys which are associated with a service located at a domain name.

    For more information about the DANE working group, see the article in the October 2011 IETF Journal: “DANE: Taking TLS Authentication to the Next Level Using DNSSEC”.