Category: Reports

New report: “State of DNSSEC Deployment 2016”


What is the current state of deployment of the DNS Security Extensions (DNSSEC)? How many domains are secured with DNSSEC? What actual usage are we seeing on the Internet? What software is available to help?

For years there have been many statistics about DNSSEC available, but it’s been hard to get an overall picture of deployment. To help with this, we’ve worked over the past few months to pull together as much information as possible into one document:

We encourage you to please read the document – and share it widely with people who need to understand more about the security of the Domain Name System.

We also welcome feedback on questions such as:

  • How helpful did you find the report?
  • What sections were particularly helpful? (or not?)
  • Is there additional information you’d like to see included in a future report?

You can post the feedback here as a comment – or send it to me directly via email.

Our intent is that this will be the first in an ongoing annual series of reports for at least the next few years until DNSSEC is more widely deployed.  Our goal is for the “State of DNSSEC Deployment 2017” report to be ready in time for the ICANN 60 DNSSEC Workshop happening in early November 2017 in Abu Dhabi.

I’d like to thank Chip Sharp for all his hard work assembling this report and incorporating feedback. I also want to thank the group of people who provided a quick final review and proofreading in the last weeks of December (noted in the final Acknowledgements section). And I want to thank everyone within the larger DNSSEC community who continues to share their information, statistics and more.

Please do share this State of DNSSEC Deployment 2016 report with others – and if you haven’t done anything with DNSSEC on your own networks or domains, please visit our Start Here pages to learn how you can begin! Together we can make the DNS – and through that the wider Internet – a bit more secure and trusted.


NIST Releases New Version of Secure DNS Deployment Guide (SP-800-81-2, Including DNSSEC)

Looking for a solid document about how to securely deploy DNS, including how to configure DNSSEC?  We’ve written before about NIST’s excellent Secure DNS Deployment Guide and how it is very applicable to enterprises and organizations of all types, not just those of the US government.  This morning NIST’s Scott Rose announced that a new version, SP-800-81-2, has been published at:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf

The formal NIST announcement indicates that this new revision…

…adds two new sections – one to provide guidance on secure set up of recursive DNS service and the other for securely configuring validating resolvers. It also incorporates knowledge gained from DNSSEC deployment experience to provide some updated guidance for DNS Administrators on cryptographic algorithm variables, configuration and operations.

In his email to the dnssec-deployment mailing list, Scott noted:

This revision includes new sections with recommendations for the enterprise level admin in setting up recursive servers, including DNSSEC validation. Please send any comments to scottr at nist.gov and/or mouli at nist.gov, since I’m not sure if the old comment address is still working.

Note that this revision was in the pipe when NIST re-opened the comment period for the NIST SP 800-90 series, so any cryptographic recommendations are pre-discovery and may be subject to change if any new information comes to light.

It’s excellent to see this revision and we definitely appreciate all the work that Scott and the others do at NIST that helps accelerate the deployment of DNSSEC!

NOTE: Scott let me know that NIST is definitely seeking comments on this document.  Do you have suggestions for how it can be improved?  Is there additional information they could add?  Please contact him at the email addresses listed in his message.  He is asking for comments within the next 30 days.

 

Report: Signed Root Deployment – Framing the Issues (DNSSEC Industry Coalition, 2009)

In April 2013, Steve Crocker circulated this report with the following comment:

In June 2009, a year before the root was signed, the DNSSEC Industry Coalition, led by PIR, and the DNSSEC Deployment Initiative, held a symposium, Signed Root Deployment: Framing the Issues, to look at possible consequences of signing the root and the next steps after it was signed.

We had an excellent symposium and drafted a report.  Sadly, we couldn’t quite complete the editing process, so the draft lay unpublished, incomplete, since then.

The concerns expressed during the symposium about the consequences of a much larger root zone are now well behind us.  However, the sections on key distribution and use and on key rollover remain relevant, which is why we are pushing this draft out at this late date.

We are posting the report here at Steve’s request to make it available to the larger community.

ENISA Report On Secure Routing And Network Resiliency

What is the state of our routing infrastructure and what can be done to make it more secure and resilient?

In July 2010, the European Network and Information Security Agency (ENISA) published a report on this topic called:

It begins with a paragraph that I think will resonate with most of us:

Reliable communications networks and services are now critical for public welfare and economic stability. Intentional attacks on the Internet, disruptions due to physical phenomena, software and hardware failures, and human mistakes all affect the proper functioning of public communications networks. Such disruptions reveal the increased dependence of our society on these networks and their services. A vital part of reliable communication networks is the routing infrastructure.

The report goes on at great length to report on the result of a survey of network operators within the European Union about the use of – or plans to use – secure routing technologies within their networks.  The report is quite useful in the background that it first provides around routing security concerns and some of the proposed solutions.  It then goes into a detailed analysis of the survey results.

While the data is now close to three years old (the interviews were in March/April 2010), many of the points are quite similar to more recent analyses.  A key point I noticed was this:

Overall, the lack of available knowledge and skills in routing security is recognised as a major barrier hindering further improvements in routing security, as became clear both from the online survey and the interviews.

Addressing this point by helping promote more awareness and education around routing security / resiliency is a primary aspect of our new Routing section here on Deploy360!

Overall the report makes for good reading if you are looking to understand more about the topic of “routing resiliency / security.”  There has been a good bit of progress made within some of the working groups mentioned since the time of the report, but the report still provides a solid foundation and background.

Report: Routing Resiliency Measurements – Where We Are And What Needs To Be Done

What is the actual frequency of routing security incidents? And what are the operational and economic impacts of such security incidents?

We all know that “routing security” incidents happen, but it’s hard to get a grasp on exactly what the situation is.  To that end, our colleagues in the Internet Society Standards and Technology team organized a “Routing Resiliency Measurements Workshop” in November 2012 to bring together participants from network operators, research labs, universities and vendors to explore what we can measure now – and what we need to do to start collecting more accurate measurements.  The team has now published a report:

and our colleague Andrei Robachevsky has published some observations about the workshop.  As Andrei notes, the point of the workshop was to address three main questions:

  1. What level of attack has there been in the past – to what extent do security incidents happen, but go unnoticed, or get dealt with inside a single network, possibly introducing collateral damage?
  2. Are the number and impact of service disruptions and malicious activity stable, increasing, or decreasing?
  3. Can we understand why, and track it collectively?

The report goes into some detail on what was discussed in the workshop and some of the approaches that were outlined.  As Andrei relays in his post, the workshop didn’t magically produce answers to all these questions… but it did lay the foundation for where more work needs to occur.

As we open up the new topic area of Routing Resiliency / Security here on Deploy360, we intend to bring you more information from workshops such as these… and ultimately more of the solutions and best operational practices that can lead to a more resilient and secure Internet.

 

ENISA Report: Resilience of the Internet Interconnection Ecosystem

Seeking to understand routing resiliency and routing security? In this April 2011 report, “Inter-X: Resilience of the Internet Interconnection Ecosystem”, the European Network and Information Security Agency (ENISA) provides an extremely thorough understanding of the complex ecosystem of connections between networks.

This document is highly recommended to anyone looking to understand how the Internet operates – and where there are opportunities for improvement.

As noted on the introductory web page, the study:

…looks at the resilience of the Internet interconnection ecosystem. The Internet is a network of networks, and the interconnection ecosystem is the collection of layered systems that holds it together. The interconnection ecosystem is the core of the Internet, providing the basic function of reaching anywhere from everywhere.

where “resilience” is defined as:

the ability to provide and maintain an acceptable level of service in the face of various faults and challenges to normal operation.

The comprehensive study outlines the challenges to both measuring the infrastructure of the Internet and to understanding the resilience of the network.  A key point is:

There may well not be an immediate cause for concern about the resilience of the Internet interconnection ecosystem, but there is cause for concern about the lack of good information about how it works and how well it might work if something went very badly wrong.

The report sets out to capture a good bit of that information and to lay out recommendations about how further work may be undertaken.  The document is available in two versions:

  • a 31-page “Executive Summary” report (PDF) that presents the major findings and recommendations and provides a decent tutorial into the issues and challenges.
  • a 239-page “Full” report (PDF) that goes into great detail about the “state of the art” with regard to routing and Internet interconnections, includes a section about how the report was developed and then includes a lengthy bibliography that is very useful in and of itself.

While originating in Europe, the document and its recommendations are globally applicable.

For a taste of the document, here is the table of contents of the Executive Summary report:

1 Summary

  • 1.1 Scale and Complexity
  • 1.2 The Nature of Resilience
  • 1.3 The Lack of Information
  • 1.4 Resilience and Efficiency
  • 1.5 Resilience and Equipment
  • 1.6 Service Level Agreements (SLAs) and ‘Best Efforts’
  • 1.7 Reachability, Traffic and Performance
  • 1.8 Is Transit a Viable Business?
  • 1.9 The Rise of the Content Delivery Networks
  • 1.10 The “Insecurity” of BGP
  • 1.11 Cyber Exercises on Interconnection Resilience
  • 1.12 The “Tragedy of the Commons”
  • 1.13 Regulation

2 Recommendations

  • Incident Investigation
  • Data Collection of Network Performance Measurements
  • Research into Resilience Metrics and Measurement Frameworks
  • Development and Deployment of Secure Inter‐domain Routing
  • Research into AS Incentives that Improve Resilience
  • Promotion and Sharing of Good Practice on Internet Interconnections
  • Independent Testing of Equipment and Protocols
  • Conduct Regular Cyber Exercises on the Interconnection Infrastructure
  • Transit Market Failure
  • Traffic Prioritisation
  • Greater Transparency – Towards a Resilience Certification Scheme

More information about the report can be found on the ENISA web site.