Category: Whitepapers

Whitepaper: Balancing IP Address Distribution and Decentralization

Have you ever wondered about how IP addresses get distributed to Internet Service Providers (ISPs) and other network operators to give out to you in your home or office?  Regardless of whether for IPv6 or legacy IPv4 addresses, would you like to know more about how that process actually works?

In April 2013, some of our colleagues here at the Internet Society authored a white paper exploring these exact topics. Titled “A Fine Balance: Internet number resource distribution and de-centralisation”, the document has this for an executive summary:

Internet number resources (IP addresses and AS numbers) are distributed to resource users through processes that have evolved over time. Although initially centralised, the processes of policy formation and resource distribution have more recently been devolved to regional organisations. In addition, technology evolution has been embraced. IPv4 allocations have successfully evolved to meet the needs of the global community and IPv6 allocations, starting from a clean slate, are now able to leverage this successful global platform. This decentralisation is a direct consequence of the expansion of the Internet to cover all regions of the globe and it serves a number of important functions. Decentralisation is not an end in itself however, and experience shows us that a careful balance and coordination are needed to ensure that the over-riding objectives of aggregation, conservation and registration continue to be met.

The commitment between the resource distributors and the resource users is bidirectional, and resource distribution is essentially an operational engineering function that requires careful co-ordination and consensus building to succeed. Network operators have very strong incentives to partner with operationally knowledgeable organisations when obtaining numbering resources and will choose not to interconnect with networks that disregard this reality. As a consequence, proposals either to further centralise or de-centralise the processes whereby Internet numbering resources are distributed should be given very careful consideration indeed, with maintenance of the fine balance that has served the community well to date uppermost in our minds.

The document goes on to explain how IP address allocation began and how it evolved to the current model.  It is well worth a read for anyone seeking to better understand how the Internet really works at an operational level.

Excellent whitepaper/tutorial from SURFnet on deploying DNSSEC-validating DNS servers

How do you get started with deploying DNSSEC-validating DNS servers on your network?  What kind of planning should you undertake?  What are the steps you need to go through?

The team over at SURFnet in the Netherlands recently released an excellent whitepaper that goes into the importance of setting up DNSSEC validation, the requirements for using validation, the planning process you should use, etc.

As we note on our resource page about the whitepaper, the document then walks through the specific steps for setting up DNSSEC validation in three of the common DNS resolvers:

  • BIND 9.x
  • Unbound
  • Microsoft Windows Server 2012

For us to get DNSSEC widely available we need to have DNS resolvers on networks performing the actual validation of DNS queries using DNSSEC.  This guide is a great way to get started.

Have you enabled DNSSEC validation on your network?

Deploying DNSSEC: Validation on recursive caching name servers

Why should you deploy DNSSEC-validating DNS resolvers on your network?  What kind of planning should you do to prepare? What steps do you need to do?

The team at SURFnet has published a whitepaper titled “Deploying DNSSEC: Validation on recursive caching name servers” (PDF) that answers these specific questions and much more.  The document covers:

  • Cost and benefits of deploying DNSSEC
  • DNS architecture
  • Requirements before deployment
  • Planning your deployment
  • Operational requirements and practices

The document then gets into specific step-by-step instructions for three of the most common DNS resolvers:

  • BIND 9.x
  • Unbound
  • Microsoft Windows Server 2012

For people looking to deploy DNSSEC-validation within their network, this guide provides an excellent way to get started.

NIST’s Excellent Guidelines On How To Securely Deploy IPv6

Looking to understand how to securely deploy IPv6? Want a document you can provide to your security team or others concerned about IPv6?

If so, we’ve recently added to our list of resources an excellent “Special Publication” from the U.S. National Institute of Standards and Technology (NIST):

Guidelines for the Secure Deployment of IPv6

Like most of NIST’s special publications, including their excellent guide to DNSSEC, the document begins with a lengthy tutorial and then walks through a number of IPv6 security issues in great depth. It’s a very thorough document and includes detailed sections on the many different IPv4-to-IPv6 transition mechanisms as well as detailed appendices.

While the document naturally includes sections providing guidance for US federal agencies, the majority of the document is very applicable for anyone looking to understand issues of IPv6 security.  Well worth a read… and worth passing along to others who may be asking you questions about IPv6 security.

FCC Publishes DNSSEC Recommendations for ISPs

Are you a network operator or Internet service provider (ISP) seeking to understand what you need to do to implement DNSSEC within your network? Are you looking for guidance to help you understand how to proceed?

If so, the U.S. Federal Communications Commission (FCC) just published a set of “DNSSEC Implementation Practices for ISPs” through one of the working groups of its Communications Security, Reliability and Interoperability Council (CSRIC).  The 29-page PDF is available at:

http://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC-III-WG5-Final-Report.pdf

The document provides:

  • A brief overview of DNS and DNSSEC
  • A view of the current state of DNSSEC deployment
  • How Internet Service Providers (ISPs) can use DNSSEC
  • An analysis of the key drivers and challenges for implementing DNSSEC
  • Specific best practice recommendations to ISPs for deploying DNSSEC

The key recommendations of the working group include:

  1. ISPs implement their DNS recursive nameservers so that they are at a minimum DNSSEC-aware, as soon as possible.
  2. Key industry segments, such as banking, credit cards, e-commerce, healthcare and other businesses, sign their respective domain names. The FCC ask industry-leading companies in key sectors to commit to doing so, in order to create competitive pressure for others to follow. These industries may be prioritized based on the prevalence of threats to each one, which would mean focusing on financially related sites first, followed by other sites that hold private user data.
  3. Software developers such as web-browser developers study how and when to incorporate DNSSEC validation functions into their software. For example, a browser developer might create a visual indicator for whether or not DNSSEC is in use, or perhaps only a visual warning if DNSSEC validation fails.

We’re very pleased to see these recommendations as they are very much in line with what we’ve been promoting here on the site about DNSSEC – and are very much in line with our recent analysis of DNSSEC challenges and opportunities.

If you are an ISP or network operator, these recommendations from the FCC are definitely ones to consider and act on.  Kudos to the CSRIC Working Group and the FCC for publishing this document.

Thanks to the DNSSEC Deployment Initiative for pointing out that these recommendations were published.

FCC DNSSEC Implementation Guidelines for ISPs

In March 2012, the United States Federal Communications Commission (FCC) published a set of “DNSSEC Implementation Practices for ISPs” through one of the working groups of the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC).  The full report can be downloaded in PDF at:

http://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC-III-WG5-Final-Report.pdf

The 29-page document provides the following:

  • A brief overview of DNS and DNSSEC
  • A view of the current state of DNSSEC deployment
  • How Internet Service Providers (ISPs) can use DNSSEC
  • An analysis of the key drivers and challenges for implementing DNSSEC
  • Specific best practice recommendations to ISPs for deploying DNSSEC

If you are a network operator or Internet service provider seeking to understand the steps you need to undertake to support DNSSEC, this document is highly recommended.

New Paper – “Challenges and Opportunities in Deploying DNSSEC” at SATIN 2012

This morning at the SATIN 2012 conference in London I (Dan York) will be speaking on the topic of “challenges and opportunities in deploying DNSSEC”. Basically I’ll be providing a view of our experience here at Deploy360 over the past 6 months in looking at how to accelerate the deployment of DNSSEC.  As we have been building up our list of DNSSEC resources, we’ve been taking a look at DNSSEC from the “user experience” point of view.  What are the pain points for network operators? for developers? for content providers? for enterprises?

Where are the opportunities to simplify the user experience and make it easier to deploy DNSSEC?

As part of this presentation at SATIN 2012, we created a 7-page paper documenting our findings.  You can download the PDF of this document at:

Challenges and Opportunities in Deploying DNSSEC (SATIN 2012)

As I note on the “resource” page for this paper, we look at the issue from the perspective of:

  • Domain name consumers - any person or application that is using a domain name.
  • Domain name holders - people or organizations who have registered a domain and, in the context of DNSSEC, want to sign the domain.
  • Domain name infrastructure operators - people or organizations that provide the actual service behind the Domain Name System and have a role to play in the DNSSEC signing and validation processes.

Creating the paper was a very useful process in that it helped us identify some of the places where we can add value through the Deploy360 program in the form of new DNSSEC tutorials, HOWTOs and other documents.  I hope that it will be helpful for others out there who are also looking at ways to help accelerate DNSSEC deployment.

I’d very much love to hear any and all feedback on the document.  This is very much a “progress report” of what we have found at this point in time and I expect the list of both challenges and opportunities to evolve over time.

What do you think of the list in this document?  Do you agree? Disagree?  Can you think of other opportunities for simplifying the user experience with DNSSEC?

Again, I’d love to hear from you, either as comments to this post, email to deploy360@isoc.org or via our feedback form.

Whitepaper: Challenges and Opportunities in Deploying DNSSEC


At the SATIN 2012 conference on March 23, 2012, the Internet Society’s Dan York spoke about a paper that he and other members of the Internet Society staff developed outlining some of the challenges with DNSSEC deployment and identifying opportunities to simplify the user experience to accelerate DNSSEC deployment. The document is now available for download at:

Challenges and Opportunities in Deploying DNSSEC (SATIN 2012)

The document lays out the challenges and opportunities for:

  • Domain name consumers - any person or application that is using a domain name.
  • Domain name holders - people or organizations who have registered a domain and, in the context of DNSSEC, want to sign the domain.
  • Domain name infrastructure operators - people or organizations that provide the actual service behind the Domain Name System and have a role to play in the DNSSEC signing and validation processes.

Within each section, there are multiple subsections with specific examples.  The document concludes with some thoughts about additional opportunities to accelerate DNSSEC deployment and a lengthy list of resources for further exploration of the topic.

Our goal is that this document can stimulate further discussion about these points and lead to solutions that move DNSSEC deployment further.  We also will be using it within the Deploy360 Programme to identify areas where we need to add more DNSSEC resources to the site.

We welcome any and all feedback and comments, either directly here as comments to this page or sent to us via email or our web form.

Whitepaper: .SE Health Status Report on DNS and DNSSEC

This week the folks at .SE in Sweden released a report full of DNS and DNSSEC information and statistics related to .SE at:

.SE Health Status – DNS and DNSSEC (PDF)

Today at the SATIN 2012 event in London, Anne-Marie Eklund Löwinder from .SE discussed many of the statistics and information contained in the report.  She highlighted many of the major errors they’ve seen and provided an intriguing view into how DNSSEC is actually being deployed in terms of key lengths, encryption algorithms, etc.

At the time of the analysis in early February, .SE had 174,487 domains signed with DNSSEC out of a total of 1,195,719 registered domains.  The document contains a number of interesting charts and other data.

While this report is obviously about a single top-level-domain, it provides interesting insight into DNS and DNSSEC deployment.  Sweden has been a leader in DNSSEC deployment and we look forward to seeing future surveys and the continued growth in signed domains.  Thanks to the .SE team for providing this data to the larger community.

P.S. Want to learn more about how to deploy DNSSEC?  View our list of DNSSEC resources to get started!

Want to Deploy DNSSEC on Microsoft Windows 7 or Server 2008 R2?

Do you operate a Microsoft Windows server infrastructure and would like to know how to implement DNSSEC? If so, Microsoft published a “DNSSEC Deployment Guide” to help administrators of Windows Server 2008 R2 and Windows 7 systems.

The comprehensive document explains what DNSSEC is all about, walks step-by-step through each process and also provides easy checklists to use as a reference during deployment and ongoing operation.

I no longer administer Windows Servers so can’t personally attest to the usefulness of the guide.  In reading through it, my initial reaction is that there seems to be very little GUI management of DNSSEC. Most of the administration seems to involve use of the ‘dnscmd’ command-line tool.  While that’s perfectly fine by me, given that I’m a big command-line fan, I suspect that many regular Windows administrators may wish they could execute these commands through one of the administration tools Microsoft provides. The document also was last updated in March 2010 and thus pre-dates the signing of the root in July 2010. With the root signed, the section on distributing trust anchors may no longer be quite as applicable.

Regardless, this appears to be the most recent document provided by Microsoft and so if you have a Windows-based server infrastructure you may want to check it out.  I’d note that this document only applies to Windows Server 2008 R2 and Windows 7.  Earlier versions of Windows Server had much more limited support for DNSSEC.

If you are a Windows administrator, what do you think?  Is this document helpful? Useful?  What could Microsoft do to make DNSSEC deployment easier on Windows Server 2008 R2 or Windows 7?