<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: DNSSEC</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest DNSSEC related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2012, unless otherwise noted.</dc:rights>
		<dc:date>2012-02-11T13:09:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>NASA Website Blocked Due to DNSSEC Error</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/nasa_website_blocked_due_to_dnssec_error/</guid>
			<link>http://www.circleid.com/posts/nasa_website_blocked_due_to_dnssec_error/</link>
			<description><![CDATA[<p>A misconfiguration in NASA's DNSSEC implementation on its website caused Comcast's network to block users from the site last week. NASA had incorrectly signed its zone in its implementation of the new security protocol, and Comcast's newly DNSSEC-validating resolvers rejected the site's records as a result, automatically blocking access to the site. To users behind a validating resolver, a zone whose signatures fail to validate is indistinguishable from one that is down. The outage fell on the day part of the Web went dark in protest of controversial anti-piracy legislation, leading some users and pundits to speculate, inaccurately, that this was Comcast's way of protesting the bills.
</p><p><strong>Read full story:</strong> <a href="http://www.darkreading.com/authentication/167901072/security/application-security/232500483/dnssec-error-caused-nasa-website-to-be-blocked.html">Dark Reading</a></p>]]></description>
			<dc:date>2012-01-25T14:30:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>security</category>
		</item>
		
		<item>
			<title>Being a .PRO When Choosing a Registry Services Partner</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/being_a_pro_when_choosing_a_registry_services_partner/</guid>
			<link>http://www.circleid.com/posts/being_a_pro_when_choosing_a_registry_services_partner/</link>
			<description><![CDATA[<p>Have you seen the <a href="http://www.circleid.com/posts/20120117_afilias_acquires_registry_services_corporation_dot_pro/">press release</a> announcing that Afilias has acquired the .PRO registry from Hostway Corporation? We're excited to bring a new top-level domain into the Afilias family and help grow the use of it. I also think it shows that the top-level domain business is a unique one &#8212; and it's not one to be entered into lightly.
</p>
<p>
With the <a href="http://www.afilias.info/dotbrand">application window now open</a> for a round of new TLDs, a lot of companies will be stepping up to run a TLD for the first time. No one is saying it's impossible to do that on your own. But, as many erstwhile registry operators find, running a domain can easily distract from core business, even a business that is seemingly aligned like Web hosting or domain retailing. Imagine what a distraction that would be for a major corporation or for a geographic region that might have excellent technology staff but not a core infrastructure designed to support a TLD.
</p>
<p>
It's for reasons like those that you should work with a registry services provider if you are pursuing a new TLD. While I'm proud to say that I believe Afilias is the best one out there, I can also say that we're not the only one. If you're an applicant (or considering applying) for a new TLD, you should keep in mind the level of experience your registry services partner has &#8212; both in length of time servicing domains and the number and kinds of domains serviced.
</p>
<p>
For example, the needs of a country-code TLD are different from those of a gTLD. Afilias supports both types, so we understand the difference. Has your partner had experience with gTLDs or only with ccTLDs? ICANN-contracted gTLDs operate under more stringent requirements than other TLDs, and they must provide monthly reports to ICANN on performance. ccTLDs operate independently from ICANN and do not have the same requirements as gTLDs.
</p>
<p>
Has your partner supported any new TLD launches? New TLD launches are much more challenging than day-to-day operations. Examine their experience with new TLDs before making your selection.
</p>
<p>
Or does your partner have experience with DNSSEC? All gTLD domains that are delegated in this round must be DNSSEC signed. A partner with proven DNSSEC experience will make it much easier for you to bring your domain to market.
</p>
<p>
Remember that the window to apply for a new TLD is limited, and closes on April 12, 2012. If you're seriously in the market for your new TLD, you will need to act now. But don't forget to find the right registry services partner; that will be a major key to your success.
</p>
<p>
<strong>Written by <a href="http://www.circleid.com/members/5004">Roland LaPlante</a>, Senior Vice President and CMO at Afilias</strong>
</p>]]></description>
			<dc:date>2012-01-17T12:20:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>registry_services</category><category>icann</category><category>top_level_domains</category>
		</item>
		
		<item>
			<title>UK Cabinet Office Looks to BlueCat Networks&apos; Expertise and Best Practices for Securing PSN</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120117_uk_cabinet_office_looks_to_bluecat_networks_for_psn/</guid>
			<link>http://www.circleid.com/posts/20120117_uk_cabinet_office_looks_to_bluecat_networks_for_psn/</link>
			<description><![CDATA[<p><strong>BlueCat Networks provides advice to the UK Government on IP Address Management (IPAM) and IPv6-Ready DNSSEC</strong>
</p>
<p>
BlueCat Networks, the IPAM Intelligence&trade; company, today announced that it has collaborated with the UK Cabinet Office on a best practice approach for deploying a resilient, IPv6-ready DNS service for the Public Sector Network (PSN). The PSN is a CIO Council initiative designed to create the effect of a single network across government.
</p>
<p>
"The security of business and network services accessible to users over the PSN is of paramount importance," said John Stubley, Public Sector Network &#8212; Program Director. "Over the past year, we have worked productively with BlueCat Networks to identify the technical issues to ensure our DNS core services are authoritative, resilient, scalable and easy to manage. BlueCat Networks has been extremely responsive in answering our requests and has provided expertise to the PSN Programme for this area of work."
</p>
<p>
"The PSN is a key component of the UK's ICT strategy, and will allow public sector users in the UK to more easily share information and access open standard-based services," said Matthew Pearson, UK and Ireland Sales Director, BlueCat Networks. "We are pleased to have the opportunity to work with the Cabinet Office and the PSN in a technical advisory role. BlueCat Networks contributed to the architecture and configuration for a centralised, authoritative DNSSEC and IP Address Management (IPAM) solution for .gov.uk domains. The approach had to be easy to manage, resilient, geographically-dispersed and scalable to support the network backbone for the whole of the United Kingdom. It also had to be future-ready with support for IPv6. Our recommendations were based on our experience in helping US government agencies successfully deploy DNSSEC and IPAM across their large, distributed networks."
</p>
<p>
BlueCat Networks' appliance-based software solutions provide a purpose-built platform for IP Address Management (IPAM) and DNS/DHCP core network services. Deployed at some of the most demanding and secure organizations in the world, BlueCat Networks' physical and virtual appliances help public and private sector organizations improve security, lower costs and increase IT efficiency. BlueCat Networks' solutions also allow organizations to securely manage change and growth with unsurpassed scalability and future-ready support for IPv6 and DNSSEC.
</p>
<p>
For a free trial of BlueCat Networks' DNS, DHCP and IPAM solutions, visit <a href="http://pages.bluecatnetworks.com/FreeTrial">http://pages.bluecatnetworks.com/FreeTrial</a>.
</p>]]></description>
			<dc:date>2012-01-17T08:27:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>ip_addressing</category><category>ipv6</category>
		</item>
		
		<item>
			<title>BlueCat Networks Helps Organizations Transition to IPv6 with HP</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120112_bluecat_networks_helps_organizations_transition_to_ipv6_with_hp/</guid>
			<link>http://www.circleid.com/posts/20120112_bluecat_networks_helps_organizations_transition_to_ipv6_with_hp/</link>
			<description><![CDATA[<p><a href="http://www.bluecatnetworks.com/">BlueCat Networks</a>, the <a href="http://www.bluecatnetworks.com/solutions/ipam">IPAM Intelligence</a>&trade; company, today announced that its IP Address Management (IPAM) technology will be used as a component of HP Network Consulting for IPv6 services to help enterprises and governments worldwide simplify the transition to IPv6.
</p>
<p>
"The connected world is also an IP-dependent world," said Michael Hyatt, co-founder and CEO of BlueCat Networks. "By working with HP, we are helping commercial and government organizations successfully make the transition to IPv6, which is a key technology for enabling successful IT initiatives including virtualization and the cloud today and in the future."
</p>
<p>
By combining IPAM with HP Network Consulting for IPv6 services, enterprises and governments will be able to enhance network flexibility and scalability to support critical IT initiatives, such as virtualization and cloud computing. These services enable a seamless transition to an IPv6 connected world by assessing IPv6 readiness, as well as architecture and design, integration and deployment.
</p>
<p>
"Organizations need to look ahead to the IPv6 transition to maintain the connectivity needed for real-time responses to business needs," said Imran Khan, vice president, Networking Consulting, Technology Services, HP. "The combination of offerings from HP and BlueCat Networks will help organizations ensure seamless connectivity and business continuity during the IPv6 shift."
</p>
<p>
Deployed at some of the most demanding and secure organizations in the world, BlueCat Networks' IP Address Management solutions provide an essential technology for helping organizations transition to IPv6, launch new IP-dependent services including virtualization and clouds, and manage network growth and change.
</p>
<p>
For more on this announcement please visit <a href="http://www.bluecatnetworks.com/hp">www.bluecatnetworks.com/hp</a>.
</p>
<p>
For free trial software, please visit <a href="http://pages.bluecatnetworks.com/FreeTrial">http://pages.bluecatnetworks.com/FreeTrial</a>.
</p>]]></description>
			<dc:date>2012-01-12T05:45:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>ip_addressing</category><category>ipv6</category>
		</item>
		
		<item>
			<title>Refusing REFUSED</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120111_refusing_refused_for_sopa_pipa/</guid>
			<link>http://www.circleid.com/posts/20120111_refusing_refused_for_sopa_pipa/</link>
			<description><![CDATA[<p>The U.S. Congress' road to Stopping Online Piracy (SOPA) and PROTECT IP (PIPA) has had some twists and turns due to technical constraints imposed by the basic design of the Internet's Domain Name System (DNS). PIPA's (and SOPA's) provisions regarding advertising and payment networks appear to be well grounded in the law enforcement tradition called <em>following the money</em>, but other provisions having to do with regulating American Internet Service Providers (ISPs) so as to block DNS resolution for pirate or infringing web sites have been shown to be ineffectual, impractical, and sometimes unintelligible.
</p>
<p>
For example, an early draft of this legislative package called for DNS redirection of malicious domain names, in conflict with the end-to-end DNS Security Extensions (DNSSEC). Any such redirection would be trivially detected as a man-in-the-middle attack by secure clients and would thus be indistinguishable from the kind of malevolent attacks that DNSSEC is designed to prevent. After <a href="http://www.circleid.com/posts/20110525_experts_urge_congress_to_reject_proposed_dns_filtering_protect_ip/">the impossibility of redirection was shown</a>, supporters of PIPA and SOPA admitted that redirection (for example, showing an "FBI Warning" page when an American consumer tried to access a web site dedicated to piracy or infringement) was not actually necessary. Their next idea was no better: to return a false No Such Domain (NXDOMAIN) signal. When the DNS technical community pointed out that NXDOMAIN had the same end-to-end security as a normal DNS answer (a signed zone proves that a name does not exist with signed NSEC or NSEC3 records) and that a false NXDOMAIN would be detected and rejected by secure clients, the supporters of SOPA and PIPA changed their proposal once again.
</p>
<p>
The second-to-latest idea for some technologically noninvasive way to respond to a DNS lookup request for a pirate or infringing domain name was "just don't answer". That is, simulate network loss and let the question "time out". When the DNS technical community explained that this would lead to long and mysterious delays in web browser behavior as well as an increased traffic load on ISP name servers due to the built-in "retry logic" of all DNS clients in all consumer-facing devices, we were ignored. However, when we also observed that a DNSSEC client would treat this kind of "time out" as evidence of damage by the local hotel or coffee shop wireless gateway and could reasonably respond by trying alternative servers or proxies or even VPN paths in order to get a secure answer, the supporters of SOPA and PIPA agreed with this and moved right along.
</p>
<p>
The latest idea is to use the Administrative Denial (REFUSED) response code, which as originally defined seemed perfect for this situation. To me this latest proposal as well as the road we've travelled getting to this point seems like an excellent example of why network protocols should be designed by engineers rather than by bloggers. REFUSED will not work for PIPA and SOPA's purposes, for two important reasons.
</p>
<p>
First, as I explained in <a href="http://www.circleid.com/posts/20121012_dns_policy_is_hop_by_hop_dns_security_is_end_to_end/">DNS Policy is Hop by Hop; DNS Security is End to End</a>, there is no security for the REFUSED signal. Since IP source addresses are <a href="http://www.icann.org/en/committees/security/sac004.txt">easily forged</a> no secure application can ever take an unsecure signal seriously. In DNSSEC, even failures must be secure or else any attacker can control the decisions made by an app. Since one such possible decision might be to retry an operation using a less secure method, we would call this a "downgrade attack". DNSSEC secures the data from end to end &#8212; meaning from the DNS content server to the secure client &#8212; but does not secure any of the messages that flow hop by hop through the DNS system &#8212; including REFUSED. In fact, the intermediate servers (including the ISP name servers to be regulated by SOPA and PIPA) don't have any kind of trust relationship with each other and can neither generate nor verify any secure messages. This may seem like an oversight but I was there and I remember this as a conscious and deliberate decision based on the cost-to-benefit ratio of adding hop by hop security to DNS. High cost, low benefit: no sale.
</p>
<p>
Second, and more importantly, REFUSED is the wrong signal. The preeminent DNS software on the Internet is BIND, whose market share has declined from 99% to 85% in the last 25 years. I maintained and rewrote BIND from 1989 or so until 1999 or so and I am also the author or co-author of a half dozen or so Internet RFC documents on the subject of DNS. So I know that we send REFUSED in response to a query when we don't like the client's IP address &#8212; DNS servers do not even look at the question before deciding whether to send REFUSED. On the client side, if we hear a REFUSED we give up on that server and move on to the next server &#8212; which means we assume that it was the client's IP address that the server is refusing, not the question we happened to be asking at that moment. Microsoft Windows will actually "de-preference" a name server if it hears too many REFUSED messages from it &#8212; so BIND is not the only DNS software that interprets REFUSED in this way. What this boils down to is that REFUSED is all about the relationship between the client and the server, and has nothing to do with the particular question being asked. If SOPA or PIPA becomes law with a requirement to signal REFUSED when someone looks up an infringing or pirate domain name, then in the language of DNS we will be saying "please stop asking this server any questions at all." There is no signal in DNS that means "that's a bad question but please feel free to ask other questions."
</p>
<p>
This means a classic non-secured DNS client will react to a REFUSED signal by treating the server as broken and just asking the next available server &#8212; hoping to find a server that is not broken. Whereas a newer DNSSEC client will react to REFUSED by ignoring it and continuing to wait &#8212; hoping for a real answer that might follow close on the heels of the potential forgery. In the unsecure case, the client will often do what the proponents of SOPA and PIPA would seem to want &#8212; display an error message in the web browser &#8212; but will occasionally just repeat the whole transaction a fraction of a second later, increasing the load on the ISP's name servers. In the DNSSEC case, the client will not do what PIPA or SOPA are asking; there will just be delay followed by trying some other server, or retrying through a proxy, or otherwise circumventing what will look to DNSSEC like just another broken hotel or coffee shop wireless network.
</p>
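<p>
The decision logic described in the preceding paragraphs, as an added example that is not part of the original post and not ISC or BIND code. It parses DNS wire-format responses and reports what a DNSSEC-validating stub would conclude for each of the proposals discussed above: a redirect (an unsigned answer), a forged NXDOMAIN (no signed NSEC/NSEC3 proof), REFUSED, a timeout, and a response with the wrong transaction ID. Assumptions: the queried name <code>example.com.</code> is treated as living in a signed zone; the sample responses are constructed in the script itself; and only the shape of each response is examined (whether RRSIG and NSEC/NSEC3 records are present), with no signature verification against a chain of trust.
</p>
```python
import struct

# RCODEs from RFC 1035 section 4.1.1; RR TYPE codes from RFC 1035, RFC 4034 and RFC 5155.
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5
TYPE_A, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 46, 47, 50

def encode_name(name):
    """Dotted name -> uncompressed DNS wire format (length-prefixed labels, zero terminator)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Read a name at msg[off], following RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer; the name ends after the first pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_message(msg):
    """Parse header, question and the three RR sections into a dict; RRs are (name, type, rdata)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, sections = 12, [], {}
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((name, qtype))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections[section] = rrs
    # Low four bits of the flags word; EDNS extended RCODEs are not handled here.
    return {"id": ident, "rcode": flags & 0x000F, "question": questions, **sections}

def build_response(ident, rcode, question, answer=(), authority=()):
    """Serialise a minimal response (QR, RD, RA set) to one question; used to construct samples."""
    msg = struct.pack("!HHHHHH", ident, 0x8180 | rcode, 1, len(answer), len(authority), 0)
    msg += encode_name(question[0]) + struct.pack("!HH", question[1], 1)
    for name, rtype, rdata in list(answer) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def validating_stub_verdict(response, expected_id):
    """Verdict of a DNSSEC-validating stub for a name it knows lives in a signed zone.
    Shape only: presence of RRSIG and NSEC/NSEC3 records; signature checking is omitted."""
    if response is None:
        return "timeout: path looks broken, try another server"
    if response["id"] != expected_id:
        return "id mismatch: drop as a forgery, keep waiting for the real answer"
    if response["rcode"] == RCODE_REFUSED:
        return "REFUSED: unsigned hop-by-hop signal, ignore it and try another server"
    if response["rcode"] == RCODE_NXDOMAIN:
        types = {rtype for _, rtype, _ in response["authority"]}
        if TYPE_RRSIG in types and types & {TYPE_NSEC, TYPE_NSEC3}:
            return "authenticated denial of existence: accept NXDOMAIN"
        return "NXDOMAIN without a signed NSEC/NSEC3 proof: bogus, try another server"
    if response["rcode"] == RCODE_NOERROR:
        types = {rtype for _, rtype, _ in response["answer"]}
        if TYPE_RRSIG in types:
            return "signed answer: verify the RRSIG chain before using it"
        return "unsigned answer from a signed zone: bogus, try another server"
    return "rcode %d: unexpected, try another server" % response["rcode"]

def demo():
    """Run the verdict logic over constructed responses to one constructed query (id 0x1234)."""
    qid, q = 0x1234, ("example.com.", TYPE_A)  # assumption: example.com. is a signed zone
    a_rr = ("example.com.", TYPE_A, bytes([192, 0, 2, 1]))
    sig = ("example.com.", TYPE_RRSIG, b"\x00" * 20)  # placeholder RRSIG rdata, never verified
    nsec = ("example.com.", TYPE_NSEC, b"\x00")  # placeholder NSEC rdata
    samples = {
        "redirect": build_response(qid, RCODE_NOERROR, q, answer=[a_rr]),
        "forged_nxdomain": build_response(qid, RCODE_NXDOMAIN, q),
        "proven_nxdomain": build_response(qid, RCODE_NXDOMAIN, q, authority=[nsec, sig]),
        "refused": build_response(qid, RCODE_REFUSED, q),
        "signed": build_response(qid, RCODE_NOERROR, q, answer=[a_rr, sig]),
        "spoofed_id": build_response(0x4321, RCODE_NOERROR, q, answer=[a_rr]),
        "timeout": None,
    }
    return {k: validating_stub_verdict(parse_message(m) if m else None, qid) for k, m in samples.items()}

if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-16s %s" % (case, verdict))
```
<p>
Every case except the properly signed answer and the signed denial ends in "try another server", which is the point of the article: from where a validator stands, a redirect, a forged NXDOMAIN, a deliberate timeout and a REFUSED are all the same class of event, a failure or attack on the path, and none of them carries a signal the client can trust.
</p>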
<p>
In summary, REFUSED doesn't mean what supporters of SOPA and PIPA want it to mean and no amount of new law can change that. There is in fact no signal in DNS that conveys the meaning of SOPA and PIPA, and every protocol perturbation thus far suggested by the supporters of SOPA and PIPA will look to DNSSEC like an attack or failure requiring circumvention. I urge anyone interested in adding new signals to DNS to please participate in the Internet Engineering Task Force (IETF) to work on a new Internet RFC document on this topic. As an open and transparent peer driven engineering forum, the IETF is ideally placed to study this problem, determine whether a solution is possible, and standardize such a solution for use on the global Internet.
</p><p><em>Written by <a href="http://www.circleid.com/members/620/">Paul Vixie</a>, Chairman and Chief Scientist, Internet Systems Consortium</em></p>]]></description>
			<dc:date>2012-01-11T17:41:00-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>dns</category><category>dnssec</category><category>policy_regulation</category>
		</item>
		
		<item>
			<title>BlueCat Networks to Host Webinar on DNS, DHCP and IPAM Featuring Independent Research Firm</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120111_bluecat_networks_webinar_on_dns_dhcp_and_ip_address_management/</guid>
			<link>http://www.circleid.com/posts/20120111_bluecat_networks_webinar_on_dns_dhcp_and_ip_address_management/</link>
			<description><![CDATA[<p><a href="http://pages.bluecatnetworks.com/ForresterWebinar-Jan182012_ForresterWebinar-Jan19.html"><img src="http://www.circleid.com/images/uploads/6294.gif" border="0" width="250" height="507" style="float:right;padding:0 0 10px 15px;" /></a><strong>New Report Highlights the Role of DDI in Driving Efficiencies and Cost Savings; Positions BlueCat Networks as a Top Choice for DDI</strong>
</p>
<p>
BlueCat Networks, the IPAM Intelligence&trade; company, will host a live webinar on January 19 featuring Forrester Research, Inc. to discuss the "<a href="http://www.bluecatnetworks.com/forrester">Five Reasons DDI is Critical to the Network</a>."
</p>
<p>
"Much of IP, Dynamic Host Communication Protocol (DHCP), Domain Name Services (DNS) management requires too much hand holding; administrators spend time allocating addresses, capturing unused ones, uploading new records, or checking for errors," wrote Andre Kindness, Senior Analyst, Forrester Research, Inc. in a December 7, 2011 <a href="http://blogs.forrester.com/andre_kindness/11-12-07-i_know_it_works_but_its_time_to_move_off_your_old_rotary_phone_that_is_homegrown_ddi_solution">blog post</a>. "On average, it takes two days to allocate a set of addresses for the deployment of new servers when it's 5 minutes of work."
</p>
<p>
A <a href="http://pages.bluecatnetworks.com/ForresterResearchReport2011.html">December 2011 report from Forrester</a> provides guidance on why organizations should move off spreadsheets or a homegrown DDI solution and surveys the top commercial DDI solution vendors. A complimentary copy of the Forrester Research report is available at: www.bluecatnetworks.com/forrester.
</p>
<p>
In the BlueCat Networks webinar, guest speaker Andre Kindness will share key findings from the Forrester Research report "An Infrastructure Can Only Be As Efficient As DNS, DHCP, and IP Address Management" (December 2, 2011) including what to look for in a DDI solution and the capabilities that make BlueCat Networks a top choice for DDI.
</p>
<p>
"We are pleased that BlueCat Networks is positioned as a top DDI solution in the recent Forrester Research report," said Michael Hyatt, CEO and Co-Founder of BlueCat Networks. "Our IP Address Management solutions not only deliver the automation and intelligence needed to build a more flexible and efficient network, they also provide a critical foundation for helping organizations keep pace with emerging business and IT priorities such as the cloud, virtualization, IPv6 and DNSSEC."
</p>
<p>
<strong>To register for the solution webinar "Five Reasons DDI is Critical to the Network," please visit:</strong> <a href="http://www.bluecatnetworks.com/forrester">www.bluecatnetworks.com/forrester</a>.
</p>]]></description>
			<dc:date>2012-01-11T13:55:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>ip_addressing</category><category>ipv6</category>
		</item>
		
		<item>
			<title>Comcast Announces Completion of DNSSEC Deployment</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/comcast_announces_completion_of_dnssec_deployment/</guid>
			<link>http://www.circleid.com/posts/comcast_announces_completion_of_dnssec_deployment/</link>
			<description><![CDATA[<p>Comcast, a leading ISP in the U.S., has fully deployed Domain Name System Security Extensions (DNSSEC) according to a company announcement today. Jason Livingood, Comcast's Vice President of Internet Systems <a href="http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html">writes</a>: "As of today, over 17.8M residential customers of our Xfinity Internet service are using DNSSEC-validating DNS servers. In addition, all of the domain names owned by Comcast, numbering over 5,000, have been cryptographically signed. All of our servers, both the ones that customers use and the ones authoritative for our domain names, also fully support IPv6."
</p>]]></description>
			<dc:date>2012-01-10T11:55:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>dns</category><category>dnssec</category><category>security</category>
		</item>
		
		<item>
			<title>Afilias Says &quot;No&quot; to SOPA</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120107_afilias_says_no_to_sopa/</guid>
			<link>http://www.circleid.com/posts/20120107_afilias_says_no_to_sopa/</link>
			<description><![CDATA[<p>The <a href="http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act">Stop Online Piracy Act</a> (SOPA) is the subject of substantial controversy in the United States, and the domain name industry is squarely in the middle of the debate. Many DNS service providers and technology developers in the industry oppose SOPA, Afilias among them. Here's why.
</p>
<p>
First, let us say that Afilias supports SOPA's ultimate outcome, which is intellectual property protection. The protection of intellectual property is as important to technology companies as it is to musicians and movie producers. However, if the US is to attempt to tackle the problem with legislation, it should do so in a way that does not increase risk to its citizens and reduce confidence in the Internet.
</p>
<p>
One significant problem with SOPA is technological. Afilias is a strong supporter of <a href="http://www.afilias.info/dnssec">DNSSEC</a>, the next-generation security standard for trustworthy DNS, but some of the provisions of SOPA threaten to undermine the security leaps that the technology is ready to create. DNSSEC promises to make the DNS more reliable, mitigating the risk of <a href="http://en.wikipedia.org/wiki/Phishing">phishing</a> and <a href="http://en.wikipedia.org/wiki/Pharming">pharming</a>. Chains of trust, connecting through a distributed network of cryptographic signatures, will enable applications to ensure that criminals do not tamper with domain name queries.
</p>
<p>
For DNSSEC to reach its full potential, though, the chains of trust must be end-to-end; the standard was developed to prevent DNS-based <a href="http://resources.infosecinstitute.com/man-in-the-middle-demystified/">man-in-the-middle attacks</a>. SOPA, however, would require ISPs to execute what DNSSEC would interpret as a man-in-the-middle attack every time they are forced to block an allegedly abusive domain name. If applications are unable to tell the difference between a criminal attack and a legal, court-mandated interception, DNSSEC could become virtually useless.
</p>
<p>
The legislation would also make it easier for criminals to engage in many types of online fraud, including identity theft. This unintended consequence would come about largely as a result of user behavior.
</p>
<p>
SOPA would require American ISPs to redirect or ignore DNS queries destined for allegedly infringing websites; however, their customers are under no obligation to use their ISP for DNS service and these blocks will be trivial to circumvent. Even today, millions of Internet users choose to take their DNS from third-party services such as OpenDNS and Google since switching providers takes just a few minutes and requires virtually no technical knowledge. Now, even before SOPA passes, we're already seeing the emergence of rogue overseas DNS providers &#8212; some of them operating via easy-to-install browser plug-ins &#8212; that promise to resolve piracy domain names even if they are subject to a SOPA interception order.
</p>
<p>
Third-party DNS providers offer a valuable service to Internet users, but DNS services that are created purely to enable access to pirated material risk the security of their users. Criminals will be able to transparently capture all DNS traffic, including traffic destined for banks and other financial institutions. They will be able to send unwitting victims to phishing servers they control. Imagine losing your banking security credentials to an attacker because your teenager reconfigured the DNS settings on your shared home computer. That's a probable risk when DNS filtering becomes the legal norm.
</p>
<p>
Fortunately, SOPA is not inevitable. While it has the support of some lawmakers, others are starting to pay serious attention to the concerns of the Internet's technical experts, as well as the people who elected them.
</p>
<p>
When Congress returns in early 2012 to consider SOPA and other anti-piracy legislation, Afilias hopes the volume of dissent will have been turned up sufficiently that lawmakers will not be able to ignore the very real problems the legislation could create.
</p>]]></description>
			<dc:date>2012-01-07T17:24:00-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>dns</category><category>dnssec</category><category>internet_governance</category><category>law</category><category>policy_regulation</category>
		</item>
		
		<item>
			<title>CircleID&apos;s Top Ten Posts of 2011</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120103_circleid_top_ten_posts_of_2011/</guid>
			<link>http://www.circleid.com/posts/20120103_circleid_top_ten_posts_of_2011/</link>
			<description><![CDATA[<p>Listed below are the top ten most popular news, blogs, and industry updates featured on CircleID in 2011 based on the overall readership of the posts for the year. Congratulations to all the participants whose posts reached top readership and best wishes to the entire community for 2012. Happy New Year!
</p>
<p>
<strong>Top 10 <a href="http://www.circleid.com/blogs/">Featured Blogs</a> in 2011:</strong>
</p>
<ol><li><a href="http://www.circleid.com/posts/a_fairness_scorecard_for_trademark_protection_under_the_new_gtlds/">A Fairness 'Scorecard' for Trademark Protection Under the New gTLDs</a>
<br />
<em>By <a href="http://www.circleid.com/members/949/">Konstantinos Komaitis</a>, Feb 23, 2011 (33,350 views)</em></li>
<li><a href="http://www.circleid.com/posts/ip_addressing_in_the_new_age_of_scarcity/">IP Addressing in the New Age of Scarcity</a>
<br />
<em>By <a href="http://www.circleid.com/members/5090/">Peter Thimmesch</a>, May 27, 2011 (21,563 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110803_smartphones_too_smart_for_mobile_operators/">Smartphones: Too Smart for Mobile Operators?</a>
<br />
<em>By <a href="http://www.circleid.com/members/3994/">Henry Lancaster</a>, Aug 03, 2011 (21,144 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110318_on_mandated_content_blocking_in_the_domain_name_system/">On Mandated Content Blocking in the Domain Name System</a>
<br />
<em>By <a href="http://www.circleid.com/members/620/">Paul Vixie</a>, Mar 18, 2011 (16,315 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110427_court_approves_nortels_sale_of_ipv4_addresses_to_microsoft/">Court Approves Nortel's Sale of IPv4 Addresses to Microsoft</a>
<br />
<em>By <a href="http://www.circleid.com/members/5141/">Benson Schliesser</a>, Apr 27, 2011 (13,173 views)</em></li>
<li><a href="http://www.circleid.com/posts/the_design_of_the_domain_name_system_part_viii_names_outside_the_dns/">The Design of the Domain Name System, Part VIII - Names Outside the DNS</a>
<br />
<em>By <a href="http://www.circleid.com/members/1015/">John Levine</a>, Sep 17, 2011 (12,399 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110407_top_public_dns_resolvers_compared/">Top Public DNS Resolvers Compared</a>
<br />
<em>By <a href="http://www.circleid.com/members/5531/">Michael Meisel</a>, Apr 07, 2011 (12,217 views)</em></li>
<li><a href="http://www.circleid.com/posts/why_lawsuit_against_xxx_maybe_the_best_sales_tool_for_new_gtld_applicants/">Why the Lawsuit Against .XXX Maybe the Best Sales Tool Ever For New gTLD Applicants</a>
<br />
<em>By <a href="http://www.circleid.com/members/5282/">Michael Berkens</a>, Nov 17, 2011 (9,466 views)</em></li>
<li><a href="http://www.circleid.com/posts/independence_and_security_online_have_not_yet_been_won/">Independence and Security Online Have Not Yet Been Won</a>
<br />
<em>By <a href="http://www.circleid.com/members/3725/">Mike Dailey</a>, Jul 03, 2011 (9,373 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110301_comcasts_impressive_system_for_notifying_infected_users/">Comcast’s Impressive System for Notifying Infected Users</a>
<br />
<em>By <a href="http://www.circleid.com/members/3217/">J.D. Falk</a>, Mar 01, 2011 (9,216 views)</em></li></ol>
<p>
<strong>Top 10 <a href="http://www.circleid.com/news/">News</a> in 2011:</strong>
</p>
<ol><li><a href="http://www.circleid.com/posts/20110619_new_top_level_domains_are_approved_by_icann/">New Top-Level Domains Approved by ICANN</a>
<br />
<em>Jun 19, 2011 (44,312 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110318_icann_approves_xxx/">ICANN Approves .XXX</a>
<br />
<em>Mar 18, 2011 (20,936 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110525_experts_urge_congress_to_reject_proposed_dns_filtering_protect_ip/">Experts Urge Congress to Reject DNS Filtering from PROTECT IP Act, Serious Technical Concerns Raised</a>
<br />
<em>May 26, 2011 (12,284 views)</em></li>
<li><a href="http://www.circleid.com/posts/microsoft_offers_75_million_to_buy_666624_ipv4_addresses/">Microsoft Offers $7.5 Million to Buy 666,624 IPv4 Addresses</a>
<br />
<em>Mar 25, 2011 (9,600 views)</em></li>
<li><a href="http://www.circleid.com/posts/egyptian_government_shuts_down_most_internet_and_cell_services/">Egyptian Government Shuts Down Most Internet and Cell Services</a>
<br />
<em>Jan 28, 2011 (3,988 views)</em></li>
<li><a href="http://www.circleid.com/posts/us_government_domain_seizure_results_in_unintended_shutdown/">US Government Domain Seizure Results in Unintended Shutdown of Thousands of Websites</a>
<br />
<em>Feb 16, 2011 (3,962 views)</em></li>
<li><a href="http://www.circleid.com/posts/jd_falk_1974_2011/">J.D. Falk: 1974 - 2011</a>
<br />
<em>Nov 17, 2011 (3,918 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110120_cybercriminals_shifting_focus_from_windows_pc_to_others_mobile/">Cybercriminals Shifting Focus From Windows PCs to Other Systems and Mobile</a>
<br />
<em>Jan 20, 2011 (3,823 views)</em></li>
<li><a href="http://www.circleid.com/posts/researchers_report_new_of_detecting_domain_fluxing/">Researchers Report New Method for Detecting Domain-Fluxing</a>
<br />
<em>Mar 28, 2011 (3,633 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110318_microsoft_federal_agencies_take_down_rustock_botnet/">Microsoft, Federal Agencies Take Down Rustock Botnet</a>
<br />
<em>Mar 18, 2011 (3,607 views)</em></li></ol>
<p>
<strong>Top 10 <a href="http://www.circleid.com/industry/">Industry News</a> in 2011 (sponsored posts):</strong>
</p>
<ol><li><a href="http://www.circleid.com/posts/20110215_google_says_think_mobile_and_then_gomobi/">Google Says "Think Mobile" ...and then goMobi</a>
<br />
<em>By <a href="http://www.circleid.com/members/1975/">dotMobi</a>, Feb 15, 2011 (6,120 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110401_the_botnet_counterfeit_drugs_connection/">The Botnet-Counterfeit Drugs Connection</a>
<br />
<em>By <a href="http://www.circleid.com/members/3844/">MarkMonitor</a>, Apr 01, 2011 (4,928 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110319_new_gtld_timeline_announced_and_xxx_approved/">New gTLD Timeline Announced and .XXX Approved</a>
<br />
<em>By <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> (4,253 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110214_second_half_2010_dashboard_domain_name_report_released/">Second Half 2010 "Dashboard" Domain Name Report - Released</a>
<br />
<em>By <a href="http://www.circleid.com/members/1858/">PIR</a>, Feb 14, 2011 (3,666 views)</em></li>
<li><a href="http://www.circleid.com/posts/markmonitor_report_how_scammers_generate_traffic_counterfeit_goods_online/">MarkMonitor Report: How Scammers Generate Significant Traffic Promoting Suspected Counterfeit Goods</a>
<br />
<em>By MarkMonitor, Feb 01, 2011 (3,536 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110314_ausregistry_int_crowell_moring_join_forces_new_top_level_domains/">AusRegistry Int. and Crowell &amp; Moring Join Forces to Support New Top-Level Domain Applicants</a>
<br />
<em>By <a href="http://www.circleid.com/members/4770/">ARI Registry Services</a>, Mar 14, 2011 (3,507 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110617_celebrity_marketing_guru_jeffrey_hayzlett_to_promote_new_tlds/">Celebrity Marketing Guru Jeffrey Hayzlett to Promote New TLDs for AusRegistry International</a>
<br />
<em>By <a href="http://www.circleid.com/members/4770/">ARI Registry Services</a>, Jun 17, 2011 (3,472 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110717_minds_machines_parent_company_tldh_appoints_peter_dengate_thrush/">Minds + Machines’ Parent Company, TLDH, Appoints Peter Dengate Thrush as Executive Chairman</a>
<br />
<em>By <a href="http://www.circleid.com/members/5703/">Minds + Machines</a>, Jul 17, 2011 (3,457 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110302_dnssec_is_just_the_beginning/">DNSSEC is Just the Beginning</a>
<br />
<em>By <a href="http://www.circleid.com/members/4684/">.CO Internet</a>, Mar 02, 2011 (3,421 views)</em></li>
<li><a href="http://www.circleid.com/posts/20110111_landrush_for_new_domain_extension_grcom/">Landrush for New Domain Extension - .GR.COM</a>
<br />
<em>By <a href="http://www.circleid.com/members/5387/">CentralNic</a>, Jan 11, 2011 (3,421 views)</em></li></ol><p><em>Written by <a href="http://www.circleid.com/members/501/">CircleID Reporter</a></em></p>]]></description>
			<dc:date>2012-01-03T07:53:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>broadband</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>icann</category><category>internet_governance</category><category>ip_addressing</category><category>ipv6</category><category>law</category><category>malware</category><category>mobile</category><category>policy_regulation</category><category>top_level_domains</category>
		</item>
		
		<item>
			<title>DNS Policy is Hop by Hop; DNS Security is End to End</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20121012_dns_policy_is_hop_by_hop_dns_security_is_end_to_end/</guid>
			<link>http://www.circleid.com/posts/20121012_dns_policy_is_hop_by_hop_dns_security_is_end_to_end/</link>
			<description><![CDATA[<p>The debate continues as to whether ISPs can effectively filter DNS results in order to protect brand and copyright holders from online infringement. It's noteworthy that there is no argument as to whether these rights holders and their properties deserve protection &#8212; nobody is saying "content wants to be free" and there is general agreement that it is harder to protect rights in the Internet era, where perfect copies can be made and distributed instantaneously. What we're debating now is just whether controlling DNS at the ISP level would work at all and whether the attempt to insert such controls would damage Secure DNS (sometimes called DNSSEC).
</p>
<p>
After I finished reading <a href="http://thehill.com/blogs/congress-blog/technology/201755-refusing-to-answer-to-policy-reasons">this op-ed</a>, I began to see that there is not a clear understanding among DNS laymen as to the difference between "end to end" and "hop by hop" signaling systems. I hope to illuminate this difference and its relevance to the policy debate about DNS controls as contemplated by the <a href="http://thehill.com/blogs/congress-blog/technology/199435-mandates-cant-alter-facts">Stop Online Piracy Act (SOPA)</a>. I will use the story of DNSSEC's treatment of NXDOMAIN as an illustrative example. My goal is to move the underlying debate forward to a new stage where the questions being debated are respectful of both the laws of physics and the rules of the DNSSEC protocol.
</p>
<p>
DNSSEC is an "end to end" system, where digital signatures are applied to DNS data by the originator of that data &#8212; who is the owner of the DNS name. So, only the United States Government (USG) can authoritatively state that the Internet address of INTERWEB.NIC.MIL is 207.132.116.20, because only USG and its contractors possess the private signing key that is known to be used for NIC.MIL. If any ISP who carries this DNS information decides to modify it in any way, then the digital signature will be wrong. Any DNSSEC-capable name server or web browser would discard the modified DNS information because its digital signature would not match the signing key for NIC.MIL. Similarly, any DNS answer that arrives without any digital signature at all would also be discarded, since the receiving DNS server or web browser would know that NIC.MIL is signed and so would have to assume that any unsigned response is a "man in the middle" attack of the kind <a href="http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky?currentPage=all">popularized by Dan Kaminsky in 2008</a>.
</p>
<p>
DNS has several possible <a href="http://www.iana.org/assignments/dns-parameters">response codes</a>, of which two (0 for "success" and 3 for "name error") are end to end, meaning that they are assertions which can only be made by the owner of a name. To secure the DNS it was necessary to add digital signatures for both of these response codes: a positive answer carries a signature over the records returned, and a "name error" carries signed records (NSEC or NSEC3) proving that no such name exists in the zone. Continuing from the above example, only USG and its contractors possess the signing key needed to authoritatively state that FOO.BAR.MIL does not exist. If any ISP between the USG name servers for ".MIL" and the end user's name server or web browser modifies a response to assert that something does not exist when it actually does exist, then this modification will be detectable by the absence of a digital signature, or by the presence of an invalid digital signature. There is just no way for intermediaries to successfully insert lies into the DNS data stream once DNSSEC is in use.
</p>
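<p>As an added illustration (editor's example, not code from the post), here is the check behind a signed "name error". The zone owner publishes and signs NSEC records that say "after this name, the next name in my zone is that one", and a validator accepts an NXDOMAIN for FOO.BAR.MIL only when it comes with a signed NSEC whose span covers that name in DNSSEC canonical order (RFC 4034, section 6.1). The zone bar.mil and its chain below are invented; verification of the RRSIG over the NSEC record and the wildcard and closest-encloser checks of RFC 4035 are assumed to have already been done and are not shown.</p>

```python
"""Does a signed NSEC record prove that a queried name does not exist?

Added example, not part of the original post. The zone and its NSEC chain
below are constructed under the invented name bar.mil; names are ordered in
DNSSEC canonical order (RFC 4034 section 6.1) and the covering test is the
one a validator applies (RFC 4035 section 5.4) before believing an NXDOMAIN.
Signature checking of the NSEC RRset itself is assumed to have succeeded.
"""


def canonical_key(name: str):
    """Sort key for DNSSEC canonical ordering: labels compared from the root
    end downward, case-insensitively, as unsigned octets; a shorter name sorts
    before any name it is a prefix of."""
    name = name.rstrip(".").lower()
    labels = name.encode("ascii").split(b".") if name else []
    return list(reversed(labels))


def canonical_less(a: str, b: str) -> bool:
    return canonical_key(a) < canonical_key(b)


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True when the record 'owner NSEC next_name' covers qname, i.e. qname
    sorts strictly between the two names. The last NSEC of a zone points back
    to the apex, so it covers everything that sorts after its owner."""
    if canonical_key(qname) == canonical_key(owner):
        return False  # qname exists; this NSEC denies types at it, not the name
    if canonical_less(owner, next_name):
        return canonical_less(owner, qname) and canonical_less(qname, next_name)
    return canonical_less(owner, qname) or canonical_less(qname, next_name)  # wrap-around


def prove_nxdomain(chain, qname: str):
    """Return the (owner, next) pair that proves qname is absent, or None.
    A validator that finds no covering NSEC must treat the NXDOMAIN as
    unproven and discard it, exactly as it would discard an unsigned answer."""
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname):
            return owner, next_name
    return None


# Constructed NSEC chain of a hypothetical signed zone bar.mil, in canonical order.
BAR_MIL_CHAIN = [
    ("bar.mil.", "alpha.bar.mil."),
    ("alpha.bar.mil.", "www.bar.mil."),
    ("www.bar.mil.", "zulu.bar.mil."),
    ("zulu.bar.mil.", "bar.mil."),  # last record wraps around to the apex
]

if __name__ == "__main__":
    for q in ("foo.bar.mil.", "zzz.bar.mil.", "www.bar.mil."):
        print(q, "->", prove_nxdomain(BAR_MIL_CHAIN, q))
```

<p>An intermediary that wants to turn an existing name into a "name error" would have to produce an NSEC record spanning that name, and that record would need a signature only the zone's key can make; a stripped or forged denial simply fails this test.</p>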
<p>
The other DNS response codes, such as 1 for "format error", 2 for "server failure", 4 for "not implemented", and 5 for "refused", are "hop by hop" codes. They tell an end user's name server or web browser nothing about the name they are looking up. Rather, these codes are statements about the name server itself. Because digital signing keys are associated with domain names and not with name servers, none of these other response codes is secured by DNSSEC. So, when an end user's name server or web browser receives a DNS message containing one of these response codes, there is a real possibility that the message was generated by an attacker &#8212; a "man in the middle". Secure systems, both DNSSEC itself and any application built on it, must ignore these unsigned responses, or else they would be susceptible to a "downgrade attack". If a banking application is trying to start up in its most secure mode and sees a "NOTIMP" or "REFUSED" response, its reaction will be to try other name servers hoping to find one that is not broken in the same way. Failures and attacks have an identical appearance to a properly secured system.
</p>
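<p>The policy just described, as an added example in Python (editor's code, not Vixie's): a stub parses the 12-byte DNS header of each reply, treats NOERROR and NXDOMAIN as end-to-end assertions that must arrive validated, and treats every other response code as hop-by-hop noise that merits trying the next server. The four replies are constructed headers standing in for four hypothetical resolvers, and the server names are invented.</p>

```python
"""Treat DNS response codes as end-to-end or hop-by-hop, as a validating stub must.

Added example, not from the original post. The replies below are constructed
12-byte DNS headers (RFC 1035 section 4.1.1) standing in for the answers of
four hypothetical resolvers; no network traffic is involved.
"""
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
END_TO_END = {0, 3}            # statements about the *name*; DNSSEC signs these
FLAG_QR, FLAG_AD = 0x8000, 0x0020  # header bits: "this is a response", "authenticated data"


def build_header(txid: int, flags: int, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Pack a DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Unpack the first 12 bytes of a DNS message into the fields we need."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0x000F, "ancount": an}


def classify(rcode: int) -> str:
    """NOERROR and NXDOMAIN are assertions the zone owner signs; every other
    code describes the server that answered, carries no signature, and can
    just as easily have been written by a man in the middle."""
    return "end-to-end" if rcode in END_TO_END else "hop-by-hop"


def resolve_with_fallback(replies, require_ad: bool = True):
    """Walk the replies of several resolvers the way a security-aware stub
    would: a hop-by-hop code means 'try another server'; an end-to-end code
    is accepted only if it arrived validated (AD bit set by a validating
    resolver reached over a trusted channel). Returns (server, rcode name),
    or None when every path looks broken, which is what an attack looks
    like too."""
    for server, msg in replies:
        hdr = parse_header(msg)
        if not hdr["qr"]:
            continue  # not a response at all
        if classify(hdr["rcode"]) == "hop-by-hop":
            continue  # REFUSED/SERVFAIL/NOTIMP/...: says nothing about the name
        if require_ad and not hdr["ad"]:
            continue  # unvalidated NOERROR/NXDOMAIN for a signed name: a downgrade
        return server, RCODE_NAMES.get(hdr["rcode"], str(hdr["rcode"]))
    return None


# Constructed replies to one query for a name in a signed zone (0x8180 = QR|RD|RA).
REPLIES = [
    ("isp-resolver", build_header(0x1234, 0x8180 | 5)),     # REFUSED: a filtering hop
    ("backup-resolver", build_header(0x1234, 0x8180 | 2)),  # SERVFAIL: broken or attacked
    ("spoofed-reply", build_header(0x1234, 0x8180 | 3)),    # NXDOMAIN without AD: reject
    ("own-validator", build_header(0x1234, 0x8180 | FLAG_AD, ancount=1)),  # NOERROR, validated
]

if __name__ == "__main__":
    for server, msg in REPLIES:
        h = parse_header(msg)
        print(f"{server:16} {RCODE_NAMES[h['rcode']]:8} ad={h['ad']!s:5} {classify(h['rcode'])}")
    print("accepted:", resolve_with_fallback(REPLIES))
```

<p>The AD bit is itself unsigned, so it is only worth trusting from a resolver you reach over a channel an attacker cannot write to (a validator on localhost, for instance); a stub that talks to arbitrary resolvers must instead set CD and verify the RRSIG and NSEC records itself, at which point the same rule applies: signed NOERROR or NXDOMAIN, or keep looking.</p>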
<p>
It may be possible to design "hop by hop" security into DNSSEC. However, this was not a development goal during the major DNSSEC development effort from 1996 to 2009. Doubtless there are strong governments around the world who would like to be able to modify DNS data in flight without triggering any suspicion by their end user citizens or by secure applications. It is not too late for such governments to form a work party for these features and to offer their detailed design to the <a href="http://www.ietf.org/">IETF</a> for consideration in a future edition of the DNSSEC protocol, and if successful, work to incorporate these new features into the Internet's operating DNS. Until and unless that is done, DNSSEC will remain tamper-proof.
</p>
<p>
It would be ignorant and wrong-headed to codify in law a requirement that hop by hop security features be used before there is proof that these features can be defined and deployed in what is today an end to end security system.
</p><p><em>Written by <a href="http://www.circleid.com/members/620/">Paul Vixie</a>, Chairman and Chief Scientist, Internet Systems Consortium</em></p>]]></description>
			<dc:date>2012-01-02T13:12:00-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>law</category><category>policy_regulation</category>
		</item>
		
		<item>
			<title>Breaking the Internet HOWTO: The Unintended Consequences of Governmental Actions</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111218_breaking_the_internet_howto_unintended_consequences_of_governments/</guid>
			<link>http://www.circleid.com/posts/20111218_breaking_the_internet_howto_unintended_consequences_of_governments/</link>
			<description><![CDATA[<p><strong>"Breaking the Internet"</strong> is really hard to do. The network of networks is decentralized, resilient and has no Single Point Of Failure. That was the paradigm of the first few decades of Internet history, and most people involved in Internet Governance still carry that model around in their heads.
</p>
<p>
Unfortunately, that is changing and changing rapidly due to misguided government intervention. Ever since 2000, when we witnessed the <a href="http://en.wikipedia.org/wiki/LICRA_v._Yahoo!">LICRA v. Yahoo!</a> conflict, we have had governments taking actions that move us away from the <a href="https://projects.eff.org/~barlow/Declaration-Final.html">utopian vision of early netizens</a> towards a <a href="http://www.isoc.org/tools/blogs/scenarios/">dystopic, unrecognizable Internet.</a>
</p>
<p>
This past month has been incredibly busy in terms of misguided governmental interference. Here is a short list of recent governmental bloopers and why they are deeply flawed;
</p>
<p>
<strong>1. Put out a <a href="https://www.fbo.gov/index?s=opportunity&amp;mode=form&amp;id=c564af28581edb2a7b9441eccfd6391d&amp;tab=core&amp;_cview=0">RFP to run the core names and numbers entity</a> (the IANA) but limit it to US organisations.</strong> For over a decade, other governments have complained bitterly that the US "controls the Internet". This move further entrenches that flawed perception but serves no actual purpose since it is nearly inconceivable that any entity other than ICANN (based in California) will get this no fee contract from the Department of Commerce. Serving turkey at Thanksgiving is an American tradition, but this move elevates the term "giving the bird" to new heights. Governments unhappy with this decision have another reason to try to "split the root" or build their own set of nameservers that they can control.
</p>
<p>
<strong>2. Propose a <a href="http://news.dot-nxt.com/2011/10/27/india-proposes-government-control-internet">UN Committee for Internet-related policies</a> (CIRP).</strong> India has done this in the UN General Assembly. Earlier this year, India, along with Brazil, and South Africa floated their <a href="http://www.culturalivre.org.br/artigos/IBSA_recommendations_Internet_Governance.pdf">"IBSA Proposal"</a> [PDF] to near universal criticism. Despite this, the Indian delegate at the UN still said that CIRP would, <em>inter alia,</em>
</p>
<blockquote><p><em>"coordinate and oversee the bodies responsible for technical and operational functioning of the Internet, including global standards setting."</em></p></blockquote>
<p>
Since this is completely unlike the current situation, in which the technical and standards bodies operate independently, developing standards and policies in open-to-all, bottom-up, transparent and consensus-based processes, this proposal seems aimed at breaking the <a href="http://www.apnic.net/__data/assets/pdf_file/0003/8715/hot-topics-20031124.pdf">"Internet Model"</a> [PDF]. This model, sometimes called the <a href="www.isoc.org/pubpolpillar/docs/internetmodel.pdf">Internet eco-system</a> [PDF], has given us the Goose that lays the Golden Eggs. An <a href="http://www.circleid.com/posts/20110910_governing_the_internet_the_model_is_the_message/">excellent description of this</a> is well worth reading, and as one commenter suggested, "The model is so important that a threat to the model is a threat to the Internet itself." Because some governments are so angry about US unilateral control over Critical Internet Resources (see #1 above), they are willing to kill the Goose, thus ensuring no one gets the Golden Eggs.
</p>
<p>
<strong>3. Start a new <a href="http://www.circleid.com/posts/20111125_another_thanksgiving_another_131_domain_names_seized/">Thanksgiving tradition of censoring websites without due process</a>.</strong> Last year the <a href="http://www.techdirt.com/articles/20110201/10252412910/homeland-security-seizes-spanish-domain-name-that-had-already-been-declared-legal.shtml">rojadirecta case</a> caused quite a stir in Internet governance circles. It seems that ICE will continue to do this until your <a href="http://icanhascheezburger.com">lolcatz</a> are replaced with <a href="http://www.circleid.com/images/uploads/6151.gif">this</a>, only then will we see the public at large up in arms.
</p>
<p>
The rojadirecta case was striking in that ICE not only asserted authority over content (found to be legal in Spain, where rojadirecta is located) stored on a webserver outside the USA, it censored a website that only carried (allegedly) infringing links, as rojadirecta does not host the actual content that was thought to be infringing. Again, the US government angers the rest of the world. It may also be useful to point out that seizing the domain did not stop rojadirecta; they just moved their website to multiple other domains.
</p>
<p>
<strong>4. Be hypocritical.</strong> Proclaim your support of Internet Freedom abroad and actually fund projects that are doing excellent work to protect freedom of speech online with one hand while using the other to restrict those freedoms (see #3 above) not just for your citizens, but for billions of Internet users worldwide.
</p>
<p>
<strong>5. Make <a href="http://www.smh.com.au/world/thai-crackdown-on-facebook-remarks-on-king-20111125-1nz1t.html">pressing a Facebook "like" button</a> a criminal act.</strong> Well done, Thailand, for giving us a humorous interlude in this long, boring post!
</p>
<p>
<strong>6. Issue a <a href="http://images.spaceref.com/news/2011/ProtectiveOrder.pdf">court order </a> instructing non-profit public interest organisations outside the USA (and one in Virginia) to take specific actions in the databases they manage.</strong> In some cases, these actions may violate contracts the organisations have signed with their members. Once again, a unilateral action by a government actor throws sand in the gears of a well-oiled Internet policy system that has taken decades to evolve.
</p>
<p>
<strong>7. Propose legislation that not only censors Internet content on allegations alone, but that requires ISPs and ANYONE who runs a caching DNS server, a search engine, advertising or payment network to police content.</strong> In the USA, there is an intense battle over this SOPA/PROTECT-IP legislation that actually reaches in to DNS servers and mandates filtering by server operators.
</p>
<p>
As the <a href="http://www.cdt.org/policy/cdt-warns-against-widespread-use-domain-name-tactics-enforce-copyright">CDT</a> and <a href="http://www.eff.org/deeplinks/2011/12/internet-inventors-warn-against-sopa-and-pipa">many others</a> (including myself as a signatory) have argued, the DNS is not the appropriate place to do this.
</p>
<p>
DNS name queries should be accurately translated into DNS name responses regardless of query source or query subject. That's the design of the DNS and it does its job billions of times per day. This legislation would mandate that your DNS server send you a lie when you made specific queries. Internet broken, plain and simple. In addition, our new DNS Security extensions are incompatible with a lying DNS server: a validating resolver cannot tell a mandated substitute answer from a forged one, and rejects both. The DNS is the wrong focal point to attack this problem.
</p>
<p>
Besides the breakage, the measure, as originally proposed (and as amended), just wouldn't work to Stop Online Piracy (House bill) or PROTECT-IP (Senate). It's trivial to register a new domain name or find a new DNS service provider, and let's not forget the content "lives" on a web server somewhere that has an IP address, so filtering DNS replies does not remove the content. Of course, one domain name can have many sub-domains, so taking down one domain can affect hundreds of perfectly innocent websites (as happened in last year's Thanksgiving ICE takedown).
</p>
<p>
<strong>8. Hold hearings to put pressure on the organisation that manages Internet name and number resources to delay a program that is a result of more than 7 years of bottom-up policy making processes.</strong> Two separate House committees put ICANN on the hot seat this week because Congress clearly doesn't understand that they don't get to make these policies, they are just one stakeholder among many. I applaud ICANN for <a href="http://www.adweek.com/news/technology/house-hearing-icann-whats-dot-rush-137109">sticking to their agreed upon schedule</a> for adding more gTLDs to the root;
</p>
<blockquote><p><em>"This process has not been rushed," said Kurt Pritz, SVP of ICANN. "Every issue has been discussed. No new issues have been raised. The people at this table participated in this debate."</em></p></blockquote>
<p>
Even though I have never been a proponent of new gTLDs, I understand that the Policy Development Process has finished and I accept the result. Whinging to Congress is just bad politics for the ANA and others who testified at the hearings if they ever want to be taken seriously in ICANN policy making going forward.
</p>
<p>
On the face of it, all of these disjointed legislative, judicial and executive actions would seem to argue for a global set of rules that all governments would abide by. We saw during <a href="http://en.wikipedia.org/wiki/World_Summit_on_the_Information_Society">WSIS</a> however that the US is not about to give up the one lever of control they have over Internet names and numbers, nor are other governments willing to give up sovereignty over what happens in their territories.
</p>
<p>
If, by some miracle, a deal was reached on a treaty, this would be even more disastrous than individual governments making bad policy decisions. Having nearly 200 UN Member States making Internet policy in a top-down governments only setting would only multiply the badness of the bad ideas listed above. Do we really want China, Burma and Iran (just to mention a few) making decisions on what content we can consume or create?
</p>
<p>
Governments and Intergovernmental bodies are supposed to serve the public interest. Unfortunately, they <a href="http://motherboard.vice.com/2011/12/16/dear-congress-it-s-no-longer-ok-to-not-know-how-the-internet-works">don't grok the Internet</a> and their knee-jerk efforts are a threat to the Internet as we know it. They can best promote the public interest by NOT regulating the Internet.
</p><p><em>Written by <a href="http://www.circleid.com/members/1420/">McTim</a>, Co-Chair of the African Network Information Center Policy Development WG</em></p>]]></description>
			<dc:date>2011-12-18T23:30:01-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>cybercrime</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>registry_services</category><category>icann</category><category>internet_governance</category><category>ip_addressing</category><category>top_level_domains</category>
		</item>
		
		<item>
			<title>The Christmas Goat, IPv6 and DNSSEC &#45; Second Season</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111213_the_christmas_goat_ipv6_and_dnssec_second_season/</guid>
			<link>http://www.circleid.com/posts/20111213_the_christmas_goat_ipv6_and_dnssec_second_season/</link>
			<description><![CDATA[<p><img src="http://www.circleid.com/images/uploads/6211a.jpg" border="0" width="300" height="240" style="float:right;padding:0 0 5px 15px;" />Last year the municipality of Gavle asked my company if we could help them load share the streaming pictures of the <a href="http://en.wikipedia.org/wiki/Gävle_goat">famous Christmas goat in Gävle</a>.
</p>
<p>
I accepted the invitation and set up a separate domain. My own interest in this was of course to track the usage of IPv6 and validation of DNSSEC from the visitors of the site. You can see the results from last year's test <a href="http://www.circleid.com/posts/the_christmas_goat_ipv6_and_dnssec/">here on CircleID</a>.
</p>
<p>
Also for this year my company Interlan was involved in terms of load sharing. My special interest also stayed the same and the test this year was done in the exact same way, except for the fact that only one camera was used this year.
</p>
<p>
How did we do this? Below is a brief description:
</p>
<blockquote><p>At the time of the premiere of the 2011 Christmas Goat, November 27, 2010, the following was set up: http://www.julbockmedipv6ochdnssec.se/kamera1 (no longer active)
</p>
<p>
In order to:
</p>
<p>
&bull; Track native IPv6 with an RR with A and AAAA.
</p>
<p>
&bull; Track those who can run IPv6 native or tunneled.
</p>
<p>
&bull; Track validating DNS-resolvers with a domain that has a faulty DNSSEC.</p></blockquote>
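<p>To show how the three probes above turn into numbers, here is an added example in Python (editor's code, not Interlan's): it reads a simplified, constructed request log, tells native from tunneled IPv6 using the Teredo (2001:0::/32) and 6to4 (2002::/16) prefixes, and counts a visitor as validating when the image behind the deliberately broken DNSSEC name was never fetched. The probe hosts dual.example, badsig.example and the literal [2001:db8::1] are invented stand-ins for the ones the test used.</p>

```python
"""Classify visitors by IPv6 reachability and DNSSEC validation from a request log.

Added example reconstructing the measurement described above; not the
author's code. It assumes three probe hosts, all invented, each serving a
small image referenced from the camera page:
  dual.example    has A and AAAA: fetched over IPv6 only by native-IPv6 visitors
  [2001:db8::1]   IPv6 literal: reached by anyone with IPv6, native or tunneled
  badsig.example  deliberately broken DNSSEC: loads only when the visitor's
                  resolver does not validate
The log is constructed, one request per line: "<visitor> <client-ip> <host> <path>".
"""
import ipaddress
from collections import defaultdict

PAGE_HOST = "www.example"
PROBE_DUAL, PROBE_LITERAL, PROBE_BADSIG = "dual.example", "[2001:db8::1]", "badsig.example"

SAMPLE_LOG = """\
v1 198.51.100.10 www.example /kamera1
v1 198.51.100.10 dual.example /probe.jpg
v1 198.51.100.10 badsig.example /probe.jpg
v2 203.0.113.7 www.example /kamera1
v2 203.0.113.7 dual.example /probe.jpg
v2 2001:0:4136:e378:8000:63bf:3fff:fdd2 [2001:db8::1] /ipv6.jpg
v3 192.0.2.77 www.example /kamera1
v3 192.0.2.77 dual.example /probe.jpg
v3 2002:c000:024d::1 [2001:db8::1] /ipv6.jpg
v3 192.0.2.77 badsig.example /probe.jpg
v4 2001:db8:10:3::42 www.example /kamera1
v4 2001:db8:10:3::42 dual.example /probe.jpg
v4 2001:db8:10:3::42 [2001:db8::1] /ipv6.jpg
"""


def transport_kind(ip: str) -> str:
    """'v4', 'native', 'teredo' or '6to4' for a client address, using the
    well-known tunnel prefixes 2001:0::/32 (Teredo) and 2002::/16 (6to4)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return "v4"
    if addr.teredo is not None:
        return "teredo"
    if addr.sixtofour is not None:
        return "6to4"
    return "native"


def classify_visitors(log: str) -> dict:
    """Per visitor: how the IPv6-only probe was reached, whether the dual-stack
    probe was fetched over IPv6, and whether the resolver validated DNSSEC."""
    seen = defaultdict(dict)  # visitor -> {host: transport used to fetch it}
    for line in log.splitlines():
        if not line.strip():
            continue
        visitor, ip, host, _path = line.split()
        seen[visitor][host] = transport_kind(ip)
    result = {}
    for visitor, by_host in seen.items():
        if PAGE_HOST not in by_host:
            continue  # never loaded the page, so the probes say nothing
        result[visitor] = {
            "ipv6": by_host.get(PROBE_LITERAL, "none"),
            "native_dual": by_host.get(PROBE_DUAL) == "native",
            "validating": PROBE_BADSIG not in by_host,  # broken-signature image never loaded
        }
    return result


def summarize(result: dict) -> dict:
    """Whole-percent figures of the kind the post reports."""
    n = len(result)
    if n == 0:
        return {}

    def pct(k, total=n):
        return round(100 * k / total)

    ipv6_users = [r["ipv6"] for r in result.values() if r["ipv6"] != "none"]
    summary = {
        "visitors": n,
        "native_ipv6_pct": pct(sum(r["native_dual"] for r in result.values())),
        "any_ipv6_pct": pct(len(ipv6_users)),
        "validating_pct": pct(sum(r["validating"] for r in result.values())),
    }
    if ipv6_users:
        summary["ipv6_kinds_pct"] = {k: pct(ipv6_users.count(k), len(ipv6_users))
                                     for k in ("native", "teredo", "6to4")}
    return summary


if __name__ == "__main__":
    print(summarize(classify_visitors(SAMPLE_LOG)))
```

<p>The "validating" figure is an upper bound: a visitor who left before the broken-signature image was requested also never fetches it, so a real run should only count visitors who completed the page load.</p>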
<p>
From the above we were able to find out that both usage of native IPv6 and DNSSEC validation have increased quite a lot this year. The native IPv6 users increased from 0.1% to 0.5% and the DNSSEC validation from 44% to 72%.
</p>
<p>
52% of all visitors were able to reach <tt>http://[2001:b48:10:3::215]/ipv6.jpg</tt>, of which 74% were running Teredo, 25% 6to4 and 1% native IPv6.
</p>
<p>
<img src="http://www.circleid.com/images/uploads/6211b.jpg" border="0" width="300" height="229" style="float:right;padding:0 0 5px 15px;" />Unfortunately the Christmas Goat did not have the same luck as the one in 2010. By the morning of Friday, the 2nd of December, it was burned down.
</p>
<p>
The total time of the test this year was hereby limited to a short period. But with the experience from the test last year, and this year, I only need a few days to get quite an accurate percentage of the use of IPv6 and DNSSEC from the visitors. This year I did a check after two days; last year I checked several times and the result was surprisingly accurate after only a few days.
</p>
<p>
The operating systems used by visitors were also as expected: Windows 7, Mac OS X and different smartphones were up, and Windows XP and Vista were down.
</p>
<p>
Hopefully I will be back in 2012 with another update on the IPv6 &#8212; DNSSEC usage via the Christmas Goat in Gavle!
</p>
<p>
For now, a Merry Christmas and a Happy New Year to you all!
</p><p><em>Written by <a href="http://www.circleid.com/members/4450/">Torbjörn Eklöv</a>, CTO, Senior Network Architect, DNSSEC/IPv6</em></p>]]></description>
			<dc:date>2011-12-13T12:31:00-08:00</dc:date>
			<category>internet</category><category>dnssec</category><category>ipv6</category>
		</item>
		
		<item>
			<title>Technical Comments on Mandated DNS Filtering Requirements of H. R. 3261 (&quot;SOPA&quot;)</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111211_technical_comments_on_mandated_dns_filtering_requirements_sopa/</guid>
			<link>http://www.circleid.com/posts/20111211_technical_comments_on_mandated_dns_filtering_requirements_sopa/</link>
			<description><![CDATA[<p>About two months ago, I got together with some fellow DNS engineers and sent <a href="http://www.circleid.com/posts/20111012_protecting_intellectual_property_good_mandatory_dns_filtering_bad/">a letter to the U. S. Senate</a> explaining once again why the mandated DNS filtering requirements of S. 968 ("PIPA") were technically unworkable. This letter was an updated reminder of the issues we had previously covered in our earlier <a href="http://www.circleid.com/posts/20110525_experts_urge_congress_to_reject_proposed_dns_filtering_protect_ip/">white paper</a> on the same subject.
</p>
<p>
In the time since then, the U. S. House of Representatives has issued their companion bill, H. R. 3261 ("SOPA") and all indications are that they will begin "markup" on this bill some time next week. SOPA contains a DNS filtering mandate similar to PIPA's, and our arguments about the technical unworkability of PIPA are entirely accurate about the technical flaws in SOPA. We've also heard rumours of a possible "compromise" whereby Congress may be willing to water down these bills and require that DNS lookups for infringing web sites are simply not answered, as if that would be somehow better than answering with a pointer to a government warning page.
</p>
<p>
This is not a compromise, and would not work anyway. Today we're sending <a href="http://www.circleid.com/pdf/letter-to-us-hr-regarding-sopa.pdf">a letter</a> to the chairmen, members, and staffs of the committees in the House and Senate who are trying to figure out how to re-engineer the DNS to protect brands and intellectual property from online infringement. The simple fact is, DNS doesn't work the way Congress needs it to work, and mandated interception in any form will not make it so.
</p>
<p>
In other news, I participated in a panel at Stanford University's law school the other night, topic: "What's Wrong With SOPA?". While we had no SOPA proponents on the panel itself, we had plenty in the audience, as the Q&amp;A will show. The video is <a href="http://www.youtube.com/watch?v=S2vFB3qKqoY">here</a>. And if you missed the webinar last month where we discussed the dangers of PIPA (and SOPA) with some ISPs, the audio is <a href="https://internetconsortevents.webex.com/internetconsortevents/lsr.php?AT=pb&amp;SP=EC&amp;rID=4398002&amp;rKey=77a94bd92c7fad66%20">here</a>.
</p><p><em>Written by <a href="http://www.circleid.com/members/620/">Paul Vixie</a>, Chairman and Chief Scientist, Internet Systems Consortium</em></p>]]></description>
			<dc:date>2011-12-11T15:39:00-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>law</category>
		</item>
		
		<item>
			<title>DNSSEC Update from ICANN 42 in Dakar</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111130_dnssec_update_from_icann_42_in_dakar/</guid>
			<link>http://www.circleid.com/posts/20111130_dnssec_update_from_icann_42_in_dakar/</link>
			<description><![CDATA[<p>While the global rollout of Domain Name System Security Extensions (DNSSEC) continues at the domain name registry level &#8212; with more than 25% of top-level domains now signed &#8212; the industry continues to focus on the problem of registrar, ISP and ultimately end-user adoption. At the ICANN meeting in Dakar in late October, engineers from some of the early-adopting registries gathered for their regular face-to-face discussion about how to break the "chicken or egg" problems of secure domain name deployment.
</p>
<p>
Perhaps the most encouraging update came from CZ.NIC, the manager of Czech country-code top-level domain .cz, which has been aggressively promoting DNSSEC since 2009. According to CZ.NIC's Ondrej Filip, 17% of domains in the .cz zone are now signed. That's 145,000 domains, making .cz probably the most DNSSEC-saturated zone in both relative and absolute numbers.
</p>
<p>
This level of rapid uptake was achieved through a combination of registrar outreach, incentives, and end-user marketing, Filip said. Registrars received free training, co-marketing assistance and increased rebates from CZ.NIC for signing domains. Three .cz registrars have now signed all of their customers' domains by default and free of charge, which accounts for the big uptick earlier this year.
</p>
<p>
Larger ccTLDs and gTLDs signed their zones later and have seen lower adoption so far. Roy Arends of Nominet said that 226 domains use DNSSEC in .uk, following the signing of second-level zones such as .co.uk and .org.uk in May. However, Arends also reported seeing increasing levels of DNSSEC queries coming from resolvers, suggesting that ISPs in the UK are beginning to support the technology, bringing secure DNS one step closer to end users.
</p>
<p>
Vincent Levigneron of .fr registry Afnic said that there are only 30 signed domain names of the two million in .fr, and only 1% of its accredited registrars offer the technology, about a year after .fr was signed. VeriSign's Joe Waldron reported that .com had 4,436 signed domains in mid-October, about six months after DNSSEC went live in the 100-million-strong zone.
</p>
<p>
Waldron, along with Afilias' Jim Galvin, shared .org data and explained that DNSSEC can be complex for registrars to implement in gTLDs where inter-registrar transfers are commonplace and easy. When a domain name is transferred between two registrars that also bundle DNS with their services, the DNSSEC records must also be transferred. This becomes more complex when a registrant uses a third-party provider for their DNS needs. Mistakes could lead to validation failures and downtime &#8212; and that is unacceptable to customers.
</p>
<p>
Galvin explained that work is underway on best practices for inter-registrar transfers of DNSSEC-signed domains when a third-party operator needs to be in the loop. DNS services currently bundled with registration services will need to be functionally decoupled to make a coordinated handover more reliable, and registrants will need to be well-informed about how to transfer their DNS functionality as well as their domains.
</p>
<p>
As I've previously written, the road to universal DNSSEC deployment will be long and fraught with challenges. Open industry discussions and the sharing of experiences and best practices &#8212; the likes of which we saw once again at ICANN Dakar &#8212; can only help make the roll-out shorter and easier for all concerned. DNSSEC deployment is something the Internet is relying on us all to do, and we're getting there, one step at a time.
</p><p><em>Written by <a href="http://www.circleid.com/members/1080/">Ram Mohan</a>, Executive Vice President & CTO, Afilias</em></p>]]></description>
			<dc:date>2011-11-30T12:15:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>icann</category><category>security</category>
		</item>
		
		<item>
			<title>Taking the Anti-SOPA Message to the People</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111121_taking_the_anti_sopa_message_to_the_people/</guid>
			<link>http://www.circleid.com/posts/20111121_taking_the_anti_sopa_message_to_the_people/</link>
			<description><![CDATA[<p>It was fascinating last week to read coverage of congressional hearings around the SOPA bill, or Stop Online Piracy Act. The bill has strong support from the Motion Picture Association of America, the U.S. Chamber of Commerce and big pharmaceutical companies. It's opposed by most technology and telecom companies, plus consumer advocate groups like the Electronic Frontier Foundation and Public Knowledge.
</p>
<p>
Here's some recent coverage:
</p>
<ul><li><a title="Kang story" href="http://www.washingtonpost.com/business/economy/online-piracy-bill-gains-support-as-lobbying-intensifies/2011/11/16/gIQAX16VSN_story.html?wpisrc=nl_tech">Cecilia Kang of the Post</a></li>
<li><a title="Declan story" href="http://news.cnet.com/8301-31921_3-57325905-281/sopa-bill-wont-make-u.s-a-repressive-regime-democrat-says/?tag=rtcol">Declan McCullagh of CNET</a></li>
<li><a title="Zack story" href="http://www.zdnet.com/blog/btl/sopa-why-the-broken-web-should-stay-broken/63724?tag=nl.e539">Zack Whittaker of ZDNet</a></li></ul>
<p>
<a title="My Protect IP story" href="http://cparente.wordpress.com/2011/07/28/should-uncle-sam-mess-with-the-dns/">I wrote about the Senate version of this bill, PROTECT IP, back in July</a>. Some very smart people like <a href="http://www.circleid.com/members/620/">Paul Vixie</a> have <a href="http://www.circleid.com/posts/20111012_protecting_intellectual_property_good_mandatory_dns_filtering_bad/">pointed out</a> how so-called "DNS filtering" won't stop access to pirated content online, but is a very dangerous precedent for how the Internet operates. It would also hamper the adoption of DNSSEC, which will improve online security.
</p>
<p>
What's really interesting this week is how the tech giants are taking the message directly to the people. There's a well known term in Washington called <a title="Astroturf definition" href="http://en.wikipedia.org/wiki/Astroturfing">Astroturfing</a>, in which a corporate or political campaign is made to appear like a spontaneous, grass-roots movement.
</p>
<p>
With the ubiquity of some of the consumer services provided by the tech giants, they have the ability to create a "real" Astroturf effort, so to speak. Check out the Mozilla start page today, seen by millions daily (click to enlarge):
</p>
<p>
<img src="http://www.circleid.com/images/uploads/6141a.jpg" border="0" width="642" height="272" style="display:block;" />
</p>
<p>
Which leads to this:
</p>
<p>
<img src="http://www.circleid.com/images/uploads/6141b.jpg" border="0" width="642" height="559" style="display:block;" />
</p>
<p>
Other organizations are doing similar online messaging. As stated above, the technical objections to SOPA have been well illustrated. If the CircleID community will indulge an over-simplification, let's consider this policy struggle from a viewpoint not covered by the reporters above.
</p>
<p>
One could view this as a battle between big companies that charge consumers money for things &#8212; songs, movies, goods &#8212; vs. big companies that give consumers services for free: search, news, games, telephony. (Put aside for a moment that these free services are paid for by an advertising model that requires harvesting information about the actions of users online.)
</p>
<p>
Many online services are free or practically so, a far cry from a movie ticket. Considering that, can these efforts generate enough heat to make Congress back down? Was this 11th hour outreach the plan all along, or is this a Hail Mary since the more old school lobbying tactics of the pro-SOPA crowd seem to be working?
</p>
<p>
I'd love to know how many thousands of Americans are clicking on the "Take Action Now!" button right now.
</p><p><em>Written by <a href="http://www.circleid.com/members/1495/">Christopher Parente</a>, High Tech Public Relations</em></p>]]></description>
			<dc:date>2011-11-21T09:33:00-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>cybercrime</category><category>dns</category><category>dnssec</category><category>internet_governance</category><category>policy_regulation</category>
		</item>
		
	</channel>
</rss>
