<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: DNSSEC</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest DNSSEC related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2010, unless where otherwise noted.</dc:rights>
		<dc:date>2010-03-12T11:59:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>.ORG to Fully Deploy DNSSEC in June</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100311_org_to_fully_deploy_dnssec_in_june/</guid>
			<link>http://www.circleid.com/posts/20100311_org_to_fully_deploy_dnssec_in_june/</link>
			<description><![CDATA[<p><strong>.ORG, The Public Interest Registry to complete its final step of DNSSEC deployment by June 30, 2010</strong>
</p>
<p>
.ORG, The Public Interest Registry (PIR) today announced plans to complete the final step to realizing full DNSSEC deployment in the .ORG registry by accepting second level signed .ORG zones beginning in June of 2010. This positions .ORG as the first generic top-level domain (TLD) to offer full DNSSEC deployment.
</p>
<p>
All registrars can now plan to offer an additional security service to their customers. The benefits of DNSSEC include the ability to thwart the increasing predominance of attacks like pharming, cache poisoning, and DNS redirection that have been used to commit fraud, distribute malware, and/or commit identity theft. DNSSEC, an upgrade to the internet infrastructure, protects Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.
</p>
<p>
"This announcement coupled with recent ones by Comcast, various ccTLDs and even ICANN, is an important signal not only for application providers, ISPs, and telcos, but also for registrars to begin planning for their implementation now, to address the need for enhanced security for their customers," said Alexa Raad, CEO of PIR. "Ensuring Internet security and stability are among our highest priorities and being the first to fully deploy DNSSEC positions .ORG registrants to be amongst the first to safeguard their users from escalating security threats, especially as Internet usage continues to grow exponentially."
</p>
<p>
Launching signed delegations, with the technical support of Afilias, is the final step in PIR's phased approach to fully deploying DNSSEC within the .ORG zone. A rigorous "friends and family" testing phase, started in June of 2008, has enabled PIR not only to thoroughly test and address operational and deployment issues related to zone management, key distribution and rollover, but also to assist registrars in the development and deployment of the service.
</p>
<p>
"We applaud PIR's leadership in the deployment of DNSSEC in the gTLD space," said Rod Beckstrom, President and Chief Executive Officer of ICANN. "Opening up general registration of signed zones in .ORG is a major step forward."
</p>
<p>
All interested registrars must pass a mandatory DNSSEC Certification Test. For more information regarding .ORG DNSSEC initiatives and information, please visit: <a href="http://www.pir.org/dnssec">www.pir.org/dnssec</a>.
</p>]]></description>
			<dc:date>2010-03-11T09:16:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>domain_registries</category><category>security</category><category>top_level_domains</category>
		</item>
		
		<item>
			<title>The GLOBE Program Chooses Dyn Inc.&apos;s Dynect Platform to Deploy DNSSEC per Federal OMB Mandate</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100308_globe_program_chooses_dyn_inc_dynect_platform/</guid>
			<link>http://www.circleid.com/posts/20100308_globe_program_chooses_dyn_inc_dynect_platform/</link>
			<description><![CDATA[<p>Dynamic Network Services Inc. (<a href="http://www.dyn.com">Dyn Inc.</a>), a world leader in managed DNS services, announces that The GLOBE Program, a .gov domain, chooses the Dynect Platform to implement the DNSSEC mandate made by the Executive Office of the President, Office of Management and Budget (OMB).
</p>
<p>
DNSSEC (DNS Security Extensions) adds a layer of security to the Domain Name System (DNS) that verifies the identity and authenticity of domain names when they are accessed by an Internet user. The adoption of this security measure helps protect against the Internet's most dangerous types of DNS attacks, including phishing and cache poisoning that can be used to redirect websites and steal sensitive information.
</p>
<p>
Dyn Inc. previously announced in June of 2009 that it had become the first managed DNS provider to offer <a href="http://dnssec.net">DNS Security Extensions (DNSSEC)</a> to its clients on the <a href="http://dynect.com">Dynect Platform</a>, the company's enterprise managed DNS offering. Now with nearly a year of operational DNSSEC experience, the Dynect Platform is offering DNSSEC standard with its service and making it simple for organizations such as the GLOBE Program to meet their DNSSEC mandate without additional cost or complication.
</p>
<p>
<a href="http://www.globe.gov/">The GLOBE Program</a> promotes and supports students, teachers and scientists to collaborate on inquiry-based investigations of the environment and the Earth system, working in close partnership with NASA and NSF Earth System Science Projects in study and research about the dynamics of Earth's environment. "We were required by NASA to migrate our .gov domain to use DNSSEC, and we were fortunate that Dynect had an option to assist us with this. The transition was smooth, the customer service was responsive, and the user interface made the rather complicated process quite simple," said Mark Sallee, Systems Administrator for the GLOBE Program. "I'm glad that the DNSSEC service worked as well as it did. I'm sure other .gov sites would benefit from partnership with the service provided on the Dynect Platform, since the alternative, manual setup is complicated and probably many systems administrators have not yet had much experience with key creation, signing, and rollover."
</p>
<p>
The GLOBE Program depends on their website as a means for members to share and access information, making the safety of users and the information shared of critical importance. "NASA and the GLOBE Program care that when a user accesses their website or logs in to their database, that they are getting an authentic website and safe space to share information," said Jeremy Hitchcock, CEO at Dyn Inc. "As early adopters and advocates of DNSSEC, our goal was to provide a simple solution and interface that allows users to enable DNSSEC by making just a few selections and clicks of the mouse."
</p>
<p>
As more domains become mandated to add DNSSEC, the Dynect Platform is proud to offer a comprehensive solution to any organization that may have been intimidated by the process. "For that large percentage of federal government agencies who missed the DNSSEC deadline this past December, we are here to help you implement," commented Kyle York, VP of Sales and Marketing at Dyn Inc. "Some common beliefs about DNSSEC are that it will increase DNS server load and that the overall process from acquiring to signing keys is quite complicated, but we have a network of overpowered DNS servers and a team of DNS experts that can walk you through the process and answer any questions to ensure this is a positive evolution for your overall site security efforts."
</p>
<p>
As reports of cyber crime continue to rise, the overall security of the Internet remains an important topic. Almost every business relies on its online presence to do business; if it gets compromised, so does the success of the business and the trust of its users. With DNS being a key component to the Internet's infrastructure, and DNSSEC being an added layer of security, Dyn Inc. and the Dynect Platform are happy to play a key role in making the Internet a safer place, one domain at a time.
</p>]]></description>
			<dc:date>2010-03-10T09:06:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>security</category>
		</item>
		
		<item>
			<title>SPECIAL: Updates from the ICANN Meetings in Nairobi</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100303_special_updates_from_the_icann_meetings_in_nairobi/</guid>
			<link>http://www.circleid.com/posts/20100303_special_updates_from_the_icann_meetings_in_nairobi/</link>
			<description><![CDATA[<p>CircleID, in collaboration with the team from <a href="http://dyn.com/">Dyn Inc.</a>, will be bringing you video blogs and updates from the <a href="http://nbo.icann.org/">37th ICANN meetings in Nairobi, Kenya</a> (7-12 March 2010). Stay tuned as we keep this page updated throughout the meetings. Updates are posted in reverse chronological order, Nairobi (EAT) time.
</p>
<p>
<strong>Coverage of past ICANN meetings:</strong>
<br />
<a href="http://www.circleid.com/posts/20091023_special_updates_from_the_icann_meetings_in_seoul/">ICANN 36 in Seoul, South Korea</a>
<br />
<a href="http://www.circleid.com/posts/20090617_latest_updates_from_the_icann_meetings_in_sydney/">ICANN 35 in Sydney, Australia</a>
<br />
<a href="http://www.circleid.com/posts/20090301_video_blog_updates_icann_meetings_mexico/">ICANN 34 in Mexico City</a>
</p>
<p>
<strong>Comments and questions?</strong>
<br />
Please post them below in the comment section of the page or <a href="http://www.circleid.com/about/contact/feedback">send us an email</a>.
</p>
<p>
<span style="display:block;text-align:center;">* * *</span>
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Thu, Mar 11, 2010 at 9:35 PM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. sits down with Bart Boswinkle, Senior Policy Advisor for the Country Code Name Supporting Organization, at ICANN 37 in Nairobi, Kenya.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/hnmvlQMFDjg&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/hnmvlQMFDjg&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Thu, Mar 11, 2010 at 9:30 PM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. speaks with Zahid Jamil, a representative for business interests and other major topics, and a big player for ICANN, at ICANN 37 in Nairobi, Kenya.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/EZChO0332iM&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/EZChO0332iM&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Thu, Mar 11, 2010 at 7:50 PM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. talks about DNS Security (DNSSEC) with longtime Internet industry leader Steve Crocker, CEO of Shinkuro Inc., at ICANN 37 in Nairobi, Kenya. Updates on the root being signed or scheduled to be signed: .ORG to be signed in July, .COM next year, .NET end of 2010. ccTLDs are showing much activity across the board.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/D8uxN5KDaCY&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/D8uxN5KDaCY&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Thu, Mar 11, 2010 at 7:46 PM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. spends a few minutes with Ndeye Maimouna, Director of ITC in Senegal, about security around the location of this ICANN 37 meeting being in Nairobi, Kenya.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/oxr-MEFNBCc&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/oxr-MEFNBCc&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Thu, Mar 11, 2010 at 12:32 AM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. discusses a 2nd topic with Margie Milam about vertical integration and registry/registrar separation around distribution at ICANN 37 in Nairobi, Kenya.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/CllmAfz4M8w&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/CllmAfz4M8w&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Thu, Mar 11, 2010 at 12:31 AM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. speaks with ICANN Policy Director, Marika Konings, about registration abuse at ICANN 37 in Nairobi, Kenya.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/CqgeYAz0ums&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/CqgeYAz0ums&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Wed, Mar 10, 2010 at 10:30 PM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. meets with Stephane Van Gelder, General Manager of Indom.com at ICANN 37 in Nairobi, Kenya.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/feLsBNyij3w&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/feLsBNyij3w&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Wed, Mar 10, 2010 at 10:07 PM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. meets with Margie Milam, ICANN Senior Policy Counselor, at ICANN 37 in Nairobi, Kenya. The main topic for this video is Specific Trademark Issues (STI).
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/PpM7Dv6Q3Uc&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/PpM7Dv6Q3Uc&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Tue, Mar 9, 2010 at 10:38 PM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. speaks with ICANN CEO, Rod Beckstrom, at ICANN 37 in Nairobi, Kenya. Big stories coming out of Kenya include further networking out of Africa, EOI board vote and progress areas for new gTLDs.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/wbGD1WIUkus&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/wbGD1WIUkus&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Tue, Mar 9, 2010 at 9:10 PM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. has a discussion with Liz Gasster, ICANN Senior Policy Counselor, at ICANN 37 in Nairobi, Kenya. WHOIS is the main topic.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/y2X91lytoMM&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/y2X91lytoMM&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Tue, Mar 9, 2010 at 7:50 PM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. chats with Avri Doria, Chair, Executive Committee of the ICANN Non-Commercial Stakeholders Group, at ICANN 37 in Nairobi, Kenya. Expressions of interest in new gTLD is the main topic.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/AS-pVKsMOus&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/AS-pVKsMOus&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Tue, Mar 9, 2010 at 10:24 AM</strong> &mdash; Gray Chynoweth, GC, VP Business Operations for Dyn Inc. discusses the .XXX TLD with Stuart Lawley, Chairman &amp; President of the ICM Registry at ICANN 37 in Nairobi, Kenya.
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/fvqhXXln1vY&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/fvqhXXln1vY&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<strong>Update</strong> / <strong>Local Time: Wed, Mar 3, 2010 at 11:23 PM</strong> &mdash; Gray Chynoweth, General Counsel &amp; VP, HR at Dyn Inc. discusses the upcoming ICANN 37 meeting in Nairobi, Kenya. Gray introduces the video blog series, done in conjunction with CircleID for the 4th time. Gray also outlines the topics for this event including security and remote access, new TLDs, the .xxx gTLD, DNSSEC rollout, root scaling, WHOIS study and more.
</p>
<p>
If you're not making the trip out to Africa, stay tuned and watch all of the footage from ICANN 37 in Nairobi, Kenya following Gray's hike of Mount Kilimanjaro in Tanzania with other Internet professionals (<a href="http://kili2010.com">http://kili2010.com</a>).
</p>
<p>
<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/_D0BWfjS4Rg&amp;hl=en_US&amp;fs=1&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/_D0BWfjS4Rg&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object><br /><br />
</p>
<p>
<em>Brought to you in partnership with <a href="http://dynamicnetworkservices.com/">Dyn Inc</a>. Please add your feedback and suggestions using the comment form provided on this page or <a href="http://www.circleid.com/about/contact/feedback">contact us directly</a>.</em>
</p>]]></description>
			<dc:date>2010-03-04T12:58:00-08:00</dc:date>
			<category>internet</category><category>cybersquatting</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>domain_registries</category><category>icann</category><category>internet_governance</category><category>internet_protocol</category><category>ip_addressing</category><category>ipv6</category><category>policy_regulation</category><category>regional_registries</category><category>top_level_domains</category>
		</item>
		
		<item>
			<title>OpenDNS Adopts Proposed DNS Security Solution: DNSCurve</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100223_opendns_adopts_proposed_dns_security_solution_dnscurve/</guid>
			<link>http://www.circleid.com/posts/20100223_opendns_adopts_proposed_dns_security_solution_dnscurve/</link>
			<description><![CDATA[<p>For more than 15 years, the IETF has been working on DNSSEC, a set of extensions to apply <a href="http://en.wikipedia.org/wiki/Digital_signature">digital signatures</a> to DNS. Millions of dollars in government grants and several reboots from scratch later, DNSSEC is just starting to see real world testing. And that testing is minimal&#8212;only about 400 of the more than 85,000,000 .com domains support DNSSEC, fewer than 20% of US government agencies met their mandated December 31, 2009 deadline for DNSSEC deployment, and only two of the thirteen root zone name servers are testing with even dummy DNSSEC data.
</p>
<p>
Aside from its lack of adoption, DNSSEC isn't even a very satisfactory solution. It adds tremendous complexity to an already fragile protocol, significantly increases DNS traffic in size, encourages questionable security practices, and hamstrings many modern uses of DNS.
</p>
<p>
<strong>Details</strong>
</p>
<ul><li><strong>Complexity:</strong> DNSSEC has many options for enabling/disabling DNSSEC validation, with conflicting interpretations of how to handle different bits; considering people still disagree about how to handle features of DNS that have been present since its inception, I foresee these won't be resolved anytime soon.</li>
<li><strong>DNS traffic:</strong> Responses right now are usually limited to 512 bytes, sometimes a little more. DNSSEC enabled responses regularly exceed 1500 bytes, requiring IP fragmentation or fallback to TCP. IP fragmentation frequently fails with misconfigured firewalls and using TCP is much slower than the default UDP transport.</li>
<li><strong>Questionable security practices:</strong> Most users are encouraged to use 512-bit or 1024-bit RSA keys. A group of hobbyists recently worked together to break all of the 512-bit keys used by Texas Instruments for signing their calculator firmware and they did so quickly and easily. The RSA company and NIST have been recommending users switch to 2048-bit keys since 2003 and 2007, respectively. Again, unfortunately, the DNSSEC standards developers are hesitant because bigger crypto is slower, and it will further push the traffic size issue.</li>
<li><strong>Hamstrings modern uses:</strong> High traffic DNS servers can't handle signing every response packet, so they need to pre-compute signatures. This limits how companies like Akamai and Google or projects like the <a href="http://www.pool.ntp.org/en/">NTP Pool</a> can use DNS for global load balancing and routing users to their nearest servers. It also fundamentally hampers services like OpenDNS, which use DNS to provide content filtering and search services.</li>
<li><strong>Efficiency:</strong> RSA is a very slow crypto standard; its only benefit is that everyone knows about it. DNSSEC can theoretically support other crypto standards, but the IETF has largely ignored efforts from interested parties to add support for faster and stronger algorithms.</li></ul>
<p>
So while debate about DNSSEC wears on, OpenDNS has fully adopted another proposed DNS security solution: <strong>DNSCurve</strong>.
</p>
<p>
<a href="http://dnscurve.org/">DNSCurve</a> is a recent DNS extension proposal that is fully backwards compatible with the existing DNS protocol, uses <a href="http://dnscurve.org/crypto.html">much stronger cryptography</a> than DNSSEC, and most importantly, is much simpler and much easier to implement and manage. The most significant technical distinction is that DNSSEC uses large and slow per-recordset signatures while DNSCurve uses small and fast per-packet encryption and authentication.
</p>
<p>
OpenDNS's DNS resolvers already fully support DNSCurve <em>today</em> and use it whenever possible. Of course, authoritative servers need to be upgraded to support DNSCurve as well, but it's our hope that this announcement will help to get the ball rolling on DNSCurve adoption. If you're an authoritative DNS provider and are interested in deploying DNSCurve, we're interested in hearing from you.
</p>
<p>
<em>(This article was originally posted to the <a href="http://blog.opendns.com/2010/02/23/opendns-dnscurve/">OpenDNS blog</a>.)</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/4532/">Matthew Dempsky</a></em></p>]]></description>
			<dc:date>2010-02-23T12:59:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>security</category>
		</item>
		
		<item>
			<title>Comcast Announces Aggressive Plan to Deploy DNSSEC, Launches First Public Trial</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/comcast_announces_aggressive_plan_to_deploy_dnssec/</guid>
			<link>http://www.circleid.com/posts/comcast_announces_aggressive_plan_to_deploy_dnssec/</link>
			<description><![CDATA[<p>Leading US ISP, Comcast, has announced today its aggressive plans to deploy DNSSEC throughout its network. Chris Griffiths, Manager of DNS Engineering, <a href="http://blog.comcast.com/2010/02/dnssec.html">writes</a>: "We plan to implement DNSSEC for the websites we manage, such as comcast.com, comcast.net and xfinity.com, by the first quarter of 2011, if not sooner. By the end of 2011, we plan to implement DNSSEC validation for all of our customers."
</p>]]></description>
			<dc:date>2010-02-23T12:15:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>dnssec</category><category>security</category>
		</item>
		
		<item>
			<title>DNS Resolvers and DNSSEC: Roll Over and Die?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/dns_resolvers_and_dnssec_roll_over_and_die/</guid>
			<link>http://www.circleid.com/posts/dns_resolvers_and_dnssec_roll_over_and_die/</link>
			<description><![CDATA[<p>Security is great when all the green lights are shining brightly and everything validates as intended, but what happens when you encounter failure? In this work we examine the behaviour of the DNS when security, in the form of DNSSEC, is added, and we look at what happens when things do not happen as intended. What triggered this examination was a sudden increase in the traffic generated by secondary servers for the in-addr.arpa reverse zones in December 2009. Within hours the traffic levels from those servers had doubled. What was initially surprising was that this was not a malicious attack, but due to the combination of DNSSEC and cryptographic key distribution methods and the planned rollover of the keys for the zones being served on that day. We have found two widely deployed implementations of DNS resolvers that enter a mode of sustained, repeated and very rapid querying of DNS servers for DNSKEY and RRSIG Resource records, causing potential problems for both DNS servers and resolvers.
</p>
<p>
The problem is shown to be an outcome of the interaction of the distribution of key material and the regular rollover of the key signing key that forms the trust anchor for the signed zone. When these resolver implementations fall out of sync with the zone's keys then they do not quietly fail, but instead they enter a period of sustained query thrashing, asking the same query from all the name servers of a zone with up to a thousand repetitions from each single initial seed query.
</p>
<p>
The signing of the root of the DNS and a hierarchical signing delegation from the root downward was intended to circumvent such problems of manual key management and synchronisation, because as long as the client was able to synchronise their key with the root key then there is no such problem of falling out of sync with individual zone keys. However there is a vulnerable period over the next six months when the DNSSEC-signed root is deployed with a deliberately unvalidatable root zone, or DURZ. Clients are meant to avoid loading a local key for the root during this period, as there is no valid public key. But our studies have shown that if a client does mistakenly load a key then the resultant query load of rapid-fire repeated DNSSEC queries and large DNSKEY responses may present traffic problems for both the client and the root servers themselves.
</p>
<p>
Further on, in mid-2010, the root will be signed with a key that can be validated. The current intent is to regularly roll this root zone key every 2 - 5 years. Our studies show that if clients continue to operate in a manner which does not fail quietly, but fails in a way that generates very high bursts of DNS queries, with repetition factors in the order of up to 300,000 repetitions per seed query in a typical case, then each root zone key rollover has the potential to pose a significant denial of service threat to the root of the DNS from such out-of-key-sync clients running the current code levels of DNS resolvers.
</p>
<p>
The full details of the study can be found at <a href="http://www.potaroo.net/ispcol/2010-02/rollover.html">http://www.potaroo.net/ispcol/2010-02/rollover.html</a>
</p>
<p>
<strong>About the Authors:</strong>
</p>
<p>
George Michaelson is a Research Scientist at APNIC, the Regional Internet Registry serving the Asia Pacific Region.
</p>
<p>
Patrik Wallström has been working on DNSSEC and the development of the registry system at .SE for seven years, and with computer security and open source for over 15 years.
</p>
<p>
Roy Arends is Senior Researcher at Nominet UK, the Internet Registry for .uk domain names.
</p>
<p>
Geoff Huston is the Chief Scientist at APNIC, the Regional Internet Registry serving the Asia Pacific region.
</p><p><em>Written by <a href="http://www.circleid.com/members/4499/">George Michaelson</a>, Senior Research and Development Scientist at APNIC</em></p>]]></description>
			<dc:date>2010-02-12T09:39:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>regional_registries</category><category>security</category>
		</item>
		
		<item>
			<title>IPv6 and the Swedish Public Sector</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100211_ipv6_for_the_swedish_public_sector/</guid>
			<link>http://www.circleid.com/posts/20100211_ipv6_for_the_swedish_public_sector/</link>
			<description><![CDATA[<p><em>This post has been co-authored by <a href="http://www.circleid.com/members/4496">Jörgen Eriksson</a> and <a href="http://www.circleid.com/members/4450/">Torbjörn Eklöv</a>.</em>
</p>
<p>
No one can have failed to notice that the last IPv4 address will soon be allocated. We have lived with a shortage of addresses for 15 years, but when the last address is allocated, the shortage will become acute, instead of just a pain, as it is today. There is much to read on <a href="http://www.ipv6forum.se">http://www.ipv6forum.se</a> and <a href="http://www.ipv6actnow.org/">http://www.ipv6actnow.org/</a>.
</p>
<p>
In <em>The Hitchhiker's Guide to the Galaxy</em>, Douglas Adams describes the least expensive and most effective method for making something invisible. You simply decide that it is Someone Else's Problem or SEP, if you abbreviate. This is an approach that is frighteningly similar to the Swedish public sector's view of the address shortage on the Internet. "It is not our problem&#8212;if we ignore it, it will probably go away."
</p>
<p>
The only reasonable solution for the long term is currently called IPv6, a technology that has been available for many years but which few have begun to use. We wondered a bit about how well the Swedish public sector is prepared for IPv6. We talked to a person who works with IT procurement, who said that he was not aware of a single procurement in recent years that required support for IPv6. One can wonder why this is so. One explanation is that the Legal, Financial and Administrative Services Agency, which currently handles procurement for the public sector, has not completed its procurement requirements, since the E-Delegation's study "Strategy for the authorities' work with e-administration" (SOU 2009:86) is still being circulated for comment. Hopefully, but far from certainly, this study will clearly indicate the need for IPv6 and other technologies as a basic requirement to ensure a stable and accessible Internet also in the future!
</p>
<p>
We have several proposals for the Swedish public sector that we hope they will adopt - not to be caught unprepared the day the Internet as we know it changes drastically.
</p>
<p>
<strong>Demand IPv6 from your Internet supplier</strong>
</p>
<p>
According to a study in October 2009, only 15 percent of Sweden's Internet suppliers are able to provide IPv6 (<a href="https://wiki.bc.net/atl-conf/pages/viewpage.action?pageId=23759757">source</a>). Those who cannot do so should be disqualified in an automated procurement, and as customers, you must put pressure on them by demanding that they activate IPv6 directly at installation. Do not let them get away with vague promises of "in the autumn!" If they cannot support IPv6 now, they have no place in the market.
</p>
<p>
There are also suppliers that state that they are able to support IPv6, but a critical examination reveals that it is not as easy as they promise! So demand references for the same connection type and geographic area before signing any contracts. A good example is Telia, which needed about four months from order to delivery of IPv6. And they are not even able to deliver native IPv6, but only tunnels.
</p>
<p>
<strong>Make sure that all equipment and system software supports IPv6.</strong>
</p>
<p>
Examples of external systems that must support IPv6:
</p>
<ul><li>Firewalls &ndash; Many leading suppliers of firewalls have support for IPv6. If you are bound by long contracts for firewalls that only support IPv4, purchase an additional firewall. Place it in parallel to the old one and run all IPv6 in it. You will not need the same extensive set of rules or performance in a separate firewall, if it only runs IPv6! For SEK 10,000, you will have a firewall to start with and learn from.</li>
<li>Web servers &ndash; Most systems in the market are IPv6 compatible. The web is ideal as a first service! Google has been testing IPv6 for a number of years by making its ordinary search service available over IPv6, although at another address: <a href="http://ipv6.google.com">http://ipv6.google.com</a>. A company can do the same. This has minimal impact on the existing operating environment, yet provides an opportunity to test and learn the new protocol.</li>
<li>E-mail systems &ndash; Many companies today perform some form of filtering of e-mail for spam and virus before allowing it to enter internal systems. Demand that all e-mail servers that receive your e-mail from others must also accept IPv6 for incoming and outgoing e-mail.</li>
<li>Operating systems &ndash; Believe it or not, but Microsoft is a shining star with respect to support for IPv6 and is clearly ahead of the open-source operating systems based on Linux and BSD. Above all, Windows Vista and Windows 7 are excellent examples of systems with full IPv6 support, but even the older Windows XP handles IPv6 relatively well! It may be a good idea for the IT department to begin testing and using IPv6 so that they gain experience prior to a broader roll-out.</li>
<li>DNS &ndash; To be able to show the rest of the Internet that your services can be accessed via IPv6, your DNS must naturally identify the services that have IPv6 addresses. However, the DNS servers themselves should also be accessible via IPv6. If you have DNS servers with your ISP or elsewhere, check with them if they are ready, and if not, consider using another supplier that is!</li></ul>
<p>
<strong>Start training</strong>
</p>
<p>
Only short training is required to start IPv6, in our opinion. If you know IPv4, it is easy to get started with IPv6! And getting started will build experience&#8212;that is something you cannot get from classes! A good idea is to gather personnel from several municipalities or the public authorities with which you work and bring in an experienced technician to hold practical workshops to warm you up before investing major sums in training. Training always works best if you have some prior knowledge!
</p>
<p>
<strong>Other infrastructure that needs attention</strong>
</p>
<p>
DNSSEC &ndash; We naturally focus on IPv6, since that is one of our main interests. However, there are several extremely important areas where the public sector could take the lead. One of them is a more secure infrastructure for DNS, which is commonly known as DNSSEC. A few years ago, a researcher showed how easy it is to redirect a user wishing to access a given website or e-mail server to another malicious one. Today, upgrades have made this a little more difficult, but it is still possible. If DNSSEC were deployed by DNS operators, companies and ISPs, this loophole would be closed. Once again, the standard has been in place for some time, but introduction has been slow.
</p>
<p>
E-identification &ndash; Important decisions also remain to be taken regarding e-identification. The model that has been in use in Sweden for a number of years suffers from several deficiencies. It is important to place requirements on the system so that it,
</p>
<ul><li>is based on open standards,</li>
<li>provides full protection for personal integrity,</li>
<li>is technology-neutral and</li>
<li>is available to all players in all parts of society.</li></ul>
<p>
The roles of registrars and issuers of identification should also be made clear and separated. Today's system also suffers from the fact that only private persons can identify themselves. Companies, authorities and associations should naturally also be able to identify themselves! In this context, it is important that the government opens its databases in a manner that not only creates opportunities, but also protects integrity.
</p>
<p>
<strong>Am I already running IPv6?</strong>
</p>
<p>
Modern operating systems have IPv6 activated by default. This means that you may already be running IPv6 via an automatic tunnel service without knowing it! Test towards <a href="http://test.ipv6.tk">http://test.ipv6.tk</a> and you will see if you are running IPv6 or not! The results may vary with the same computer if you are at work or at home, depending on firewalls and other equipment.
</p>
<p>
<strong>Conclusion?</strong>
</p>
<p>
The pages <a href="http://www.kommunermedipv6.se">http://www.kommunermedipv6.se</a> and <a href="http://www.myndighetermedipv6.se">http://www.myndighetermedipv6.se</a> show that very little is happening, unfortunately. There must be a demand from above for the public sector to prioritize this in its IT operations. At the same time, this is not a monumental task! It is a matter of working days per agency, not several man years.
</p><p><em>Written by <a href="http://www.circleid.com/members/4450/">Torbjörn Eklöv</a>, CTO, Senior Network Architect, DNSSEC/IPv6</em></p>]]></description>
			<dc:date>2010-02-11T12:08:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>email</category><category>internet_governance</category><category>ipv6</category><category>security</category>
		</item>
		
		<item>
			<title>Swiss Among World Leaders in Enabling DNSSEC</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100203_swiss_among_world_leaders_in_enabling_dnssec/</guid>
			<link>http://www.circleid.com/posts/20100203_swiss_among_world_leaders_in_enabling_dnssec/</link>
			<description><![CDATA[<p>SWITCH, the registry for .CH and .LI domain names, enabled DNSSEC on day two of the annual Domain Pulse conference in Luzern yesterday. SWITCH became the third ccTLD registry to enable DNSSEC giving registrants of .CH domain names added security following .SE (Sweden) and .CZ (Czech Republic).
</p>
<p>
The added security for internet users allows for a more secure internet, especially important for banks and other financial services providers, for example.
</p>
<p>
At the Domain Pulse conference, Urs Eppenberger of SWITCH and Marc Furrer of the Swiss Federal Communications Commission (ComCom) enabled DNSSEC.
</p>
<p>
Furrer said he was very pleased with the efforts of SWITCH to be playing a leading role in the implementation of more secure internet communications and commerce.
</p>
<p>
"I am particularly proud of the fact that Switzerland is one of the first countries in Europe to introduce DNSSEC. This now guarantees security in the internet" said a delighted Marc Furrer, President of ComCom, in a statement.
</p>
<p>
Meanwhile DENIC is on schedule to prepare a test bed for registrars and this phase will run until 2011, said Sabine Dolderer, the company's CEO.
</p>
<p>
However, nic.at will not be introducing DNSSEC in 2010, said Richard Wein, CEO of nic.at. Wein believes there is not yet the demand or the market for it in Austria (.AT) at the moment, but like DENIC, nic.at will be watching developments in the .CH ccTLD closely. Nic.at will be preparing for DNSSEC internally to have it ready for deployment when there is a demand.
</p>
<p>
Nic.at is also preparing an innovative business model to allow internet companies from registries, and in particular those planning to apply for new generic Top Level Domains (gTLDs), registrars, banks and others demanding a high level of security, to use their infrastructure. It is planned to have this finalised in the summer of 2010.
</p>
<p>
Other presentations included Steve Gobin from ICANN, who spoke of the new Registrar Accreditation Agreement, while Simon Kopp of Kantonspolizei Luzern spoke about the <a href="http://fit4chat.ch/">Fit4Chat website</a>, an initiative of the Luzern canton's police department to help parents and children deal with unwanted contact from strangers, and in particular older adults, online.
</p>
<p>
There was also a presentation on internationalised domain names (IDNs) from Leonid Todorov from the Coordination Centre for TLD RU who explained the difficulties for Russian users in having to use only Latin characters for domain names. With a very small number of English speakers, especially in the more remote regions, and no adequate Latin/Cyrillic script translation, particularly relating to international trademarks, the introduction of IDNs will be of huge benefit to internet users in the country.
</p>
<p>
The 2011 Domain Pulse conference will be held in Vienna, Austria, from 17 to 18 February which will more or less coincide with the predicted one millionth .AT domain registration milestone.
</p>
<p>
Videos and slides of all presentations, mostly in German, are available on the Domain Pulse website at <a href="http://www.domainpulse.ch/">Domain Pulse conference website</a> although without simultaneous translations as occurred during the meeting.
</p><p><em>Written by <a href="http://www.circleid.com/members/2711/">David Goldstein</a>, Consultant, researcher and analyst</em></p>]]></description>
			<dc:date>2010-02-03T08:51:00-08:00</dc:date>
			<category>internet</category><category>dnssec</category><category>domain_names</category><category>domain_registries</category><category>icann</category><category>multilinguism</category><category>top_level_domains</category>
		</item>
		
		<item>
			<title>Domain Name Security Gains Prominence in German&#45;Speaking World</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100202_domain_name_security_gains_prominence_in_german_speaking_world/</guid>
			<link>http://www.circleid.com/posts/20100202_domain_name_security_gains_prominence_in_german_speaking_world/</link>
			<description><![CDATA[<p>The 2010 Domain Pulse, hosted by SWITCH (the .CH registry) was held in the snowy Swiss city of Luzern. Domain Name Security (DNS) was of particular importance in this year's meeting with DNSSEC being implemented in the root zone in 2010 by ICANN, and by many registries in the next few years.
</p>
<p>
ICANN plans to have all root servers signed with DNSSEC by mid-2010, Kim Davies, Manager, Root Zone Services at ICANN, told the meeting, starting with the L root server, then the A root server, with the last being the J root server as all are gradually signed.
</p>
<p>
ICANN has taken a conservative approach to deploying DNSSEC to ensure there are no mistakes in its implementation, said Davies.
</p>
<p>
Meanwhile, the registration of domain names that are responsible for illegal content, such as phishing or child pornography, was hotly discussed.
</p>
<p>
In a discussion, lawyers from Germany, Austria and Switzerland said, in varying degrees, that when it is difficult to contact the domain registrant, using the registrar as a means of deleting the domain name was justified.
</p>
<p>
All three lawyers, Clara-Ann Gordon (Switzerland), Dr. Boris Uphoff (Germany) and Michael Pilz (Austria), said that when it is difficult to contact the domain registrant, using the registrar as a means of deleting the domain name was justified.
</p>
<p>
Difficulties can often occur in the event of such a domain name registration when the registrant includes false registration information.
</p>
<p>
The registries, represented by their legal counsel Stephan Welzel (DENIC), Barbara Schlossbauer (nic.at) and Nicole Beranek Zanon (SWITCH) took this discussion further and explained what happens when there are difficulties in contacting registrants such as when there is illegal use of the domain name, such as illegal content.
</p>
<p>
In the case of phishing, in Austria, if the registry is certain the content is legal, the domain name is deleted; in Germany the domain name is not deleted, as they believe the domain name is not the problem but the content is; while in Switzerland they temporarily block the domain until the legal situation is sorted out.
</p>
<p>
Videos of all presentations, mostly in German, are available on the Domain Pulse website at <a href="http://domainpulse.ch/">domainpulse.ch</a> although without simultaneous translations as occurred during the meeting.
</p>
<p>
<strong>Update Feb.02.2010:</strong> A paragraph removed due to possible inaccuracy.
</p><p><em>Written by <a href="http://www.circleid.com/members/2711/">David Goldstein</a>, Consultant, researcher and analyst</em></p>]]></description>
			<dc:date>2010-02-02T11:22:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>cybersquatting</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>domain_registries</category><category>icann</category><category>internet_governance</category><category>policy_regulation</category><category>security</category>
		</item>
		
		<item>
			<title>ICANN and Cybersecurity: Hot Topics at The First Ever .ORG Forum</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/icann_and_cybersecurity_hot_topics_at_the_first_ever_org_forum/</guid>
			<link>http://www.circleid.com/posts/icann_and_cybersecurity_hot_topics_at_the_first_ever_org_forum/</link>
			<description><![CDATA[<p>The numbers say it all: In 2009, there were 148,000 zombie computers (spammers, botnets, etc.) created per day, over 2.6 million known malicious code threats at the start of 2009, and by the end of the year, nearly 1 million new ones were created. In other words, to quote the illustrious <a href="http://www.steptoe.com/professionals-762.html">Stewart Baker</a>: "[The security threat] is worse than we even thought."
</p>
<p>
As we head into 2010, it's no secret that the issues of security and the prevention of internet identity theft in all its forms are of critical importance. That's why .ORG, the Public Interest Registry, was honored to host the <a href="http://pir.org/index.php?db=content/Website&amp;tbl=About_Us&amp;id=22">First .ORG Forum</a> in Washington, D.C.
</p>
<p>
.ORG CEO <a href="http://pir.org/index.php?db=content/Website&amp;tbl=About_Us&amp;id=2">Alexa Raad</a>, <a href="http://www.icann.org/en/biog/beckstrom.htm">Rod Beckstrom</a> (CEO and President of ICANN), Stewart Baker (Partner at the law firm of Steptoe &amp; Johnson), <a href="http://pir.org/index.php?db=content/Website&amp;tbl=About_Us&amp;id=24">Michael Nelson</a> (visiting Professor of Internet Studies at Georgetown University) and <a href="http://pir.org/index.php?db=content/Website&amp;tbl=About_Us&amp;id=25">Douglas Maughan</a> (Program Manager at the Department of Homeland Security) debated the future of ICANN, grappling with a series of burning questions like: What roles should ICANN, government and private industry play to ensure that new TLD remain safe and secure? How should they interact or collaborate to solve some of the major security threats prior to releasing new TLD? In the continuum between regulatory policies and technical oversight, where do you think ICANN should focus on as a priority to increase internet security?
</p>
<p>
Interested in hearing their thoughts and comments first-hand? Good news! You can watch the roundtable discussion by <a href="http://pir.org/index.php?db=content/Website&amp;tbl=About_Us&amp;id=22">clicking here</a>. The recorded session is broken into four parts. Comments, thoughts and, of course, ideas for future Forums are welcome.
</p>
<p>
We thank all of you who were able to join us in-person and online for yesterday's inaugural event. Most importantly, our deepest appreciation goes out to Rod, Stewart, Michael and Douglas for lending their unparalleled insight and helping make our first annual Forum an overwhelming success.
</p>
<p>
Stay tuned for details on our next Forum!
</p>]]></description>
			<dc:date>2010-01-31T09:10:01-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>domain_registries</category><category>icann</category><category>internet_governance</category><category>malware</category><category>policy_regulation</category><category>security</category><category>top_level_domains</category>
		</item>
		
		<item>
			<title>DNSSEC: Will Microsoft Have Enough Time?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/dnssec_will_microsoft_have_enough_time/</guid>
			<link>http://www.circleid.com/posts/dnssec_will_microsoft_have_enough_time/</link>
			<description><![CDATA[<p>I have previously pointed out the shortcomings of good and user friendly support for DNSSEC in Microsoft's Server 2008 R2. During the period just after I wrote <a href="http://www.internetdagarna.se/track/ip-och-infrastruktur/microsoft-gor-dnssec-svart">the post</a> [Swedish], I had a dialogue with Microsoft, but during the last months there has been no word at all.
</p>
<p>
The reason I bring this up again is that more and more Top Level Domains (TLDs) now enable DNSSEC and also the fact that within six months the root will be signed. Since my initial post, Microsoft have updated their guide on how to activate the signing and validation of DNSSEC.
</p>
<p>
The document, <em>"DNS_SVR2008R2_DNSSEC.doc"</em>, has now expanded from 30 pages to 80 pages&#8212;but this newer, more comprehensive version, hasn't made it any easier to configure their product, as you all can imagine. With this said, it is important to point out that there are other systems out on the market that handle DNSSEC in a good and user friendly way&#8212;and I really think Microsoft should be amongst them!
</p>
<p>
<strong>My view on requirements for the use of Microsoft's DNS with DNSSEC:</strong>
</p>
<p>
<strong><em>A functional GUI!</em></strong>
</p>
<p>
Today Microsoft uses only a command-line based system where the commands in turn use many complex parameters. A Windows administrator in general is most familiar with things like "right click-&gt; Properties-&gt; sign domain" or "right click-&gt; Properties-&gt; DNSSEC settings". If we compare the handling in Windows with the most commonly used open source products, the latter are much easier to use.
</p>
<p>
<strong><em>Distribution of Trust Anchors!</em></strong>
</p>
<p>
I strongly suggest that Microsoft uses Windows Update for the handling of Trust Anchor, since the interface in the DNS-manager is nothing short of horrible.
</p>
<p>
There are some third party products on the market that solve some of the problems with the distribution of Trust Anchors and GUI, but how many users understand or accept that they must invest in, and use, a third party solution?
</p>
<p>
<strong><em>Support for NSEC3!</em></strong>
</p>
<p>
There is only support for NSEC and no support for signing and validating NSEC3 in Microsoft's products. Almost all new TLDs use NSEC3, and with Microsoft's DNS we cannot validate these TLDs. How will Microsoft act here? On page 60 in <em>"DNS_SVR2008R2_DNSSEC.doc"</em> they state what can and cannot be done with NSEC3. Therefore it seems that they have support for NSEC3&#8212;but the simple fact is that they have not!
</p>
<p>
In one of the responses to my earlier questions Microsoft said that the NSEC3 standard was completed too late in order to be implemented in Server 2008 R2. This gives an indication of the sometimes superior speed that open source programs offer. Many of the DNS appliances use BIND/NSD/Unbound and can therefore easily implement NSEC3 since these platforms have had that support for a long time.
</p>
<p>
But a solution might be on its way. I have, from undisclosed sources, heard rumors that Microsoft will support RSA/SHA256 in an upcoming service pack/update/version and if so they will be able to support NSEC3 at the same time!
</p>
<p>
<strong><em>Workarounds for validation!</em></strong>
</p>
<p>
Microsoft has, from a simplified point of view, two server platforms, Windows Server 2008 and Small Business Server 2008. The DNS servers in both platforms use default root hints and a DNS-forwarder towards a DNS of your choice via configuration and can therefore easily obtain validation via DNSSEC.
</p>
<p>
For example: Microsoft DNS -&gt; validating DNS -&gt; Internet
</p>
<p>
The validating DNS can be an internal DNS or your ISP's DNS. You can easily test if a DNS validates DNSSEC by checking the status at <a href="http://test.ipv6.tk">test.ipv6.tk</a>. Remember that you have to change your computer's DNS to the DNS you want to test.
</p>
<p>
<strong><em>Signing dynamic zones!</em></strong>
</p>
<p>
If Microsoft reworks and updates their DNSSEC implementation according to my ideas, it is also possible that they will not only support the signing of static offline zones. They should also support the signing of dynamic zones, that is, for example, handle zones generated from AD data and dynamic addresses. This would be most welcome, but I also believe that the internal zones inside the domain need to be secured towards the internal clients!
</p>
<p>
<strong>Future Internet</strong>
</p>
<p>
There are two things on the Internet today which I think are most important to the continued development of a secure, stable and scalable Internet; One is DNSSEC, where Microsoft today (unfortunately) simply can't match my expectations and need and competition from other products. The second is IPv6, where Microsoft on the other hand offers the, by far, best support for IPv6 in all available operating systems!
</p>
<p>
My thoughts can be summarized in one question: <em><u>-Will Microsoft settle for only half of the solution?</u></em>
</p><p><em>Written by <a href="http://www.circleid.com/members/4450/">Torbjörn Eklöv</a>, CTO, Senior Network Architect, DNSSEC/IPv6</em></p>]]></description>
			<dc:date>2010-01-29T12:20:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>security</category>
		</item>
		
		<item>
			<title>AFNIC Invites Network Managers to Prepare for the Signing of the DNS Root in May 2010</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/afnic_invites_network_managers_to_prepare_for_the_signing_of_the_dns_root/</guid>
			<link>http://www.circleid.com/posts/afnic_invites_network_managers_to_prepare_for_the_signing_of_the_dns_root/</link>
			<description><![CDATA[<p><a href="http://www.circleid.com/members/4444">Loic Damilaville</a> writes: "From May 2010, all the root servers on which the working of the domain name system depends, will be giving DNS responses signed by using the DNSSEC protocol. This evolution aims for increasing the confidence in DNS responses (by authenticating their origin); administrators of networks connected to Internet should be aware that this evolution could cause some service disruptions. In fact, the changes in the root server configuration could lead to a DNS disconnection risk, and therefore disruption of Internet service in certain cases..."
</p><p><strong>Read full story:</strong> <a href="http://www.afnic.fr/actu/nouvelles/240/afnic-invites-network-managers-to-prepare-for-the-signing-of-the-dns-root-in-may-2010">External Source</a></p>]]></description>
			<dc:date>2010-01-28T08:36:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>security</category>
		</item>
		
		<item>
			<title>ICANN Begins Public DNSSEC Test Plan for the Root Zone</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100127_icann_begins_public_dnssec_test_plan_for_the_root_zone/</guid>
			<link>http://www.circleid.com/posts/20100127_icann_begins_public_dnssec_test_plan_for_the_root_zone/</link>
			<description><![CDATA[<p>The deployment of Domain Name System Security Extensions (DNSSEC) for the root zone got an official start today with its public signing for the first time. DNSSEC for the root zone is a joint effort between ICANN and VeriSign, with support from the U.S. Department of Commerce to improve security of the Internet's naming infrastructure.
</p>
<p>
Kim Davies, ICANN's Manager of Root Zone Services, says: "What happened today was the deliberately un-validatable root zone started being published on l.root-servers.net. It is anticipated this will be rolled out across the other root servers over the coming months. This phase is designed to identify any issues with the larger DNS response sizes associated with DNSSEC data."
</p>
<p>
For up to date status of the root signing deployment project, see <a href="http://www.root-dnssec.org/">http://www.root-dnssec.org/</a>.
</p><p><strong>Other sources:</strong> (UPDATED Jan 27, 2010 6:17 PM PST)<br /><a href="http://www.icann.org/en/announcements/announcement-27jan10-en.htm">Official Announcement from ICANN</a> Jan.27.2010<br />
<a href="https://www.dns-oarc.net/node/240">L-Root now serving "DURZ" signed responses</a> DNS-OARC, Jan.27.2010</p>]]></description>
			<dc:date>2010-01-27T13:00:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>icann</category><category>security</category>
		</item>
		
		<item>
			<title>Arbor Networks: Internet Architecture and Operations Facing Perfect Storm</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/internet_architecture_operations_facing_perfect_storm/</guid>
			<link>http://www.circleid.com/posts/internet_architecture_operations_facing_perfect_storm/</link>
			<description><![CDATA[<p>According to the latest Infrastructure Security Report by Arbor Networks, the Internet architecture and operations are about to face a perfect storm with the convergence of issues including IPv4 to IPv6 migration, implementation of DNS Security Extensions (DNSSEC) and the transition to 4-byte ASNs (used for inter-domain routing on the Internet). "Any one of these changes alone would constitute a significant architectural and operational challenge for network operators; considered together, they represent the greatest and potentially most disruptive set of circumstances in the history of the Internet, given its growth in importance to worldwide communications and commerce," says the report.
</p>
<p>
Jennifer Pigg, vice president, Enabling Technologies at Yankee Group says: "Earlier major architecture changes were implemented when the Internet was an experimental network with little or no relevance to most people. Today, the majority of global business networks are entirely reliant on Internet availability, stability and integrity. With the introduction of DNSSEC, IPv4 exhaustion and IPv6 deployment, these networks are facing a perfect storm: multiple, simultaneous, large-scale changes."
</p>
<p>
<strong>Related Links:</strong> <a href="http://www.arbornetworks.com/en/arbor-networks-releases-fifth-annual-infrastructure-security-report-2.html">Related Press Release</a> / <a href="http://www.arbornetworks.com/report">Full Report</a>
</p>]]></description>
			<dc:date>2010-01-20T12:55:00-08:00</dc:date>
			<category>internet</category><category>dnssec</category><category>ipv6</category><category>security</category>
		</item>
		
		<item>
			<title>CircleID&apos;s Top 10 Posts of 2009</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100104_circleid_top_10_posts_of_2009/</guid>
			<link>http://www.circleid.com/posts/20100104_circleid_top_10_posts_of_2009/</link>
			<description><![CDATA[<p>Looking back at the year that just ended, here are the top ten most popular news, blogs, and industry news on CircleID in 2009 based on the overall readership of the posts. Congratulations to all the participants whose posts reached top readership in 2009 and best wishes to the entire community in 2010.
</p>
<p>
<strong>Top 10 Featured <a href="http://www.circleid.com/blogs/">Blogs</a> in 2009:</strong>
</p>
<ol>
<li><a href="http://www.circleid.com/posts/20091008_yahoo_gmail_hotmail_compromised_but_how/">Yahoo, Gmail, Hotmail Compromised - But How?</a>
<br />
by <a href="http://www.circleid.com/members/2859/">Terry Zink</a> - Oct 08, 2009</li>
<li><a href="http://www.circleid.com/posts/20090614_closer_look_at_iran_internet_strange_changes/">A Closer Look at Iran's State of Internet, Strange Transit Changes in Wake of Controversial Election</a>
<br />
by <a href="http://www.circleid.com/members/3638/">Jim Cowie</a> - Jun 14, 2009</li>
<li><a href="http://www.circleid.com/posts/20090310_wimax_vs_lte/">WiMAX vs. LTE</a>
<br />
by <a href="http://www.circleid.com/members/3749/">Paul Budde</a> - Mar 10, 2009</li>
<li><a href="http://www.circleid.com/posts/20090608_chinas_green_dam_youth_escort_software/">China's "Green Dam Youth Escort" Software</a>
<br />
by <a href="http://www.circleid.com/members/1486/">Rebecca MacKinnon</a> - Jun 08, 2009</li>
<li><a href="http://www.circleid.com/posts/20090609_verizon_mandates_ipv6_support_for_next_gen_cell_phones/">Verizon Mandates IPv6 Support for Next-Gen Cell Phones</a>
<br />
by <a href="http://www.circleid.com/members/3695/">Derek Morr</a> - Jun 09, 2009</li>
<li><a href="http://www.circleid.com/posts/20090306_cloud_computing_types_public_hybrid_private/">Cloud Computing Types: Public Cloud, Hybrid Cloud, Private Cloud</a>
<br />
by <a href="http://www.circleid.com/members/3507/">Sam Johnston</a> - Mar 06, 2009</li>
<li><a href="http://www.circleid.com/posts/20090513_cant_connect_wont_connect/">Can't Connect&#8230; Won't Connect</a>
<br />
by <a href="http://www.circleid.com/members/1120/">Bill Thompson</a> - May 13, 2009</li>
<li><a href="http://www.circleid.com/posts/20090413_cybersecurity_act_of_2009/">The Cybersecurity Act of 2009</a>
<br />
by <a href="http://www.circleid.com/members/3631/">Steven Bellovin</a> - Apr 13, 2009</li>
<li><a href="http://www.circleid.com/posts/20090313_google_adsense_publishers_change_privacy_policy/">Google AdSense Asks Publishers to Change Their Websites' Privacy Policy</a>
<br />
by <a href="http://www.circleid.com/members/2077/">Dhaval Doshi</a> - Mar 13, 2009</li>
<li><a href="http://www.circleid.com/posts/20090416_youtube_analysts_internet_peering/">YouTube's Fine - Analysts Don't Understand Internet Peering</a>
<br />
by <a href="http://www.circleid.com/members/2691/">Brough Turner</a> - Apr 16, 2009</li>
</ol>
<p>
<strong>Top 10 <a href="http://www.circleid.com/news/">News</a> in 2009:</strong>
</p>
<ol>
<li><a href="http://www.circleid.com/posts/20090123_network_solutions_down_ddos_attack/">Network Solutions Under Large Scale DDoS Attack, Millions of Websites Potentially Unreachable</a>
<br />
Jan 23, 2009</li>
<li><a href="http://www.circleid.com/posts/physical_force_in_response_to_cyberattack/">U.S. General Reserves Right to Use Physical Force, Even Nuclear, in Response to Cyberattack</a>
<br />
May 13, 2009</li>
<li><a href="http://www.circleid.com/posts/google_cloud_storage_coming_within_weeks/">Google Cloud Storage Coming Within Weeks</a>
<br />
May 20, 2009</li>
<li><a href="http://www.circleid.com/posts/finland_first_country_to_make_broadband_a_legal_right/">Finland First Country to Make Broadband a Legal Right</a>
<br />
Oct 14, 2009</li>
<li><a href="http://www.circleid.com/posts/20090617_latest_updates_from_the_icann_meetings_in_sydney/">SPECIAL: Updates from the ICANN Meetings in Sydney</a>
<br />
Jun 26, 2009</li>
<li><a href="http://www.circleid.com/posts/20090108_google_services_over_ipv6/">Google Rolling Out Its Services Over IPv6</a>
<br />
Jan 08, 2009</li>
<li><a href="http://www.circleid.com/posts/icanns_president_ceo_announces_resignation/">ICANN's President and CEO Announces Resignation</a>
<br />
Mar 02, 2009</li>
<li><a href="http://www.circleid.com/posts/20090619_iran_internet_censorship_sophisticated/">Iran's Internet Censorship Most Sophisticated in the World</a>
<br />
Jun 19, 2009</li>
<li><a href="http://www.circleid.com/posts/20090709_comcast_unleashes_trial_dns_redirection_in_select_states/">Comcast Unleashes Trial DNS Redirection in Select States</a>
<br />
Jul 09, 2009</li>
<li><a href="http://www.circleid.com/posts/20090316_latest_cybersquatting_stats_wipo/">Latest Cybersquatting Stats from WIPO</a>
<br />
Mar 16, 2009</li>
</ol>
<p>
<strong>Top 10 <a href="http://www.circleid.com/industry/">Industry News</a> in 2009 by sponsored posts*:</strong>
</p>
<ol>
<li><a href="http://www.circleid.com/posts/20090430_facebook_markmonitor_antifraud_malware/">Facebook Selects MarkMonitor Antifraud Solutions to Combat Malware</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Apr 30, 2009</li>
<li><a href="http://www.circleid.com/posts/20090602_org_first_open_top_level_domain_dnssec/">.ORG First Open Top-Level Domain to be Signed with DNSSEC</a>
<br />
by <a href="http://www.circleid.com/members/1858/">PIR</a> - Jun 02, 2009</li>
<li><a href="http://www.circleid.com/posts/20090424_nonprofit_domain_registry_social_media/">Perspectives from a Nonprofit Domain Name Registry on Navigating the Social Media Frontier</a>
<br />
by <a href="http://www.circleid.com/members/1858/">PIR</a> - Apr 24, 2009</li>
<li><a href="http://www.circleid.com/posts/20090522_expanding_internet_access_driving_software_piracy/">Expanding Internet Access Driving Software Piracy, Study Says</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - May 22, 2009</li>
<li><a href="http://www.circleid.com/posts/2009_important_documents_released_by_icann/">A Seemingly Overwhelming Number of Important Documents Released by ICANN</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Jun 02, 2009</li>
<li><a href="http://www.circleid.com/posts/markmonitor_antiphishing_antimalware_capabilities/">MarkMonitor AntiFraud Solutions Combine Proven Antiphishing and Expert Antimalware Capabilities</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Mar 23, 2009</li>
<li><a href="http://www.circleid.com/posts/20090319_dnsstuff_trusteer_against_online_fraud/">DNSstuff.com Offers Trusteer Rapport Product to Help Users Boost Their Defenses Against Online Fraud</a>
<br />
by <a href="http://www.circleid.com/members/3855/">DNSstuff</a> - Mar 23, 2009</li>
<li><a href="http://www.circleid.com/posts/20090520_dotmobi_names_autotradermobi_millionth_site_tested/">dotMobi Names AutoTrader.mobi as Millionth Site Tested by Acclaimed mobiReady Tool</a>
<br />
by <a href="http://www.circleid.com/members/1975/">dotMobi</a> - May 20, 2009</li>
<li><a href="http://www.circleid.com/posts/20090415_ip_rights_in_digital_environment/">IP Rights in Digital Environment Key Element of Proposed Treaty</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Apr 15, 2009</li>
<li><a href="http://www.circleid.com/posts/20090318_cocc_markmonitor_anti_phishing/">COCC Partners with MarkMonitor for Anti-Phishing Services</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Mar 18, 2009</li>
</ol>
<p>
<em>* Featured news updates from CircleID's industry participants; more information <a href="http://www.circleid.com/advertise/">here</a> - see 'Dedicated Marketing Channel' section</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/501/">CircleID Reporter</a></em></p>]]></description>
			<dc:date>2010-01-04T12:56:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>broadband</category><category>censorship</category><category>cloud_computing</category><category>cyberattack</category><category>cybercrime</category><category>cybersquatting</category><category>data_center</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>domain_registries</category><category>email</category><category>icann</category><category>internet_governance</category><category>internet_protocol</category><category>ip_addressing</category><category>ipv6</category><category>law</category><category>malware</category><category>mobile</category><category>multilinguism</category><category>net_neutrality</category><category>p2p</category><category>policy_regulation</category><category>privacy</category><category>regional_registries</category><category>security</category><category>spam</category><category>telecom</category><category>top_level_domains</category><category>voip</category><category>web</category><category>white_space</category><category>whois</category><category>wireless</category>
		</item>
		
	</channel>
</rss>