Tag Archives: DNSSEC

.VN Sees Domain Registration Growth of 8.3% in 2018 On Back Of New Online Registration System

IPv6 penetration grew by a quarter (25.85%) in 2018 to take Viet Nam’s ccTLD to 13th place globally for IPv6 adoption while domain names under management reached 465,890, an increase of 8.3% compared to the end of 2017. Since 2011, .vn has been one of the top 10 ccTLDs for growth in the Asia Pacific.

The growth in registrations in 2018 came on the back of a new registration procedure and management system for .vn that came into effect in September 2018. The simplified registration process means it’s much easier to register domain names in Viet Nam’s country code top level domain while still complying with Vietnamese regulations and laws.

The growth in IPv6 deployment of 25.85% means there are now more than 14 million IPv6 users, including 6.5 million FTTH subscribers and 3.1 million mobile users. Viet Nam was ranked second in ASEAN, 6th in Asia Pacific and 13th globally for the highest IPv6 adoption rate.

2018 also saw VNNIC, the .vn ccTLD registry, continuously improve the stable connection, security and safety for the national DNS .VN system and other critical information infrastructures operated by VNNIC. DNSSEC was extended to all national DNS servers and the national .vn DNS system is connected with DNS ROOT and international DNS systems.

By the end of 2018, the Viet Nam National Internet eXchange (VNIX) system had 20 members peering over exchange points in Ha Noi city, Da Nang city and Ho Chi Minh city with the total connection bandwidth reaching 269 Gbps. 13 of the VNIX members deployed dual-stack networks. Among them, CMCTI, VNPTNET and Viettel are the 3 ISPs with the highest amount of traffic over VNIX, at 51GB, 50GB and 42GB respectively, an increase of about 34% compared to their traffic over VNIX in 2017.

On 7 August, VNNIC maintained and extended the validity of the ISO/IEC 27001:2013 certification standard within the scope of operation and management of essential network systems in Viet Nam including the national DNS .VN system, the Internet eXchange system and Internet data centers (IDCs) in Ha Noi city, Da Nang city and Ho Chi Minh city.

In 2019, VNNIC’s plans include accomplishing the Viet Nam National IPv6 Action Plan, continuing to promote the use of internet resources in Viet Nam, strengthening the security of critical information infrastructures including the national DNS .vn and VNIX system, improving the effectiveness of internet resources management policy, developing regulations for the auction of one and two-character .vn domain names, and innovating the VNIX operating system following international standards.

.DE Reaches 100,000 DNSSEC Domain Names

It’s taken over 6 years, but the 100,000th .de domain name to be signed with DNSSEC was reached last week according to a statement from DENIC.

DENIC has been supporting the Domain Name System Security Extensions (DNSSEC) since 2011. For the first 4 years DNSSEC-signed .de domain names grew slowly, and then around May 2015 there was a sharp rise which has been followed by a steady increase to today’s 100,000. Even though less than 1% of the 16.2 million domain names for Germany’s country code top level domain (ccTLD) are digitally signed, the ongoing growth shows a growing interest in a secure Internet, to which DENIC is constantly committed.

DNSSEC is a security measure that ensures the authenticity and integrity of data in the DNS (Domain Name System). In particular, the security extension serves to protect the content data against modification on the transmission path.

A central component of this security mechanism is the so-called “trust anchor” of the DNS. This anchor that applies for the global DNS and falls within the responsibility of ICANN will be replaced with a new one for the first time on 11 October 2018.

ICANN: Request for Proposal: DNSSEC KSK Management Tools

ICANN is soliciting proposals to identify a provider that will develop and maintain software for its affiliate Public Technical Identifiers (PTI) that will replace the existing Domain Name System Security Extensions (DNSSEC) Key Signing Key (KSK) Management Tools. These tools comprise a critical component of the delivery of the IANA functions by PTI. The selected provider, in coordination with PTI, will be responsible for all aspects of development and implementation including design, programming, testing and configuration.

All deliverables must be created under formal guidelines with comprehensive documentation. The software will be published under an open source license and must incorporate industry best practices with documented test cases that will be shared with the Internet community.

The DNSSEC KSK Management Tools are a set of software utilities to manage the KSK life cycle, including processing Key Signing Requests (KSRs) and generating Signed Key Responses (SKRs), as part of executing the Root Zone KSK ceremonies.

PTI seeks a well-qualified provider to develop and maintain this new software based on provided requirements, to provide ongoing maintenance and to develop potential future enhancements. This software will help improve the efficiency and resiliency of management of the Root Zone KSK, which can also be leveraged by other DNSSEC practitioners in their operations.

For an overview of the RFP including the timeline, please click here [PDF, 182 KB]

Indications of interest should be emailed to DNSSEC.KSK.Management.Tools-RFP@icann.org. Proposals should be electronically submitted by 23:59 UTC on 10 October 2018 using ICANN’s sourcing tool. Access to the ICANN org sourcing tool may be requested via the same email above.


ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:

Annual IANA Functions, DNSSEC Audits Validate ICANN Systems Controls

ICANN has completed audits of the IANA registry management systems and the Domain Name System Security Extensions (DNSSEC) services it provides. International accounting firm PricewaterhouseCoopers conducted the audits for the period of 1 December 2015 through 30 September 2016.

For the fourth consecutive year, a Service Organization Control (SOC) 2 audit of the IANA registry maintenance systems shows that ICANN has the appropriate controls in place to ensure the security, availability and processing integrity of IANA functions transactions.

For the seventh consecutive year, ICANN has achieved SOC 3 certification for its management of the DNSSEC root key signing key, which is the trust anchor of the domain name system. SOC 3 certification demonstrates that ICANN’s root key signing key processes contain appropriate security measures, and that these processes have been executed as planned. The certificate is publicly available at http://iana.org/audits.

During the period, ICANN upgraded the physical security systems of the Key Management Facilities. “Physical security is an important line of defense to protect the root key signing key,” said Elise Gerich, ICANN’s Vice President of IANA and Technical Operations. “The upgrade helped us stay SOC compliant and promotes the prevention and detection of unauthorized access.” Gerich also serves as President of Public Technical Identifiers, an affiliate of ICANN.

SOC audits evaluate an organization’s controls in relation to “trust services principles and criteria” managed by the American Institute of Certified Public Accountants.


ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation and a community with participants from all over the world. ICANN and its community help keep the Internet secure, stable and interoperable. It also promotes competition and develops policy for the top-level of the Internet’s naming system and facilitates the use of other unique Internet identifiers. For more information please visit: www.icann.org.

This ICANN announcement was sourced from:

Dutch Banks And ISPs Lag When Protecting Their .NL Domains With DNSSEC, But Government Makes Great Progress

The number of .nl (Netherlands) domain names protected by DNSSEC is approaching half (46%) of all registrations, but there are two sectors in particular that are lagging according to a recent report from the .NL registry SIDN. The banking sector with only 6% and ISPs with 22% of registrations are lagging behind other sectors when it comes to protecting domain names with DNSSEC.

A previous inventory in 2014 found that financial service providers, listed companies, government organisations and internet service providers were lagging a long way behind other sectors. Since then, the number of signed domain names in all the underperforming sectors has risen, but most remain disappointing compared with the pace-setters. Government organisations form an exception, however: they are doing much better than three years ago, rising from 11% of government websites being secured to 59% today, putting the government third in the sector league table.

Over the last two years, various new safety applications have been rolled out, which piggy-back on the DNSSEC infrastructure. As a result, DNSSEC has gone from being a technology-driven expense to being an enabler for key security applications designed to tackle phishing, spamming, spoofing and other email abuses.

In addition, the obstacles in the way of secure domain name transfers have recently been resolved. SIDN has developed a method that enables registrars all over the world to transfer domain names securely, by following a uniform procedure based on EPP (the Extensible Provisioning Protocol). Last week, the new method was formally adopted as a global standard by the Internet Engineering Task Force (IETF).

“Against that backdrop, it’s hard to think of any good reason for not implementing DNSSEC protection,” continues Meijer. “We believe that it’s now up to the big internet service providers to act. It’s really important that they get behind DNSSEC, because the protocol is only effective if ISPs commit to validating domain names’ digital signatures. Late last year, XS4ALL took the plunge and became the first national internet service provider to enable DNSSEC validation.”

For the DNSSEC Inventory 2017, SIDN analysed more than seven thousand domain names in four general sectors: financial services, the public sector, internet and telecom service providers, and listed companies. The analysis made use of the DNSSEC Portfolio Checker developed by SIDN labs.

DNSSEC involves the cryptographic protection of domain name information. It makes the internet’s ‘signpost system’ more secure and more reliable. If a domain name is secured with DNSSEC, people who want to visit the associated website are protected against being misdirected to a fraudster’s IP address. Without DNSSEC, there’s a risk that, despite entering the right domain name, people will end up on a fake site set up to trick them. DNSSEC also forms the basis for new applications, such as systems for making e-mail safer and easily sharing cryptographic keys for securing internet communications.

SGNIC introduces DNSSEC capability for .SG domain names

[news release] The Singapore Network Information Centre (SGNIC) has introduced the Domain Name System Security Extension (DNSSEC) as an optional, opt-in feature for .SG domain names. SGNIC encourages all .SG domain name registrants to enable the feature.

DNSSEC is a security feature which uses digital signatures to protect domain names from Domain Name System (DNS) spoofing attacks – i.e. attacks that redirect an Internet end-user to malicious sites rather than the intended site. It mitigates such spoofing attacks and complements other security protection mechanisms such as Secure Sockets Layer (SSL) certificates and two-factor authentications.

The DNSSEC security feature must be enabled by both .SG domain name owners and Internet Service Providers (ISPs) on their respective ends for it to work. To do so, .SG domain name owners must instruct their DNS hosting provider and domain name registrar to activate it. ISPs must also activate DNSSEC-recognition for their end-users. End-users will enjoy the same user experience, while having seamless protection.

“The Domain Name System is like the ‘phone book’ of the Internet, translating domain names to the right IP addresses of a website. DNSSEC protects the integrity of the information stored in the DNS and protects the owner of a domain name against spoofing of IP addresses. With the deployment of DNSSEC in the .SG zone, registrants who wish to provide their website visitors an additional layer of assurance can enable it on their respective .SG domain names. We encourage registrants to opt-in for DNSSEC to further secure their websites,” said Mr. Queh Ser Pheng, General Manager of SGNIC.

For more information on DNSSEC, please refer to the following link:

Neustar Finds DNSSEC Reflection Severe DDoS Risk

Neustar recently published research that detailed how Domain Name System Security Extensions (DNSSEC) can be subverted as an amplifier in Distributed-Denial-of-Service (DDoS) attacks.

In the research, “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us”, Neustar found that on average, DNSSEC reflection can transform an 80-byte query into a 2,313-byte response, an amplification factor of nearly 30 times, which can easily cause a network service outage during a DDoS attack, resulting in lost revenue and data breaches.

“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” said Joe Loveless, Director Product Marketing, Security Services, Neustar. “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”

DNSSEC was designed to provide integrity and authentication to DNS, which it accomplishes with complex digital signatures and key exchanges. As a result, when a DNS record is transferred to DNSSEC, an extraordinary amount of additional information is created. Additionally, when issuing the DNS command, “ANY,” the amplified response from DNSSEC is exponentially larger than a normal DNS reply.

Key findings and recommendations from the research included:

  • DNSSEC Vulnerabilities Are Prolific – Neustar examined one industry with 1,349 domains and determined 1,084 of them (80 percent) could be maliciously repurposed as a DDoS attack amplifier (they were signed with DNSSEC and responded to the “ANY” command).
  • The Average DNSSEC Amplification Factor is 28.9 – Neustar tested DNSSEC vulnerabilities with an 80-byte query, which returned an average response of 2,313-bytes. The largest amplification response was 17,377-bytes, 217 times greater than the 80-byte query.
  • The Anatomy of a DNSSEC Reflection Attack – Neustar illustrates the command and control servers required to run the botnets and scripts that target DNS nameservers to execute DNSSEC amplification attacks.
  • Best Practices for Mitigation – For organizations that rely on DNSSEC, Neustar recommends ensuring that your DNS provider does not respond to “ANY” queries or has a mechanism in place to identify and prevent misuse.

“Neustar is focused on using connected sciences to connect people, places and things, which is why network security is so imperative,” said Loveless. “As more organizations adopt DNSSEC, it is critically important to understand how to secure it. The time to fix it is now.”

For more information about “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” see:

DNSSEC: New Hardware, New Key For .DE

[news release] After five years of productive operation with DNSSEC and the preceding testbed, the time had come to replace the cryptographic hardware (Hardware Security Module, HSM) used for signing the .de zone. Since the private DNSSEC keys cannot – by definition – be read out from the HSM, the new HSM brings along new keys, this time a new Key Signing Key (KSK). While the Zone Signing Keys (ZSK) are already being replaced every five weeks, this is the first time for us to perform a complete KSK rollover. In the future, KSK rollovers will be implemented as required.

Need for Action: None
We have performed this action applying the “Double-DS” scheme as defined in RFC 6781, which is fully transparent for the validating resolver. With this scheme, two DS records remain valid for DE in the root zone for a transition period. “Double DS” is particularly suited when replacing the KSK and the HSM at the same time because it does not need double KSK signatures.

Dreams of the Future: Elliptical Curves
We have maintained the cryptographic parameters, in particular the algorithm (RSA) and the key length (2048 bit). Even though new solutions like elliptical curves (EC) offer advantages due to significantly reduced signature length, we think it is too early to switch to this solution at the TLD level. DENIC is involved in the related discussion in the standardisation and the operative communities.

Since September 2015, DENIC supports the registration of ECDSA and GOST keys for second level domains. About 250 of the currently roughly 50,000 signed .de domains make use of this EC procedure.

Good to know:
Also for the root zone, a KSK rollover is coming up. At present we are planning an implementation that will be finished in early 2018. An update of the root trust anchor is mandatory in this context for each validating resolver. The operators of these resolvers should obtain information from ICANN in due time and carry out the necessary update, if required.

This DENIC news release was sourced from:
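The Double-DS rollover described in the DENIC release above, modelled as an added example (not DENIC's code or tooling): it computes real DS digests per RFC 4034/4509 and checks that a resolver holding a mix of fresh and previous-stage cached records can always link the parent's DS to the child's KSK, whereas a direct swap cannot guarantee that. The key bytes are constructed placeholders, algorithm 8 is an assumption, and signature verification is abstracted to "the published KSK signs the DNSKEY RRset".

```python
import hashlib
import struct

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA (RFC 4034): flags | protocol (always 3) | algorithm | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 digest), RFC 4509."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

# Constructed key material, not real RSA keys; 257 = KSK flags, 8 = RSASHA256 (assumed).
KSK_OLD = dnskey_rdata(257, 8, b"constructed-old-ksk" * 8)
KSK_NEW = dnskey_rdata(257, 8, b"constructed-new-ksk" * 8)
DS_OLD, DS_NEW = make_ds("de.", KSK_OLD), make_ds("de.", KSK_NEW)

# Each stage: (name, DS RRset in the parent, the single KSK published by the child).
DOUBLE_DS = [
    ("initial", [DS_OLD], KSK_OLD),
    ("new DS", [DS_OLD, DS_NEW], KSK_OLD),       # parent lists both DS records
    ("new DNSKEY", [DS_OLD, DS_NEW], KSK_NEW),   # child swaps KSK, one signature only
    ("DS removal", [DS_NEW], KSK_NEW),
]
DIRECT_SWAP = [DOUBLE_DS[0], ("direct swap", [DS_NEW], KSK_NEW)]

def chain_ok(ds_rrset, ksk):
    """A validator accepts the KSK if any DS in the parent matches it."""
    return make_ds("de.", ksk) in ds_rrset

def rollover_report(stages):
    """Per stage, True only if every cache mix a resolver may hold validates."""
    report = []
    for i, (name, ds, ksk) in enumerate(stages):
        views = [(ds, ksk)]
        if i > 0:  # one record set may still be cached from the previous stage
            _, prev_ds, prev_ksk = stages[i - 1]
            views += [(prev_ds, ksk), (ds, prev_ksk)]
        report.append((name, all(chain_ok(d, k) for d, k in views)))
    return report

if __name__ == "__main__":
    for label, stages in (("Double-DS", DOUBLE_DS), ("Direct swap", DIRECT_SWAP)):
        print(label, rollover_report(stages))
```

In a real rollover each stage must also be held for at least the TTL of the records being replaced, which this model represents only as "one stage of cache staleness".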

ccTLD Updates: .NO Reaches 700,000, .KE Cuts Fees and New .FI Registry/Registrar Model

The Norwegian ccTLD, .no, reached the 700,000 registrations milestone in late June with individuals adding significantly to the number of registrations since they were allowed to register domains in the ccTLD in June 2014.

But today the total number of registrations has dipped back below the milestone and numbers 6999,876 of which 408,793 are DNSSEC secured.

Since June 2014 the number of .no domain names registered by individuals has reached 50,000.

The Kenya Network Information Centre (Kenic) has reduced the price charged to registrars for .ke domains to Sh650 ($6.40) per domain from Sh1,000 ($9.85); with a recommended retail selling price set at Sh1,000, according to a report in the Kenyan Business Daily.

There are also “plans to make it compulsory for new companies seeking registration to have a website as part of efforts to get at least half of local enterprises” to use the Kenyan ccTLD.

Kenic “also plans to make it possible to register for the domain name at any Huduma Centre countrywide.” Huduma Centres provide Kenyans access to various Public Services and information from One Stop Shop citizen service centres.

Ficora is transitioning to a new registry-registrar model and as part of the plans to implement the change .fi will undergo maintenance operations between 16:15 on 2 September and 10:00 on 5 September.

The current domain name system and all related user IDs will cease to exist on Friday, 2 September at 16.15. This means that domain names cannot be modified between Friday, 2 September 2016 at 16.15 and Monday, 5 September 2016 at 10.00, so it will not be possible to renew or change registrant information during this period. The new system, which will only be for registrars, will open at 10:00 on 5 September.

Other changes that will occur as a result of the new system will be that the registration of certain domain names currently banned by law will become available. Domain names that will become available include:

  • generic or country code top level domains
  • abbreviations of enterprise, foundation or association forms
  • expressions that are insulting or incite criminal activity.

These restrictions are abandoned in the Information Society Code and the banned domain names will be released for registration on Wednesday, 7 September 2016 at 10.00. The release takes place on Wednesday in order to provide registrars a chance to check their account balance and deposit enough money to their account for the registrations.

Other changes for registrars include:

  • Those who have registered as registrars in the new system act as account administrators and can create new user IDs for other users within their organisation.
  • Users log in to the system by entering a user ID, password and one-time password that is sent via text message to the number provided by the user.
  • Domain name registration fees are charged to the deposit account which registrars may top up through their online bank, either via credit card or bank transfer. Users may set a balance alert which means that the system sends a message when the account balance falls below a chosen limit.
  • It is easy to keep a domain name holder’s details up to date since contact details are automatically updated to all of the holder’s domain names.
  • It is possible to set domain names to automatically renew once a year.