Tag Archives: DNSSEC

ICANN: IANA Functions, DNSSEC Audits: ICANN Systems Have Appropriate Controls

ICANN has completed annual, third-party audits of the IANA Registry Management Systems and DNSSEC services it provides.

For the sixth consecutive year, ICANN has achieved Service Organization Control (SOC) 3 certification for its management of the Domain Name System Security Extensions (DNSSEC) Root Key Signing Key. This certification demonstrates that the processes used to modify the root key signing key, which acts as the trust anchor of the DNS, contain appropriate security measures, and that these processes have been executed as planned. The certificate is publicly available at: http://iana.org/audits.

For the third consecutive year, a SOC 2 audit of the IANA registry maintenance systems confirms that ICANN has the appropriate controls in place to ensure the security, availability and processing integrity of these systems. ICANN began undergoing SOC 2 audits in 2013.

Accounting firm PricewaterhouseCoopers conducted the audits using the Service Organization Control framework managed by the American Institute of Certified Public Accountants. The framework measures an organization’s systems against a set of “trust services principles and criteria.” Learn more: http://iana.org/audits.


ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation and a community with participants from all over the world. ICANN and its community help keep the Internet secure, stable and interoperable. It also promotes competition and develops policy for the top-level of the Internet’s naming system and facilitates the use of other unique Internet identifiers. For more information please visit: www.icann.org.

This ICANN announcement was sourced from:

AusRegistry: Latest Behind The Dot Examines .AU Security And Global Cyber Threats

With internet security becoming an ever-growing threat and an ever more important issue, the latest issue of the quarterly Behind the Dot: State of the .au Domain [pdf] from AusRegistry examines these issues with a focus on .au (Australia).

The publication includes a few articles by yours truly on Protecting Australia’s Internet with DNSSEC, an interview with Dr Jason Smith, Technical Director at CERT Australia, on Responding to a cyber incident, and an interview with Robert Schischka, Technical Manager at nic.at, about nic.at’s experiences implementing DNSSEC.

There are also articles giving an update on .au registration numbers, and on malware, global domain hijacking incidents being a menace to major brands, protecting your domain from cyber threats, predictions for the .au namespace for 2016, and government and policy.

Writing on the AusRegistry website, Adrian Kinderis, CEO of AusRegistry, says:
A significant tool for protecting our country’s online ecosystem has been the implementation of DNS Security Extensions, otherwise known as DNSSEC. In this edition, we’ve examined DNSSEC in detail to outline how it works and who should consider implementing it.

Online security is not, however, an issue solely for Registries. Major brands and individuals alike can and should take essential steps to ensure their data, assets and reputations are protected from online attacks. This edition of Behind the Dot contains a close look at some of the major global brands that have been threatened by hijackers; as well as some of the risks to individual domain name registrants and some tactics for addressing them.

We’ve also called upon some of Australia’s leading security experts for their tips and insights on staying safe online. CERT Australia Technical Director, Dr Jason Smith gives us his views on cyber security issues affecting critical infrastructure, while Bruce Matthews, Cyber Security Manager at the Australian Communications and Media Authority (ACMA) provides an overview of the Australian Internet Security Initiative. Finally, Robert Schischka of nic.at, the Registry for the Austrian country code Top-Level Domain, offers an international perspective on DNSSEC.

In addition, we’re delighted to have the contribution of a number of our .au Registrars in this edition, to give their predictions for the year ahead in .au and the domain name industry abroad. We look forward to continuing this inclusion of Registrars in future editions and encourage your input.

What Was Involved In Making .AU More Secure With DNSSEC

The .au (Australian) ccTLD implemented DNSSEC at the end of 2014, joining the vast majority of TLDs, including all new gTLDs. Adam King, auDA’s Chief Technology Officer, spoke at the Australian Internet Governance Forum (auIGF) in Melbourne on Wednesday, which is organised by the .au policy and regulatory body. Adam was on a panel speaking about DNSSEC and online security in Australia. I spoke to Adam on the sidelines of the auIGF after his presentation on auDA’s experiences in implementing DNSSEC.

DG: In December 2014 auDA implemented DNSSEC. What was the reason for introducing this new security?
AK: We needed to sign DNSSEC to enable .au to move forward and become a more secure namespace. So far all the ccTLDs of OECD member countries are signed with DNSSEC, so from both a security perspective and to remain competitive with other ccTLDs, it needed to happen. And of 1071 TLDs, 908, including all new gTLDs as mandated by ICANN, are currently signed.

DG: How was the process?
AK: The technical side of signing wasn’t the difficult part. The difficult and time consuming part was developing the policies and processes for signing the zone and how auDA would manage the cryptographic keys. That’s because you’re now dealing with private key information and you’re using it to create a layer of trust, so this information must be kept secure.

DG: What’s the difference for domain registrants?
AK: At the moment not too much because it’s not ubiquitous, but auDA needed to sign .au to create the opportunity for registrants to be able to sign their own domain names. But it’s a process with several steps.

To make the service widely available, hosting companies need to start making DNSSEC signing services available to their customers. DNSSEC validation is on by default in all the current versions of name server software, therefore any ISP (or business operating their own resolver) running the latest versions is performing validation – unless they are using a Windows resolver or have explicitly turned validation off. For hosting companies it is a little more involved: they need to replicate the processes auDA went through (generating key pairs, developing policy and signing procedures to protect their private keys) but obviously on a larger scale as they may have hundreds or thousands of zones to be signed. It’s certainly possible; Comcast in the USA were able to achieve this. Comcast provide validation for 17.8 million residential customers and have signed all 5,000 domain names under their management.

DG: When all this is done, what will the benefits be to .au domain registrants and internet users?
AK: Once it’s enabled everywhere, as long as the ISP’s or corporate resolver has DNSSEC validation enabled, it will perform all the validation checks to protect internet users from two of the main DNS attack vectors – cache poisoning and man-in-the-middle attacks. The checks occur without the end user doing anything. It all goes on behind the scenes and is so quick the user doesn’t even realise it’s happened. It guarantees that the answer to the question asked, that is the domain name requested, has not been modified or tampered with in transit from the authoritative server to the ISP’s resolver.

What it doesn’t do is provide encryption, so what one looks up and visits is still visible in the DNS, and it doesn’t protect from viruses or DDoS attacks. So it’s not a silver bullet for protection online, but what it does protect against, it does so very well. And internet users are much safer as a result.

auDA hosts the auIGF each year, and details of the 2016 security-focused panels will be announced at the start of the year. You can register to hear more about how to get involved by emailing auigf@auda.org.au to be added to the mailing list.

ICANN: Design Team Review of Plan for DNS Root Zone KSK Change

Brief Overview

Purpose: This public comment proceeding seeks to review the Design Team’s findings to date related to issues and plans for changing the cryptographic key used to originate the DNSSEC chain of trust.

Current Status: The Design Team has generated a preliminary report and will accept wider review.

Next Steps: After the public comment proceeding, the Design Team will finalize its report and plan for changing the cryptographic key.

Section I: Description, Explanation, and Purpose

A design team consisting of seven independent DNS experts has produced a report examining previously proposed schemes for changing the DNSSEC root zone KSK, along with considerations related to Internet realities, in preparation for finalizing plans to change the current Root Zone KSK.

Section II: Background

In 2010, the Root Zone Management Partners (ICANN, Verisign, and NTIA) introduced the DNS Security Extensions to the operational root zone. After five years of operation, there is a requirement to change the topmost cryptographic key in the hierarchy, the key called the Root Zone Key Signing Key. The challenge is to ensure that all copies of the publicly distributed key are updated to prevent disruption to DNSSEC protection of the DNS.

Section III: Relevant Resources

This ICANN announcement was sourced from:

ICANN Successfully Completes Two Independently Conducted Service Organization Control Audits

ICANN today announced that it has achieved the Service Organization Control (SOC) 3 certification, formerly known as Systrust, of its Domain Name System Security Extensions (DNSSEC) Root Key Signing Key systems for the fifth consecutive year.
The organization also successfully completed its second SOC 2 audit, which evaluates key systems used to support IANA transaction processing functions. International accounting firm PricewaterhouseCoopers (PwC) conducted both audits.

“Annual independent audits represent one of a number of ways ICANN is striving to measure business excellence and enhance accountability,” said Elise Gerich, ICANN’s vice president of IANA & technical services. “We are committed to delivering a high standard of work and a program of continuous improvement in all areas of operation.”

Read the blog post about ICANN’s commitment to continuous improvement and enhancing accountability mechanisms in relation to the IANA functions.

About SOC Audits

SOC audits evaluate an organization’s controls in relation to “trust services principles and criteria” developed and managed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Learn more: iana.org/audits.


ICANN’s mission is to ensure a stable, secure and unified global Internet. To reach another person on the Internet you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet. ICANN was formed in 1998. It is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers. ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its coordination role of the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet. For more information please visit: www.icann.org

This ICANN announcement was sourced from:

Global Domain Growth Slows To Almost Half Of Two Years Ago: Verisign

The number of domain names around the world continues to grow, but the growth continues to slow even as new gTLDs have added over 4.5 million registrations in the last 12 months.

Four million domain names were added to the internet in the fourth quarter of 2014, bringing the total number of registered domain names to 288 million worldwide across all top-level domains as of 31 December 2014, according to the latest Domain Name Industry Brief.

The increase of four million domain names globally equates to a growth rate of 1.3 percent over the third quarter of 2014. Worldwide registrations have grown by 16.9 million, or 6.2 percent, year over year.

This compares to an increase of five million domains in the fourth quarter of 2013 and 6.1 million in the fourth quarter of 2012, equating to growth rates of 1.9 and 2.5 percent respectively over the previous quarters. On a yearly basis, worldwide registrations grew by 18.5 million, or 7.3 percent, in 2013 and 26.6 million, or 11.8 percent, in 2012, year over year.

The .com and .net TLDs experienced aggregate growth in the fourth quarter of 2014, reaching a combined total of approximately 130.6 million domain names in the domain name base for .com and .net. This represents a 2.7 percent increase year over year. As of 31 December the base of registered names in .com equalled 115.6 million names, while .net equalled 15.0 million names.

New .com and .net registrations totalled 8.2 million during the fourth quarter of 2014. In the fourth quarter of 2013, new .com and .net registrations totalled 8.2 million, and 8.0 and 7.9 million in the corresponding quarters in 2012 and 2011.

Total ccTLD registrations were 134.0 million domain names, a 1.5 percent increase quarter over quarter, and an 8.7 percent increase year over year. The corresponding figures for two years ago were a 4.2 percent increase quarter over quarter, and a 13.2 percent increase year over year in the base.

The order of the top TLDs in terms of zone size changed slightly when compared to the third quarter, as .nl (Netherlands) moved up a ranking from the tenth-largest TLD to the ninth-largest TLD, resulting in .info moving down one ranking to the tenth-largest TLD.

Among the 10 largest ccTLDs, .tk (Tokelau) grew the fastest, with 4.0 percent overall quarter-over-quarter growth. At the end of December there were 285 global ccTLD extensions delegated in the root (including Internationalised Domain Names), with the top 10 ccTLDs composing 67.2 percent of all ccTLD registrations.

At the end of the fourth quarter of 2014, 478 new gTLDs were delegated into the root, 65 of which were delegated during the fourth quarter of 2014. New gTLD registrations totalled 3.6 million, or 2.3 percent of total gTLD registrations.

During the fourth quarter of 2014, Verisign’s average daily Domain Name System (DNS) query load was 110 billion across all TLDs operated by Verisign, with a peak of 146 billion. Compared to the previous quarter, the daily average decreased 3.7 percent and the peak decreased 54.0 percent. Year over year, the daily average query load increased 33.5 percent and the peak query load increased 47.1 percent. Two years ago the query load was 77 billion across all TLDs operated by Verisign with a peak of 123 billion.

The report also includes a short article on understanding the implications of the DNS control plane and how the full benefits of DNS Security Extensions (DNSSEC) can help to minimise your attack surface and enhance your security posture.

An archive of Verisign Domain Name Industry Briefs is available from:

Over One Third Of .NL’s 5.5 Million Domains Secured By DNSSEC

[news release] The number of signed .nl domains today reached the two million mark. That means that 36 per cent of .nl’s 5.5 million-plus domains are now secured by DNSSEC. The Netherlands’ global lead in this field is largely down to our biggest registrars, who have signed their clients’ domains in bulk.

It is only a few months since we proudly announced that one third of all .nl domains were signed. The latest jump is thanks mainly to the activities of two registrars: Yourhosting and Antagonist.


“This week, our subsidiary Yourhosting started signing domains,” explains Bart Carlier, Yourholding’s General Manager. “We’re now up to more than a hundred thousand. Over the next few weeks, the remainder of the .nl domains that we manage for our clients will follow. Security is one of our main focuses. DNSSEC is a vital part of the protection that we provide and something that the market is pushing strongly for.”

“The main challenge was the complexity of integrating DNSSEC into our backend processes. We worked closely with the people at PowerDNS to get everything sorted.”


“We are currently signing all our domains,” says Wouter de Vries, Antagonist’s founder. “We have nearly 65,000 .nl domains, the majority of which we also manage. All those names are going to be signed.”

“Here at Antagonist, we are very security-minded. Our new Patchman service is a good example of that. DNSSEC is another important feature of our security strategy. It’s good that the Netherlands is leading the way when it comes to the application of DNSSEC. But we are pressing ahead with the signing of domains under other TLDs as well, in parallel with what we’re doing under .nl.”

Like Yourhosting, Antagonist uses PowerDNS. “We switched from Bind to PowerDNS quite some time ago. It’s a really good package, especially for large-scale applications. We’ve been using it for some years and we’re very satisfied with it.”


“For registrars, the key question is how to implement DNSSEC in their environments,” explains Michiel Henneke, Marketing Manager at SIDN. “The best way to go about it very much depends on which DNS software and control panel you use. The general experience is that it’s easiest to concentrate on the DNS software first. Once that is working the way you want, you can turn your attention to the control panel. The Netherlands is very much ahead of the game where DNSSEC is concerned, so control panel suppliers are still in the process of integrating DNSSEC support into software.”

“Fortunately, we have a substantial number of registrars who have already introduced DNSSEC and are willing to share their experience with others. As a result, registrars who already use PowerDNS have a good idea of how long implementation should take and what the risks are.”

Software support

“SIDN’s incentive scheme has certainly been an important driver for the introduction of DNSSEC,” continues Henneke. “We benefited from seeing how the Czech Republic and Sweden had incentivised registrars. It’s been so successful that we have recently extended our scheme to run until the end of 2018. The growth of DNSSEC has also been fuelled by the requirement that new gTLDs must support DNSSEC right from the start.”

“We are now looking at how we can make it easier for registrars who work with resellers to implement DNSSEC. How do you enable a reseller who manages maybe a couple of thousand domains to easily sign domains registered through a registrar that supports DNSSEC? Small businesses can’t easily afford to develop their own solutions and consequently tend to be dependent on the software suppliers. We are therefore pressing the software houses to integrate DNSSEC support into their products. Full adoption of DNSSEC depends on them.”

This SIDN news release was sourced from:

Norwegian DNS Becomes More Secure

[news release] From 9 December Norwegian domain names can be secured with DNSSEC. This means that an end user can know for sure that he arrives at the correct web page when he looks up a domain name.

DNSSEC (DNS Security Extensions) is a security extension to the domain name system (DNS). DNSSEC-protected domains are cryptographically signed, which makes it possible to check that the reply to a domain lookup comes from the correct source of origin and that the reply has not been changed in transit. The purpose is, among other things, to prevent a scammer from falsifying an answer in order to send an end user to a fake web page.

In addition to making it more secure to use domain names, extensive use of DNSSEC in the domain name system will prepare the ground for new services that have to trust safety-critical data in DNS.

– DNSSEC increases the security, but at the same time it demands more competence from the people running the name service for a domain. We still think that the technology now is mature enough to be used as an upgrade of the infrastructure, says Hilde Thunem, Managing Director in Norid.

Norid is now offering DNSSEC and encourages registrars to use the service, but the mechanism will not be activated automatically for all Norwegian domains. So far 16 registrars offer DNSSEC.

This Norid news release was sourced from:

DENIC implements secure and confidential e-mail communication based on DANE and DNSSEC

[news release] The .DE registry and managing organization, DENIC, is among the early adopters who have implemented the technology labelled DANE with the objective to secure e-mail communication. Having been developed by the Internet Engineering Task Force (IETF) as an open standard, DANE is a powerful tool to encrypt data traffic between mail servers and to verify the identity of the involved servers, in a reliable manner.

For the German version, see: www.denic.de/denic-im-dialog/pressemitteilungen/pressemitteilungen/3947.html

DANE interlinks conventional certificates (a sort of electronic “identity cards”) with the Internet’s “directory service”, the Domain Name System (DNS). The e-mail transport encryption enabled by DANE and based on the security extensions DNSSEC effectively eliminates the risk of e-mails or messages being redirected or intercepted, as a result of man-in-the-middle interference. DANE for e-mail is an essential step towards securing Internet communications end-to-end for everyone.

The .DE top level domain has been signed with DNSSEC since 2011, when DENIC established one of the fundamental bases paving the way for the practical use of DANE in Germany. For more details on how DNSSEC can be implemented technically, domain holders are referred to their Internet service providers.

Background Information

About DANE

DANE (DNS-Based Authentication of Named Entities) is described in RFC 6698, a specification issued by the Internet Engineering Task Force (IETF). Using DANE enables so-called X.509 certificates to be stored in the Domain Name System (DNS). The purpose of X.509 certificates is to confirm the identity of a webserver (or other systems). Linking certificates to the DNS creates a number of new options:

  1. By publishing a root certificate, the server operator can state which Certificate Authority (CA) he relies on, and thus which organization is authorized to issue digital certificates for his servers. If another CA issues such a certificate, either maliciously or as a result of a manipulation of its systems, but without the operator’s express consent, the Internet user will be alerted accordingly.
  2. Where self-signed certificates are used, with no CA services involved, a second channel is established by publishing the certificate via the DNS. This enables the application to validate and accept such a certificate.
  3. Additionally, DANE allows using different certificates (and thereby different cryptographic parameters) for services which can be accessed via the same host name (such as mail, web or instant messaging).

Currently DANE is used, particularly in Germany, to control encrypted communication between mail servers. Further applications are presently undergoing standardization procedures within the IETF. Among the applications currently being extended using DANE are end-to-end encryption and digital signing based on the S/MIME process.
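The three options above correspond to the certificate-usage field of the TLSA record defined in RFC 6698 (usages 0 and 2 name a trusted CA, usages 1 and 3 pin the server’s own, possibly self-signed, certificate). The following Python is an added example and not DENIC’s or any project’s code: it builds and checks the TLSA association data for a mail server certificate. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and extracting the real SPKI from a DER certificate is assumed to be done elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Parameter values from RFC 6698, sections 2.1.1 to 2.1.3.
# Usages 0 and 2 name a trusted CA (option 1 in the text); usages 1 and 3
# pin the server's own, possibly self-signed, certificate (option 2).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LENGTHS = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    association: bytes  # "certificate association data": full DER or its digest


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA rdata in presentation format: 'usage selector mtype hex...'.

    Raises ValueError for unknown parameter values or for association data
    whose length does not fit the matching type (a common zone-file mistake).
    """
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING_TYPES:
        raise ValueError(f"unknown TLSA parameters {usage} {selector} {mtype}")
    association = bytes.fromhex("".join(parts[3:]))  # zone files may split the hex
    expected = DIGEST_LENGTHS.get(mtype)
    if expected is not None and len(association) != expected:
        raise ValueError(f"{MATCHING_TYPES[mtype]} data must be {expected} bytes")
    return TLSARecord(usage, selector, mtype, association)


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the bytes the record must carry for this certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the certificate presented by the server matches the published record."""
    expected = association_data(record, cert_der, spki_der)
    return hmac.compare_digest(expected, record.association)


def tlsa_rdata(usage: int, selector: int, mtype: int,
               cert_der: bytes, spki_der: bytes) -> str:
    """Build the presentation-format rdata a domain holder would publish."""
    record = TLSARecord(usage, selector, mtype, b"")
    data = association_data(record, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"


# Constructed stand-ins for a mail server's DER-encoded certificate and its
# SubjectPublicKeyInfo; real values come from the server's actual certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-body"
SAMPLE_SPKI_DER = b"\x30\x59" + b"constructed-subject-public-key-info"


def demo() -> dict:
    """Publish a DANE-EE / SPKI / SHA-256 record, then check a genuine and a tampered key."""
    rdata = tlsa_rdata(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    record = parse_tlsa(rdata)
    tampered_spki = SAMPLE_SPKI_DER[:-1] + b"X"  # one byte changed, as by a swapped key
    return {
        "rdata": rdata,
        "genuine": tlsa_matches(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER),
        "tampered": tlsa_matches(record, SAMPLE_CERT_DER, tampered_spki),
    }


if __name__ == "__main__":
    result = demo()
    # Record name assumed for illustration: port 25/TCP on mail.example.com
    print("_25._tcp.mail.example.com. IN TLSA", result["rdata"])
    print("genuine matches:", result["genuine"], "| tampered matches:", result["tampered"])
```

Only a DNSSEC-validated answer makes the published record trustworthy; a resolver that does not validate could hand the mail server a forged TLSA record along with the forged certificate.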


The Domain Name System (DNS) as it was originally designed does not provide for any authentication of the distributed information. Communication between name servers and Internet applications (such as web browsers or VoIP phones) is not completely safe against third-party tampering. Over the past years, various attack scenarios have been described, and attackers keep refining them. By adding digital signatures to the DNS, DNSSEC (short for DNS Security) helps protect DNS data. These signatures make sure that responses to application requests are identical to the data published by the responsible DNS administrator in their name servers. The root of the DNS hierarchy has been DNSSEC secured since 2010, with the .DE domain managed by DENIC following in 2011.

This DENIC news release was sourced from:

CIRA Introduces DNSSEC To Protect Canadians Online

[news release] The Canadian Internet Registration Authority, the organization that manages the .CA domain, is making the Internet safer for all Canadians with the implementation of DNSSEC, the latest in a string of new security measures rolling out in 2014.

Half of Canadians would rather deal with .CA than a .COM website when it comes to online activities that require the disclosure of personal information, such as shopping or banking, according to CIRA’s 2014 Internet Factbook.

DNSSEC builds a “chain of trust” between users and the websites they wish to visit. It helps counter malicious online activities such as DNS spoofing and man-in-the-middle (MITM) attacks. These fraudulent activities are usually intended to capture personal information, such as bank account logins.

.CA is just one link in this chain of trust. Other stakeholders in Canada’s Internet ecosystem must now take action to protect .CA websites, and Canadian consumers and businesses.

“The success of DNSSEC now depends on implementation at the system level by players throughout the Internet ecosystem,” said Byron Holland, President and CEO of CIRA. “The full implementation of this ‘chain of trust’ is required to improve the safety and reliability of the Internet infrastructure that has become so vital to the economic and social fibre of our nation. I applaud those stakeholders that have already embraced DNSSEC.”

Visit this website to learn more about how DNSSEC works and how to make your .CA web address part of the chain of trust.

Domain Registrars also have a role to play as service providers who help Canadian businesses and individuals secure their .CA domain names with DNSSEC. easyDNS was one of the first accredited DNSSEC Registrars in Canada.

“Our focus at easyDNS is to offer our members DNS capabilities that meet their needs, and offer them and their customers the best – and safest – experience possible,” said Mark Jeftovic, President and CEO. “The foundation of this rests on trust. With the offering of DNSSEC, our clients can trust that .CA, is a secure choice. Kudos to CIRA for taking this step, and we’re proud to be one of the first in Canada to offer this service to our members.”

About CIRA

The Canadian Internet Registration Authority (CIRA) manages the .CA top-level domain, Canada’s online identifier, on behalf of all Canadians. A Member-driven organization, CIRA also facilitates the development of a better Internet for all Canadians, and represents the .CA registry internationally.

This CIRA news release was sourced from: