Tag Archives: DNSSEC

European ccTLD Registries Address Security Issues With ISO27001: CENTR News

CENTR small logoSecurity is an ongoing issue for the domain name system and TLD registries are at the forefront of dealing with it.

So in 2011 CENTR, on its members’ request, created a Security Working Group for ccTLDs to share security best practices and discuss ways to mitigate security risks, the latest CENTR News highlights.

At a recent workshop in Brussels and for the second time a workshop was dedicated to one topic only, the ISO 27001 security standard.

“Over the past few years I got a lot of questions from colleagues from other ccTLDs about ISO 27001,” Bert ten Brinke, Security Officer with SIDN, Chair of the CENTR Security working group and expert in the field of ISO 27001 told CENTR News. “After a short inventory, the idea was born to organise a workshop completely focused on ISO 27001.”

“ISO forces you to build a process to deal with security risks within and around your organisation and its core tasks,” reported CENTR News. “When everyone involved starts to operate according to this process an organisation’s security will become less dependent on individual employees. Bert ten Brinke feels this is the main reason why ISO 27001 increases the chance of a better secured registry.”

“There are alternative standards that can be useful for ccTLDs and it’s of course possible to build your own processes follow your own standards. But by doing so, you’ll risk having to explain your standard over and over again. Official standards don’t have that issue. They are already accepted and used by a whole community.

“For companies there are a lot of security standards which can be used. Examples are: the American COBIT (Control Objectives for Information and Related Technology), which is an IT governance framework that addresses every aspect of IT and the originally British ISO 27001(International Organization for Standardization). COBIT lays more focus on Risk Management and following Bert ten Brinke it is more difficult to implement than the ISO27001 standard.”

“It is important to build a standard according to your organisation and not the other way around”. This is Bert’s main advice for ccTLDs that are considering implementing systematic security processes by means of an official standard. Furthermore, in order to start implementing security processes in a successful way the full support of the CEO or Managing Director is crucial.

“An ISO certificate is an engagement for the future. When you are certified ISO27001 for the first time this is only the beginning. Each year you have to proof that you are ‘worth’ the certificate and after three years, you have to recertify. For most companies it’s a never ending circle of security improvement.

On registry to recently acquire ISO27001 certification was nic.at, the registry for .at domain names. The announcement was made at the recent Domain Pulse conference held in Salzburg, Austria, and Richard Wein, General Manager, said the certification was proof of the registry’s dedication to security of .at domain names.

Elsewhere in the February 2014 edition of CENTR News, there are articles on CENTR preparations for the next Internet Governance Forum meeting to be held in Istanbul in September. Plus an update on DNSSEC in Europe, which shows there are two-thirds (67%) of registries that have implemented the security standard and a quarter (26%) planning its implementation, which are the findings of a survey of 26 ccTLD registries.

Plus there is a Q&A with Nominet Brand Manager Becky Bradburn and a European ccTLD update.

To download the latest CENTR News, go to https://centr.org/news/european-cctld-news-february-2014.

.EE Registry Price Reduced 20%

.ee logoThe Estonian Internet Foundation will lower the price of a .ee domain by 20% from 1 January 2014, i.e. down to €12.

.ee domains can be registered for one, two or three years. The domain fee is €12, €23 or €33 in 2014, depending on the length of the registration period.

These are the domain registration prices that the Estonian Internet Foundation will charge from registrars. The price for the registrant is determined by the registrars. VAT will be added to the fee.

From the beginning of January, protection with the DNSSEC security extension will be available for .ee domains. DNSSEC protects Internet users and domain owners, offering them a guarantee that the user has not been unknowingly redirected from the requested homepage to another page. The Estonian Internet Foundation will not apply additional charges to this service. More information about DNSSEC can be found on the Foundation’s homepage at www.internet.ee.

This Estonian Internet Foundation news release was sourced from: www.internet.ee/en/

Strategic Plan to Promote DNSSEC Launched by Afnic

AFNIC logo[news release] To improve the protection of the French Internet against attacks on its DNS infrastructure, Afnic calls for an acceleration in the deployment of DNSSEC.

DNSSEC, a protocol that improves the security of DNS against different types of attacks seeking to divert traffic from websites, was made available to the .fr TLD by Afnic in September 2010. Backed by its expertise and as part of its task as the registry for the .fr ccTLD, Afnic wants to encourage innovation in the .fr namespace and further strengthen the security of the Internet Infrastructure in France. With this aim in mind, the registry has decided to undertake a major campaign to promote DNSSEC for the key stakeholders in DNS resolution.

The strategic plan is based on several action levers, the initial initiatives being as follows:

  •  A financial incentive scheme. Until 31 December 2013, Afnic is offering its accredited registrars a 10% discount on the price of creation and keep options for DNSSEC signed domain names under the .fr TLD.

For Mathieu Weill, CEO of AFNIC “By allocating human and financial resources to the promotion of DNSSEC among our registrars, we are illustrating our support for French stakeholders in putting the .fr ccTLD on the leading edge in security.

This Afnic news release was sourced from:

Six More ccTLDs Signed With DNSSEC

They may only be some of the smaller ccTLDs around the world, but six more have been signed with DNSSEC and now have DS records in the root zone, according to a post on the ISOC website.

This means that people and businesses with domains registered in these ccTLDs can now receive the higher level of security possible with DNSSEC. The ccTLDs are:

The post notes for registrants that have a domain registered in those ccTLDs, their registrar should now be able to pass the required DS record up to the ccTLD registry.

As the ISOC post notes, congratulations to Garth Miller and the teams associated with the various TLDs for making these signed TLDs happen. As per ICANN’s TLD Report, 111 out of 318 TLDs are now signed which is excellent progress.

ISOC Collaborates with Shinkuro and Parsons to Promote Global Deployment of DNSSEC

Internet Society - ISOC - logo[news release] The Internet Society today announced it has signed a Memorandum of Understanding with Shinkuro and Parsons to collaborate on multiple initiatives to promote the global deployment of Domain Name System Security Extensions (DNSSEC).

Few technologies are more critical to the operation of the Internet than the DNS, and DNSSEC provides a way to ensure online connections are with the correct website or service.  The Internet Society Deploy360 Programme, www.internetsociety.org/deploy360/, provides deployment information and resources for key Internet technologies such as DNSSEC, IPv6, and Routing Resiliency and Security.  Shinkuro and Parsons—which acquired  SPARTA, Inc., a leading provider of advanced systems engineering, cybersecurity, and mission support services in November 2011—have been working together with other groups as the DNSSEC Deployment Initiative with funding from the U.S. Department of Homeland Security Science and Technology Directorate.

The Internet Society’s Deploy360 Programme and the DNSSEC Deployment Initiative have collaborated in the past, and this MOU is a formal endorsement of their cooperative arrangement.  By joining forces, these organizations will share expertise and maximize efforts to encourage a greater understanding of DNSSEC and its importance to the future of the Internet.  Joint activities include DNSSEC educational and awareness programmes, development and support for tools to facilitate global deployment and operation of DNSSEC, and participation in DNSSEC events worldwide.

“We are delighted to be working with the teams at Shinkuro and Parsons to increase awareness of DNSSEC and support its deployment,” said Leslie Daigle, Chief Internet Technology Officer, Internet Society.  “The Internet needs the trust layer that DNSSEC can provide and by bringing the community together in an open, multi-stakeholder way we will be able to help make this happen. We look forward to moving ahead on our joint initiatives.”

“Shinkuro is excited the Internet Society is lending its weight and prestige to foster full deployment and use of DNSSEC,” said Steve Crocker, Shinkuro’s CEO.

“Parsons, a leader in DNSSEC research and development, is pleased to join forces with the Internet Society to promote expanded use of this important technology,” stated Mary Ann Hopkins, Parsons Group President. “Internet security is a global issue and requires significant cooperation and coordination.”

About the Internet Society
The Internet Society is the trusted independent source for Internet information and thought leadership around the world. With its principled vision and substantial technological foundation, the Internet Society promotes open dialogue on Internet policy, technology, and future development among users, companies, governments, and other organizations. Working with its members and chapters around the world, the Internet Society enables the continued evolution and growth of the Internet for everyone. For more information, visit www.internetsociety.org.

About the DNSSEC Deployment Initiative
The DNSSEC Deployment Initiative is jointly led by teams from Shinkuro and Parsons in collaboration with the Advanced Network Technologies Division of NIST. It is funded by the U.S. Department of Homeland Security Science and Technology Directorate under an Interagency Agreement with the Air Force Research Laboratory. For more information, visit www.dnssec-deployment.org.

About Shinkuro
Shinkuro is a U.S.-based research and development company focused on Internet security and collaboration technology for sharing information across organizational boundaries. For more information, visit www.shinkuro.com.

About Parsons
Parsons, celebrating nearly 70 years of growth in the engineering, construction, technical, cyber, and professional services industries, is a leader in many diversified markets with a focus on transportation, environmental/infrastructure, defense/security, and resources. For more about Parsons, please visit www.parsons.com.

About Department of Homeland Security Science and Technology Directorate
The Department of Homeland Security Science and Technology Directorate’s mission is to support basic and applied homeland security research to promote revolutionary changes in technologies; advance the development, testing, evaluation, and deployment of critical homeland security technologies; and accelerate the prototyping and deployment of technologies that address homeland security vulnerabilities across the Homeland Security Enterprise.

This ISOC news release was sourced from:

Last Contractual Hurdle Cleared in New gTLDs Introduction With Board Approving Registry Agreement

The ICANN New gTLD Program Committee of the ICANN Board of Directors has approved the 2013 Registry Agreement (RA) meaning the introduction of new generic Top Level Domains have moved a step closer.”New gTLDs are now on the home stretch,” said Chris Disspain, a member of ICANN’s New gTLD Program Committee, in a statement. “This new Registry Agreement means we’ve cleared one of the last hurdles for those gTLD applicants who are approved and eagerly nearing that point where their names will go online.”Among the key points in the new Registry Agreement:

  • Includes a Trademark Clearinghouse that will serve as a one-stop shop where trademark holders can protect their rights.
  • Provides for a process for a rapid, efficient way to take down infringing domain names.
  • Provides a procedure where trademark rights holders can assert claims directly against a registry operator for domain name abuse if that operator has played an active role in the abuse.
  • Requires registry operators to have a single point of contact responsible for handling abuse complaints.

“We’re getting to the point now where new gTLD applicants can see the finish line,” said Akram Atallah, President of the ICANN’s Generic Domains Division. “Much like the 2013 Registrar Accreditation Agreement approved by the Board last week, this new Registry Agreement is the culmination of input from a wide range of stakeholders and marks a dramatic improvement over the previous baseline agreement.”The New gTLD Registry Agreement is intended to enhance the security and stability of the Domain Name System while bolstering competition in domain name industry. The security provisions include:

  • A requirement that registry operators implement Domain Name System Security Extensions (DNSSEC), reducing so-called “man-in-the-middle” attacks and spoofed DNS records.
  • A requirement of enhanced WHOIS service at the registry level with a common interface, and more rapid search capabilities, facilitating efficient resolution of malicious activities.

“This isn’t just a gradual step forward,” said Atallah. “This is a major move that translates to far greater security protections.”

ccTLD Updates for .xxx, .pw, .ru, .fr, .nl, .ee, vn, .be, .no

“What has really happened as a result of .XXX?” one year on from its launch is the focus of an article on Xbiz.

The article notes that “among other things, new sites have come to market, new companies have formed to capitalise on new opportunities in the adult space and a level of accountability and oversight added to an industry that has long shunned supervision of any sort — while the majority of trademark disputes have been swiftly resolved in favour of the legitimate rights holders.”

And it notes that ICM Registry’s Stuart Lawley claims .XXX “has comfortably exceeded the company’s sales expectations — based on the figures it communicated back in 2003 and 2004 in its original application to ICANN.” ICM also believes renewal rates will be high, even though the first anniversary is not quite here.

The .pw ccTLD is relaunching being branded as ‘the Professional Web, with the new registry opening up a 68-day sunrise programme as of 3 December. The sunrise offers some unique features aimed at reducing overhead for brand-owners.

A guest posting on DomainNameNews from Kate Moran of TM.Biz, .pw’s trademark validation agent, looked at trademark validation for .PW. Unsurprisingly the posting considers .pw a leader, saying “the .pw registry is proposing to protect not only exact matches, but also any domain containing the trademark, misspellings, abbreviations and language translations of the validated trademark. The trademark validation agent, TM.Biz is coupling these rules with automated searches of 70 trademark databases.”

On 4 December, the Coordination Center for TLD RU/РФ and the Technical Center of Internet generated DNSSEC keys for .RU, one of the two Russian national domains. A formal event signified the first phase of signing .RU with DNSSEC, with all works expected to be finalised by the end of December 2012.

The .FR registry, Afnic, has released their December 2012 Domain Name Industry. The latest report looks at the growth rate for IPV6-compatible .fr domain names. In the report Afnic focuses on the success rate of Syreli claims in relation to the age of the domain name. Everything suggests that rights-holders are reactive and quickly intervene to enforce their rights via the Syreli procedure. The full report is available from the Afnic website here.

SIDN, the .nl registry, has published their final report of the 2012 Domain Name Debate. The debate examined issues such as availability of registrant’s details from Whois and drop catching. To check out the final report, check out the SIDN website here.

The price to registrars of .ee domain names will be cut by 11.8 percent on 1 March 2013, which will see the price cut from €17 to €15. Maximum registration periods will also be extended with options of two and three years.

Registrations of .vn domain names hit225,970 in the third quarter of 2012 according to VNNIC’s white paper on Vietnam’s internet.

Alternative Dispute Resolution celebrated its tenth birthday on 12 December, the .be registry dns.be announced. To mark the occasion, Cepina (the Belgian Centre for Arbitration and Mediation) organised a symposium in conjunction with DNS.be.

Norid, the registry for .no domain names, is again receiving reports on a company who tries to force Norwegian companies to buy domain names. The service is said to be offered to protect a company name or brand.

The issue may be a proposal to register a domain name within other top level domains, such as .com or .as, or they may suggest to register the domain name in different spellings, for instance with and without a hyphen. The company who offers services like this, often tells a story about other actors interested in buying the domain name, and that they need a quick decision.


.FI Exceeds 300,000 in Finland, But Low DNSSEC Deployment

Dot FI logo[news release] Finnish domain name applicants favour reliability and Finnish origin in their choice of domain name, because the demand of fi-domain names has remained high. The popularity of the fi-domain name does not reflect on their information security, because only a fraction of domain name holders deploy the Domain Name System Security Extensions (DNSSec) FICORA has offered for a year now.

About 52,000 new domain names are granted each year, but despite the success of the fi-domain name, the deployment of the DNSSec extension is at its infacy in Finland. There are only 63 domain names protected by DNSSec, which is very low in the international comparison. For example, as many as 145,000 Swedish domain names ending with .se use DNSSec extension. The world’s fourth most common top-level country code, the Netherlands’ .nl domain has more than a million domain name holders using the DNSSec.

DNSSec (Domain Name System Security Extensions) is an extension improving the information security of the name service, which ensures the origin and integrity of the information received from the name server. When DNSSEC is in use, responses to name system queries are digitally signed. DNSSEC ensures that responses to name system queries come from the right sender and that the response information has not been modified. This guarantees that people using the internet are only shown the actual website that they intended to call up.

FICORA recommends strongly that fi-domain name holders deploy DNSSec. More information on the extension can be found at domain.fi. Domain name holders may inquire about the DNSSec support from their service provider.

To continue reading this FICORA news release, go to:

More than one million .NL domain names secured with DNSSEC

SIDN Company Behind NL logo[news release] SIDN, the company behind .nl, announced today that the Dutch country-code domain now has more than 1 million DNSSEC domain names. This milestone is reached exactely one month after the .nl domain became the internet domain with more DNSSEC-secured domain names than any other domain on the internet.

As the internet’s roadmap, the DNS has always been vulnerable to criminal threats such as cache poisoning and ‘man-in-the-middle’ attacks by unidentified parties. The perpetrators of such attacks can divert internet users to fake websites or intercept e-mail, even though the correct domain name  is used. These vulnerabilities were underestimated until 2008, when Dan Kaminsky demonstrated that the DNS was easy to manipulate. Kaminsky’s revelations gave urgency to the worldwide rollout of DNSSEC, which had been in progress for some time. DNSSEC tackles the problems identified by Kaminsky. It provides a method for ascertaining whether an incoming DNS response is authentic and originates from the right source. The practical outcome of that is that the DNS is more reliable. In July 2010, ICANN signed the root zone and a month later SIDN followed suit by signing the .nl zone with DNSSEC. Once that had been done, early adopters had the opportunity to have trust anchors added to the .nl zone file during a Friends & Fans phase. On 15 May 2012, SIDN implemented DNSSEC in its Domain Registration System, making it possible for .nl registrars to automate the processes of signing domain names. Detailed information about DNSSEC is available from www.dnssec.nl (in Dutch only).

This SIDN news release was sourced from: