Tag Archives: DNSSEC

Implementing DNSSEC

Cisco’s The Internet Protocol Journal has published an article titled Implementing DNSSEC explaining the challenges that are involved with DNSSEC and what experience the early adopters have gathered and documented.

The article by Stephan Lagerholm and Torbjörn Eklöv, both DNS architects with significant DNSSEC experience, looks at “cache poisoning” techniques that were discovered a few years ago. The article says “you have most likely heard that Domain Name System Security Extensions (DNSSEC) is the long-term cure. But you might not know exactly what challenges are involved with DNSSEC and what experience the early adopters have gathered and documented. Perhaps you waited with your own rollout until you could gather more documentation about operational experiences when rolling out DNSSEC.”

This article summarises Lagerholm and Eklöv’s experiences, including lessons learned from implementing the technology in production environments, and discusses associated operational concerns.

To read this article, Implementing DNSSEC, in full by Stephan Lagerholm and Torbjörn Eklöv in Volume 13, Number 2, of Cisco’s The Internet Protocol Journal, see:
www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-2/132_dnssec.html

Independent Studies Examine Far-Reaching Benefits of DNSSEC

Results to Be Presented During Webinars on December 14 and 16

[news release] New Forrester Consulting studies, commissioned by VeriSign, Inc., examine trends in Domain Name System (DNS) security and their impact on hardware and software vendors. Based on an October 2010 survey of enterprise and SMB companies in the US, UK, Germany, Brazil, India and Japan, the studies outline user demand, and hardware and software vendor plans with regards to the incorporation of DNS Security extensions (DNSSEC) into their infrastructures.

The studies feature new research devoted to gauging vendor attitudes toward DNSSEC and the adoption of DNSSEC in the hardware and software communities. DNSSEC is used to authenticate DNS data to help prevent cache poisoning and man-in-the-middle attacks.

VeriSign will host a webinar on Dec.14 to outline key findings from the Forrester study for hardware vendors. Cisco Systems executives Joe Dallatore, Sr. Manager, Security Research and Operations group, and Patrik Fältström, Distinguished Consulting Engineer in the Office of the CTO, will also participate. In addition, VeriSign will host a webinar on Dec.16 to outline key findings from the Forrester study for software vendors.

Following the webinars, white papers will be publicly available at http://www.verisign.com/dnssec.

“The Internet is an increasingly critical infrastructure for our government, economy, society and national security, which is why it’s so important that the entire Internet community adopt DNSSEC,” said Pat Kane, Assistant General Manager of Naming Services at VeriSign. “If hardware vendors, software companies, ISPs, registries and registrars work collaboratively, it will help to facilitate a smooth, widely effective implementation of DNSSEC.”

Among Forrester’s key findings:

  • A significant number of companies saw substantial customer demand for DNSSEC in the last 12 months
  • A high percentage of companies said they already support, or are currently testing support for DNSSEC
  • The majority of companies believed support for DNSSEC could be implemented within six months
  • Three quarters of the companies indicated a desire to participate in VeriSign’s DNSSEC Interoperability Lab

DNSSEC applies digital signatures to DNS data to authenticate the data’s origin and verify its integrity as it moves throughout the Internet. The security extensions are designed to protect the DNS from attacks intended to redirect queries to malicious sites by corrupting DNS data stored on recursive servers. The successful implementation of DNSSEC will eliminate a hacker’s ability to manipulate DNS data. The resulting digital signatures on that DNS data are validated through a “chain of trust.”

VeriSign, in collaboration with the U.S. Department of Commerce and ICANN, deployed DNSSEC in the DNS root zone in July. In addition, the company deployed DNSSEC in the .edu zone in August. VeriSign expects to sign .net by the end of this year and .com by the end of the first quarter of 2011.

About VeriSign
VeriSign, Inc. is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign enables companies and consumers all over the world to connect online with confidence. Additional news and information about the company is available at www.verisign.com.

Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 as amended and Section 21E of the Securities Exchange Act of 1934 as amended. These statements involve risks and uncertainties that could cause VeriSign’s actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as increasing competition, pricing pressure from competing services offered at prices below our prices and changes in marketing practices including those of third-party registrars; the current global economic downturn; challenges to ongoing privatization of Internet administration; the outcome of legal or other challenges resulting from our activities or the activities of registrars or registrants; new or existing governmental laws and regulations; changes in customer behavior; the inability of VeriSign to successfully develop and market new services; the uncertainty of whether our new services will achieve market acceptance or result in any revenues; system interruptions; security breaches; attacks on the Internet by hackers, viruses, or intentional acts of vandalism; and the uncertainty of whether Project Apollo will achieve its stated objectives. More information about potential factors that could affect the company’s business and financial results is included in VeriSign’s filings with the Securities and Exchange Commission, including in the Company’s Annual Report on Form 10-K for the year ended December 31, 2009, Quarterly Reports on Form 10-Q and Current Reports on Form 8-K. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this announcement.

This VeriSign news release was sourced from here.

VeriSign Launches New DNSSEC Signing Service

[news release] VeriSign, Inc. launched a new, in-the-cloud service to ease the implementation of Domain Name System Security Extensions (DNSSEC). The VeriSign DNSSEC Signing Service is being offered to registrars to help them incorporate signing and provisioning into their infrastructure, while reducing costs, complexity and the administrative burden associated with implementing DNSSEC support for their customers.

DNSSEC provides an additional layer of security to the Internet by protecting against cache poisoning and man-in-the-middle attacks, in which forged data is used to redirect unsuspecting users to fraudulent websites and unintended addresses. DNSSEC is becoming essential to maintaining trust in the Internet; however, implementing DNSSEC can be a complex process.

Registrars can use the VeriSign DNSSEC Signing Service for the initial signing of second-level domain names (zones) as well as the periodic resigning and the ongoing management of keys associated with the DNSSEC protocol. Registrars will receive the benefits of a DNSSEC signing solution without investing in additional equipment and resources to sign and manage domains.

The VeriSign DNSSEC Signing Service leverages the company’s 15 years of experience in operating public key infrastructures and is run from within VeriSign’s secure facilities and network infrastructure. The service is ideal for registrars that host their own DNS, but are not ready to invest in the engineering and infrastructure needed to sign domain names (zones) or manage keys for DNSSEC.

“At VeriSign, we want to do everything we can to encourage the adoption of DNSSEC, which is an essential tool for securing the Internet,” said Pat Kane, Assistant General Manager of Naming Services at VeriSign. “This new service, which takes advantage of VeriSign’s strengths and core competencies, will help our registrar partners provide their customers the security they need in a straightforward and cost-effective manner.”

The VeriSign DNSSEC Signing Service performs the initial cryptographic signing, the regular re-signing of zone resource records and the ongoing management of key rollover schedules and the associated zone re-signing. The service is designed for registrars who provide DNS hosting and management services for their registrants without the additional complexity of signing and managing the keys associated with DNSSEC.

VeriSign is offering an evaluation period to its registrar partners to review the service in order to facilitate integration of DNSSEC into their services for registrants. The offer will run through the end of 2011.

About VeriSign
VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign enables companies and consumers all over the world to connect online with confidence. Additional news and information about the company is available at www.verisign.com.


This VeriSign news release was sourced from the VeriSign website here.

.CO Announces Domain Compliance Process and DNSSEC Tests

.CO announced this week the official launch of its “Rapid Domain Compliance Process,” which gives the registry the tools it needs to quickly bring “into compliance” any domain name that is being deployed for fraudulent, malicious or illegal purposes, and said it will begin testing DNSSEC in January.

More details in the .CO Internet S.A.S. news release below:

.CO Registry Announces Two Major Domain Security Initiatives

Plans for DNSSEC Implementation Unveiled; Rapid Domain Compliance Process Launched

.CO Internet S.A.S., the registry operator for the .CO domain, has today announced two major domain security initiatives that reaffirm its commitment to implementing measures to proactively combat domain name abuse, and will help to make .CO one of the safest, most secure domain extensions on the Internet.

Commencing in January, .CO will begin testing Domain Name System Security Extensions (DNSSEC) ahead of an expected full implementation in the first half of 2011.  DNSSEC is a suite of specifications for securing certain kinds of information provided by the Domain Name System (DNS) that is designed to protect the Internet from certain types of attacks, such as DNS cache poisoning.  It will eventually allow Internet users to know with certainty that they have been directed to the precise website they intended to reach.

Additionally, .CO Internet has announced the official launch of its “Rapid Domain Compliance Process,” which gives the registry the tools it needs to quickly bring “into compliance” any domain name that is being deployed for fraudulent, malicious or illegal purposes.  Leveraging the industry-leading security monitoring labs of Neustar, its back-end technical services provider, and a newly published set of protocols and procedures, the .CO registry is able to gain critical intelligence and to take swift and decisive action to take down any .CO website that puts the safety and security of the registry, its registrars, registrants and/or Internet users at risk.

Commenting on the registry’s commitment to enhanced domain security, Eduardo Santoyo, VP & ccTLD Manager of .CO Internet, said: “In announcing our intention to implement DNSSEC and by bringing into effect our Rapid Domain Compliance Process, we are adopting a position of stewardship in relation to Internet security.”

Recognizing that security of the DNS is an industry-wide concern, Santoyo goes on to state that “while we are no more at risk than any other domain registry on matters relating to domain name abuse, we firmly believe that it is our responsibility to be proactive in the field, especially given the explosive worldwide growth that .CO has enjoyed to date.”

Since launching .CO globally in the second level on July 20th, 2010, more than 600,000 .CO domain names have been registered by individuals and businesses in close to 200 countries.

To learn more about the .CO Rapid Domain Compliance Process and/or stay up-to-date on the status of the DNSSEC test phase, please check back regularly on www.cointernet.co or contact us directly using the contact details provided.

About .CO Internet S.A.S.
.CO Internet S.A.S. is the Registry Operator for the .CO top-level domain.  The .CO domain offers individuals, organizations and businesses a truly global, recognizable and credible web address for branding their online presence. Thanks to leading-edge technology, enhanced security and unprecedented rights protections, the .CO domain is poised to become the premier web address enabling secure Internet commerce and inspiring 21st Century entrepreneurship.  For more information about the .CO Registry, please visit www.COinternet.co and www.Opportunity.co — or follow us on Twitter @dotCO.

This news release was sourced from:
www.cointernet.co/media/press-releases/co-registry-announces-two-major-domain-security-initiatives


DNSSEC fully operational for .BE

As from 4 October .be domain names can be signed with DNSSEC

Through their registrar, all .BE registrants can attach DNSSEC key material to their .BE domain names, thereby completing the chain of trust all the way up to the root zone.

Anyone visiting a website using a DNSSEC signed domain name can be confident to reach the requested website.

As of now DNS.be will encourage .BE domain name holders and their registrars to sign .BE domain names with DNSSEC.

DNSSEC was designed to protect users from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed using public-key cryptography. By checking the digital signatures, a DNS resolver is able to check if the information is identical to the information on the authoritative DNS servers.

About DNS.be

DNS.be is a not-for-profit organisation established in February 1999 by ISPA Belgium (Internet Service Providers Association), Agoria and BELTUG (Belgium’s communication technology and services user Group). Our aim is to register .BE domain names, to make the Internet more accessible and to support its usage.

This DNS.BE news release was sourced from:
www.dns.be/en/home.php?n=454


DNSSEC Deployment Commences for .FR

The deployment of DNSSEC in the .FR (France) ccTLD by AFNIC commenced on 14 September. The next steps will see deployment of DNSSEC pursued by DNS servers, administrators, registrars and ISPs.

DNSSEC is a protocol designed to help secure the DNS against attacks by cache poisoning. The purpose of such attacks is to capture and divert requests without users realising it, the risk being that users may disclose personal data in the belief that they are on the legitimate site.

In the next few days, the public key associated with the .FR TLD will be published in the root servers. As of next week, AFNIC will start consultations with the registrars, in order to set up the system enabling them to publish the signature information for domain names under .FR, such as afnic.fr.

The work of AFNIC will then continue with the set-up of training and assistance services for registrars and DNS server administrators wishing in turn to deploy DNSSEC. For their benefit, AFNIC is also publishing a comprehensive issue paper devoted to DNSSEC issues and operation, with the questions to ask in order to prepare its deployment.

Finally, from September 20th onwards, AFNIC will be releasing version 3 of “ZoneCheck”, its DNS configuration test tool, a free software tool that integrates DNSSEC configuration tests, and is available on www.zonecheck.fr.

For more information in French and English on the deployment of DNSSEC in the .FR ccTLD, see the AFNIC website at www.afnic.fr.


Afilias secures .INFO domain with DNSSEC

Deployment of Domain Name System Security Extensions improves global security for .INFO

[news release] Afilias, a global provider of Internet infrastructure services, today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for the .INFO top-level domain (TLD). .INFO was officially signed on September 1, 2010 and its Delegation Signer (DS) records were entered into the DNS Root by the Internet Assigned Numbers Authority (IANA) on September 4th, allowing the .INFO zone to be validated using DNSSEC. The signing of the .INFO domain enhances global security for the seventh largest TLD in the world, home to more than 6.5 million registrations.

“The deployment of DNSSEC for .INFO continues Afilias’ long-standing commitment to ensure security in the domain name system,” said Ram Mohan, Executive Vice President and Chief Technology Officer for Afilias. “Once fully deployed in .INFO, DNSSEC will provide a trusted foundation to authenticate DNS queries and responses and prevent DNS hijacking.”

DNSSEC protects the DNS from cache poisoning exploits which can allow malicious entities to intercept an Internet user’s request to access a website, and redirect or eavesdrop on the user without their knowledge, and with no ability to reassert control. DNSSEC introduces digital signatures to the DNS infrastructure and automatically ensures that users are not hijacked and taken to an unintended destination.

While Afilias completed the largest registry DNSSEC deployment on behalf of the Public Interest Registry when it enabled DNSSEC for .ORG in 2009-2010, the signing of the .INFO zone represents the first step in Afilias’ recently announced “Project Safeguard” initiative, which will rollout DNSSEC across its registry and DNS platforms. Project Safeguard also includes an education and training program for Registrars to enable DNSSEC in their registration systems for website owners who intend to add DNSSEC signatures to their individual domains.

Now that the TLD is signed, Afilias will activate a “friends and family” period that will allow the public to gain experience with a select group of .INFO second level domain names that have also been signed. Shinkuro Inc. and Comcast have agreed to participate in this testing period.  The list of “friends and family” domains includes: afilias.info, info.info, shinkuro.info, comcast.info, and 19 other domains from Comcast.

Later this year Afilias will be enabling DNSSEC for many of the other TLDs that it supports, in total adding DNSSEC for 13 more TLDs before the end of 2010. For more information on Comcast’s participation, please see their DNSSEC Information Center:  www.dnssec.comcast.net/

About .INFO

.INFO was the first generic, unrestricted TLD to be launched since .com and is the most successful new TLD launched in over 25 years. Registrations in .INFO first became available in 2001. Since then, .INFO has grown to become the fourth largest gTLD in the world with over 6 million domain names registered. .INFO Domains are currently available in ten Internationalized Domain Name (IDN) scripts. For more information on .INFO please visit www.info.info/ .

About Afilias

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit www.afilias.info.

This Afilias/.INFO news release was sourced from:
www.afilias.info/news/2010/09/09/afilias-secures-info-domain-dnssec
www.info.info/news/2010/09/09/afilias-secures-info-domain-with-dnssec


DENIC Name Server Checks Now Featuring DNSSEC Functions

[news release] On its website, a specific interface exists which provides any user access to a tool for independently checking domain delegations in the way they are automatically verified by default by the DENIC registration system. This tool facilitates the delegation of second level domains under the German TLD .de. Moreover, it helps to avoid errors during the initial setup which may result in failures in case of domain deletions or even disturbances of entire network sections. The so-called Nameserver Predelegation Check is freely accessible to the public at www.denic.de/en/background/nast.html.

At the end of August, DENIC’s web surface for name server checks was extended by DNSSEC-specific checks. Users can deliberately activate this additional tool to test the technical parameters of DNSKEY records and to verify if the related signatures can be applied for validation. The checks have been active in the production environment for quite some time already. They are described in detail in the documentation DENIC-23, which also lists the system requirements. You will find the documentation under the aforementioned URL.

DNSSEC-specific tests can be executed with both domains already participating in the running testbed for .de and domains waiting to be registered in the testbed.

To enable users to carry out the relevant checks in their local systems, DENIC also provides an open source version of the related Name Server Test software (NAST) for download at the same URL. The software supplies detailed debugging information for individual search runs, if required.

This DENIC news release was sourced from:
www.denic.de/en/denic-in-dialogue/news/2913.html?cHash=4acc297130


Afilias To Expand DNSSEC Deployment To .INFO and 12 Others

Afilias has announced it will deploy Domain Name System Security Extensions (DNSSEC) across its registry platforms, signing 13 more top level domains (TLDs) it operates including .INFO and increasing DNSSEC deployment among domain registries by 50 percent.

“Afilias has been a leader in DNSSEC deployment, including working closely with .ORG to plan, design and implement the .ORG DNSSEC strategy as early as 2007,” said Ram Mohan, Executive Vice President and Chief Technology Officer for Afilias.

“We are pleased to introduce DNSSEC across our registry and DNS platform, protecting TLDs in our care from DNS cache poisoning and man-in-the-middle attacks, while maintaining consistency and convenience for registrars and their customers.”

In addition to .INFO, Afilias will deploy DNSSEC to .IN (India) and .ASIA by the end of 2010. In 2011, Afilias intends to deploy DNSSEC to the other TLDs it operates: .AERO, .AG (Antigua and Barbuda), .BZ (Belize), .GI (Gibraltar), .HN (Honduras), .LC (St Lucia), .ME (Montenegro), .MN (Mongolia), .SC (Seychelles) and .VC (St Vincent and the Grenadines).

DNSSEC development began in the early 1990s, but only recently became ready for broad deployment as an additional security measure to protect the DNS from cache poisoning exploits. Recently referred to as the Kaminsky bug, this exploit can allow malicious entities to intercept Internet users’ requests to access a website, and redirect or eavesdrop on these users without their knowledge, and with no ability to reassert control. DNSSEC introduces digital signatures to the DNS infrastructure and automatically ensures that users are not hijacked and taken to an unintended destination.

To deploy DNSSEC for these additional TLDs, Afilias is introducing a new global strategy, launched under its “Project Safeguard” initiative. Project Safeguard includes a registry and DNS infrastructure upgrade across Afilias’ global technology platforms to support DNSSEC. It also includes a year-long registrar training initiative to address technical issues concerning implementation of DNSSEC in registrar-registry transactions.

As part of Project Safeguard, Afilias conducted research across domain name registrars to understand the issues they face with DNSSEC deployment. Afilias’ Registrar DNSSEC Readiness Report found that:

  • Registrars think DNSSEC is a good idea, but are not yet fully prepared to offer consumer services. 80 percent of registrars believe that top-level domain (TLD) registries should offer DNSSEC. However, 90 percent of registrars currently feel completely unprepared or only somewhat prepared to actually offer DNSSEC services to their customers at this time
  • 69 percent of Registrars plan to offer DNSSEC services in 2011 or beyond. 32 percent have no plan to introduce DNSSEC within the next 12 months
  • Consumer demand is the biggest challenge for registrars. 56 percent cite a lack of consumer demand as their biggest challenge impeding their DNSSEC implementation
  • Registrars also cite issues with deploying DNSSEC technology:  For example, nearly 20 percent cite the management of DNSSEC keys as their number one concern, followed by more than 18 percent that cite overall DNSSEC technology and expertise.

“Our goal is to help registrars navigate the challenges of enabling the next generation of Internet security with DNSSEC, by providing a simple and singular enablement process to easily deploy DNSSEC across Afilias-supported domain registries,” said Mohan. “The Project Safeguard initiative should ease the technical burden of DNSSEC deployment and could spur user adoption.”


.AU To Get More Secure with DNSSEC

AuDA (.au Domain Administration) has announced the launch of a phased plan for the deployment of Domain Name System Security Extensions (DNSSEC) in the .AU domain.

The plan, developed in conjunction with the .AU registry operator, AusRegistry, outlines a five-stage process to introduce DNSSEC into .AU and its second-level zones (com.au, net.au etc).

“When the Internet was first developed, it was designed to be massively scalable, not inherently secure” said auDA’s CEO, Chris Disspain. “DNSSEC can provide an extra level of security to help ensure that Australian Internet users will be directed to the website or service they expect when they enter a domain name into their browser.”

“Once the .AU zone and its second level zone are signed, it will be up to ISPs, registrars and corporate entities with a significant web presence to extend the reach of DNSSEC to the end user” said Disspain.

“Given there are no immediate commercial incentives for them to do so, auDA believes that the Australian Government will play an important role in helping to deliver the message about the importance of DNSSEC for the security of Australia’s internet infrastructure.”

The implementation plan, scheduled to commence in September, allows for:

  • experimentation and testing of core systems
  • the gradual “signing” of second level .au domains and the .au TLD
  • a trial implementation for .AU domain registrants
  • full production rollout to registrants.

At the end of each stage, a review will be undertaken by auDA’s independent Security and Stability Advisory Committee (SSAC), chaired by Professor Bill Caelli from the Queensland University of Technology.

DNSSEC is a security extension that facilitates the digital signing of internet communications, helping to ensure the integrity and authenticity of transmitted data. Once fully implemented, DNSSEC offers additional protection against a range of vulnerabilities such as cache-poisoning, man-in-the-middle attacks and the Kaminsky exploit.

Given DNSSEC operates via a chain-of-trust, it will be most effective once every element between the Internet’s core infrastructure and the end user is DNSSEC-enabled. Accordingly, the fifth stage of the implementation plan will be the active encouragement of Australian ISPs and domain name registrants to adopt DNSSEC.
