Tag Archives: DNSSEC

DNS Gains Added Security with Root Servers Signed With DNSSEC

The deployment of DNS Security Extensions (DNSSEC) and internet security took a major step forward this week when the root zone was digitally signed for the first time. This marked the deployment of DNSSEC at the top level of the DNS hierarchy and paves the way for further roll-out of DNSSEC in the top level domains and by DNS service providers.

The move to sign the DNS root zone follows the move by TLDs who have announced they have signed their individual zones. These include .ORG and .EU (European Union) at the recent ICANN meeting in Brussels and .CH (Switzerland) earlier this year, among others.

The DNS Security Extensions, DNSSEC, extend standard domain name security to prove data came from an authoritative source and has not been modified, thwarting the so-called ‘man-in-the-middle attack’ and enabling the development of more secure internet applications and transaction processing, said the Internet Systems Consortium (ISC), which operates the largest of the 13 DNS root servers (F-root), in a statement. DNSSEC adds new resource records and message header bits which can be used to verify that the received DNS data matches the original data and has not been altered in transit.

Paul Vixie, President and CEO of ISC, stated: “We are very happy with today’s achievement! The signing of the root is the catalyst needed for further deployment of DNSSEC, particularly in the TLD registries. ISC has been intimately involved with the development of DNSSEC for more than fourteen years and we have been unwavering advocates of DNSSEC deployment. We applaud the efforts of ICANN and the Department of Commerce in achieving this momentous milestone and encourage other DNS data providers to do the same.”

For more detailed reports, see:

.ORG and .EU Deploy DNSSEC for Greater Web User Security

The 38th ICANN meeting currently underway has seen both the Public Interest Registry and EURid announce separately that they will be deploying Domain Name System Security Extensions (DNSSEC) for the .ORG and .EU top level domains respectively. The move will see increased security for visitors to websites in the two TLDs.

In a press conference held today, the Public Interest Registry said they are the first large TLD (with over eight million registrations) to implement DNSSEC. The first domain name to be signed with DNSSEC was isoc.org.

Meanwhile on Monday EURid announced it has deployed DNSSEC. As EURid explained, DNSSEC is a protocol that verifies and validates name server responses from the bottom up through a chain of trust, thereby making the domain name system more secure. It can prevent hackers from intercepting web traffic and redirecting it to fake websites that can trick people into supplying personal information, such as a counterfeit Internet banking site that looks like the real thing.

“At this time, few top-level domain registries support DNSSEC, but we encourage all in the community to help Internet users by embracing this protocol,” comments Marc Van Wesemael, EURid’s General Manager. He also noted that the DNSSEC protocol is an important achievement for EURid, which is constantly striving to improve the security of the domain names it administers.

DNSSEC does not come cheap, though, but there are many benefits to consumers. DNSSEC will enable consumers to be certain they are visiting a legitimate site, something that is especially important for banks and even charities, who have found there are people who will register domain names and establish websites to take donations, especially in the case of disasters as they happen around the world.

As Alexa Raad, CEO of .ORG, said at the ICANN meeting, being an early pioneer means it was more expensive to deploy DNSSEC, something she described as “not inexpensive”. Raad said DNSSEC deployment for .ORG will see registrars able to ensure safer access to websites, with three registrars making DNSSEC available to their customers and another twelve in the pipeline.

“Motivation for doing this is to lead the industry and it need not be a utopian vision,” said Raad, but she also noted that it is not something that is likely to make a profit for .ORG.

At the .ORG news conference was Steve Crocker, Co-Chair of ICANN’s DNSSEC Deployment Initiative. He said that it took 18 or 19 years to develop DNSSEC, “a lot longer than expected”. But it was something that had huge support and cooperation among industry players, something Dan Kaminsky described as being amazing.

Looking to the future with new generic Top Level Domains (gTLDs) likely to be announced in the next one to years, the question of cost arose. But costs should fall significantly as the new technology is deployed and it is likely DNSSEC out-of-the-box programmes will be developed to help existing and new registry operators implement DNSSEC. This will see costs reduce rapidly as the “technology is not inherently expensive”, noted Crocker. The major costs have been in the development of the technology.

To register your .EU or .ORG domain name, check out EuroDNS or Europe Registry.

.FI To Introduce DNSSEC

[news release] FICORA will introduce the Domain Name System Security Extension (DNSSec) for Finnish domain names. The security extension provides powerful protection against forgery of domain names as well as against other forms of attack. The introduction of the system guarantees that people using the internet are only shown the actual website that they intended to call up.

The security extension will be taken into production in the fi-domain name service in autumn 2010, but the testing of the system begins in summer 2010. At this point no measures are required from Internet users or domain name holders, but network operators are responsible for the introduction of the security extension. The service will be opened for the users of Finnish domain names in March 2011.

About DNSSec

DNSSEC (Domain Name System Security Extensions) is an extension to the domain name system, with the purpose of improving the information security of the name service. The name service can be compared to a telephone directory that covers the entire world, and every domain name (e.g. www.dnssec.fi) in this directory has been given a unique IP address (e.g. of its own.

When DNSSEC is in use, all responses to name service queries are digitally signed. This technology allows you to ensure that responses to name service queries come from the correct sender and that the information has not been modified en route. In other words, DNSSEC guarantees the integrity and origin of information.

A key pair, consisting of a public key and a private key, is needed in order to create a digital signature. The private key is kept secret and the holder alone has access to it. The public key is published in its own record in the name service. The digital signature can be verified by using the public key corresponding with the private key.

This news release was sourced from:

To register your .FI domain name, check out Europe Registry here.

Third DENIC DNSSEC Testbed Meeting Another Great Success

[news release] A whole kaleidoscope of hot topics and questions all around the protocol extension DNSSEC and the persistently great interest of the Internet community made the third .de DNSSEC testbed meeting at the premises of DENIC another success.

With roughly 60 attendees from the Internet industry and Internet associations, a diverse forum of users and providers of services and hardware and software tools supporting DNSSEC met in the offices of DENIC to be informed about the latest developments in combating DNS spoofing, cache poisoning and zone walking, and to use the opportunity for networking.

By now, the test infrastructure set up by DENIC has achieved most of the milestones of its roadmap: already at the beginning of March, the critical phase was entered with the initial publication of DS records in the signed test version of the .de zone. Logically, the focus of the accompanying four-meeting series is also shifting more and more to practical aspects. Besides information about the current status of the testbed provided by the persons responsible for the project at DENIC, the central issues of the technical presentations at yesterday’s second-to-last DNSSEC meeting were thus the experience gained and progress achieved by DNSSEC users from the most diverse fields of the IT environment.

Elementary aspects and administrative processes still posing big questions for numerous TLDs were also central topics of lively discussion: the security of NSEC3 resource records, the handling of domains that cannot be validated in error-prone zones, and, last but not least, the requirements to be defined for an appropriate policy for provider and/or DNS-operator changes under DNSSEC – all of them factors which are highly relevant in practice with regard to the global launch of the cryptographic protocol extension.

For reasons such as those mentioned above, DENIC deliberately planned the testbed for the generous period of 18 months from the very beginning. The declared aim of the project is to thoroughly analyze any potential operational and administrative risk and, on this basis, to develop substantial procedures which can be used as best practices within the scope of DNSSEC. Only long-term experience – so the credo – will provide valid results and assured practical suitability prior to launching the protocol extension in the production environment at the start of 2011.

On 24 November 2010, the fourth and last DNSSEC testbed meeting will take place to report on the additional experience gained and progress achieved with the .de zone by then. DENIC would be happy to welcome a large number of new interested parties who actively participate by operating their own domain(s) in the provided testbed, in order to have as broad as possible a basis for the final assessment of the testbed under cost-benefit aspects. By integrating the testbed into the production environment, DENIC has deliberately created very user-friendly conditions that make it easy to decide in favour of active participation.

Detailed information about DENIC’s latest DNSSEC testbed meeting, as well as all original papers, speaker profiles and live recordings of the presentations and discussions, are available online on the DENIC website.

To register your .DE domain name, check out Europe Registry here.

Major Milestone for the Internet and ICANN with DNSSEC Enabled

Today in the small town of Culpeper, Virginia, ICANN technical staff played host to an unusual and somewhat arcane event. Volunteers from over ten countries made their way by plane, train and automobile to witness and participate in the generation of the cryptographic key that will be used to secure the root zone of the Domain Name System using DNSSEC for the first time.

During the ceremony, participants were present within a secure facility and witnessed the preparations required to ensure that the so-called key-signing-key (KSK) was not only generated correctly, but that almost every aspect of the equipment, software and procedures associated with its generation was also verified to be correct and trustworthy. The ceremony was conducted with the goal of ensuring that there is widespread confidence throughout the technical Internet community that the root zone, once signed, can be relied upon to protect users from false information.

Ceremony participants referred to an extremely detailed checklist and were able to confirm that every aspect of the process was executed exactly as planned. The entire event was video-recorded simultaneously by three separate cameras, and ICANN arranged for the whole system to be subject to a SysTrust audit, a process supported by the archived, unedited video footage and the legal attestations of key participants.

The path down the long road to Culpeper has required considerable effort and investment by ICANN, and has benefited from an extremely productive collaboration between staff at ICANN, VeriSign and the US Department of Commerce. ICANN, with the help of some talented consultants, has designed processes that are thought to surpass those of many commercial Certificate Authorities not only in the degree of openness and transparency in their design and execution, but also in terms of the security engineering involved.

The design of the overall system requires ICANN to execute a ceremony like this one four times per year. The next ceremony is scheduled to take place on July 12 in El Segundo, California, where ICANN has built a second facility intended to ensure continuity for the DNS (and hence Internet users world-wide) in the event of a serious disaster in one location.

All design documentation for the ceremony will be published by ICANN, not only to promote transparency in the process for the root zone, but also to act as a valuable reference to any other organization that needs to build similar systems to support DNSSEC in top-level domains, enterprises, or anywhere else. The deployment of DNSSEC in the root zone of the DNS will hence act as a catalyst for global DNSSEC deployment not only because of the special nature of the root zone, but also because of the design and engineering investment ICANN is giving back to the wider community.

This ICANN announcement was sourced from:

ICANN’s First DNSSEC Key Ceremony for the Root Zone

The global deployment of Domain Name System Security Extensions (DNSSEC) will achieve an important milestone on June 16, 2010 as ICANN hosts the first production DNSSEC key ceremony in a high security data centre in Culpeper, VA, outside of Washington, DC.

Secure data center in Culpeper, VA – location of first DNSSEC key signing ceremony

During the key ceremony the first cryptographic digital key used to secure the Internet root zone will be generated and securely stored.

Each key ceremony consists of a series of detailed procedures designed to allow the private key material for the root zone to be managed in a transparent yet secure manner. The goal is for the whole Internet community to be able to trust that the procedures involved were executed correctly, and that the private key materials are stored securely.

Security of the private key is important because it ensures that any signature made by that key is known to originate from a legitimate key ceremony, and not from an untrusted third party.

Each key ceremony will involve ICANN staff together with 14 volunteers known as Trusted Community Representatives (TCRs). Each TCR is a respected member of the technical Domain Name System (DNS) community in their home country. They are also unaffiliated with ICANN, VeriSign or the US Department of Commerce, and have been assigned a separate key management role within the ceremony. The involvement of these independent participants provides transparency of process — a successful key ceremony is only possible if the TCRs involved are satisfied that all steps were executed accurately and correctly. The ceremony and its associated systems and processes will also be subject to a SysTrust audit.

The deployment of DNSSEC in the root zone of the DNS provides benefits for those who publish information in the DNS, and for those who retrieve it. Top-Level Domain (TLD) managers and end-users alike will benefit from being able to publish and locate cryptographic key material (“trust anchors”) in the root zone. The root zone provides a consistent and convenient entry point to the security of the whole system.

A second key ceremony will take place in a second secure facility in Los Angeles in early July. By having two complete and independent facilities available, ICANN is able to ensure that key ceremonies can continue to occur in the event of an unexpected disaster in one location. Scheduled key ceremonies will take place four times annually, with two occurring in each location. Full deployment of DNSSEC in the root zone, using the key first generated in Culpeper, is scheduled to take place on July 15, 2010. Extensive documentation and related information about the project can be found at www.root-dnssec.org/.

This ICANN announcement was sourced from:

ICANN: Trusted Community Representatives Approach to DNSSEC Root Key Management

ICANN, as the IANA functions operator, seeks to improve confidence in and acceptance of the DNSSEC security mechanism among the wider Internet community by inviting recognized members of the DNS technical community to be part of the key generation, key backup and key signing process for the root.

As part of the joint effort to secure the domain name system (DNS) and the Root DNSSEC key management process currently under consideration, a number of persons acting as trusted representatives of the Internet community will be sought to participate in the root key generation and signing ceremonies. These persons are called Trusted Community Representatives (TCRs).

ICANN will select 21 TCRs and a number of candidate TCRs. Initially, this will be done on a provisional basis to determine the approach’s viability based on the success of the first Hardware Security Module (HSM) initialization and key generation that is scheduled for June 2010. The selection will be based on Statements of Interest, solicited from the Internet community at www.root-dnssec.org/tcr/. Persons considered affiliated with ICANN, VeriSign or the U.S. Department of Commerce may not become a Trusted Community Representative.

For more information: www.root-dnssec.org/wp-content/uploads/2010/04/ICANN-TCR-Proposal-20100408.pdf [PDF, 102 KB]

This ICANN announcement was sourced from:

.ORG to enable DNSSEC by June 2010

.ORG domain names will have additional security enabled as of 30 June this year, the Public Interest Registry (PIR), the registry for .ORG, has announced. The registry says it intends to enable full DNSSEC deployment in the .ORG registry by accepting second level signed .ORG zones beginning in June of 2010. This positions .ORG as the first generic top-level domain (TLD) to offer full DNSSEC deployment.

There are approximately 7.5 million registered .ORG domain names and the deployment caps off a two-year testing period of DNSSEC.

“We applaud PIR’s leadership in the deployment of DNSSEC in the gTLD space,” said Rod Beckstrom, president and chief executive officer of ICANN. “Opening up general registration of signed zones in .ORG is a major step forward.”

All registrars can now plan to offer an additional security service to their customers. The benefits of DNSSEC include the ability to thwart the increasingly prevalent attacks like pharming, cache poisoning, and DNS redirection that have been used to commit fraud, distribute malware and/or carry out identity theft. DNSSEC, an upgrade to the internet infrastructure, protects Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.

“This announcement, coupled with recent ones by Comcast, various ccTLDs and even ICANN, is an important signal not only for application providers, ISPs, and telcos, but also for registrars to begin planning their implementation and addressing the customers’ need for enhanced security,” said Alexa Raad, chief executive officer of PIR. “Ensuring Internet security and stability are among our highest priorities. Being the first to fully deploy DNSSEC positions .ORG registrants to be amongst the first to safeguard their users from escalating security threats, especially as Internet usage continues to grow exponentially.”

Launching signed delegations, with the technical support of Afilias, is the final step in PIR’s phased approach to fully deploying DNSSEC within the .ORG zone. A rigorous “friends and family” testing phase, started in June of 2008, has enabled PIR not only to thoroughly test and address operational and deployment issues related to zone management, key distribution and rollover, but also to assist registrars in the development and deployment of the service.

All interested registrars must pass a mandatory DNSSEC Certification Test. For more information regarding .ORG DNSSEC initiatives and information, please visit: pir.org/dnssec.

To register your .ORG domain name, check out America Registry here.

DENIC Enables Registration of DNSSEC Key Material as from 2 March

[news release] The “DNSSEC Testbed for Germany” enters the decisive phase: as from 2 March 2010 DENIC also gives second level domains under .de the opportunity to participate in the DNSSEC testbed and to record the related key material. In this process, DENIC first registers the Key Signing Keys used as Trust Anchors, and then publishes the corresponding DS records in the .de zone accessible in the testbed. Thus, for the first time, participants in the testbed will receive DNSSEC-secured responses for the second level domains involved. This is a considerable improvement compared with the previous status.

After having successfully implemented the signed version of the .de zone in the testbed environment in January, DENIC now, in the second phase of the project, makes available interfaces for registering and administering the key material of delegated .de domains. These new features are also supported by the information services “whois” and “domain query”.

To be able to participate in the testbed, domain holders must use DNSSEC-capable name server software for their domain; this is an essential prerequisite. At present, the implementation is primarily suited to domain holders who operate their own name servers. As with domain registration and administration, the Key Signing Key is registered by the Internet service provider or domain registrar who administers the domain. Interested domain holders are therefore requested to contact their providers directly and to consult them about their personal options for using DNSSEC.
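As an added example (not code from DENIC or from FICORA's release above) of the key-publication step both describe: the parent zone publishes a DS record carrying a digest of the child's Key Signing Key, and a validating resolver checks the DNSKEY it receives against that DS, so a substituted key breaks the chain of trust. Standard library only; the key bytes and the zone name example.de are constructed stand-ins, not real data.

```python
# Constructed example of the DS <-> DNSKEY link DENIC describes: a child
# zone's Key Signing Key is a DNSKEY record; the parent publishes a DS record
# holding a digest of it, and a validator checks that the DNSKEY it received
# hashes to the DS it trusts. Standard library only; the key bytes and the
# zone name "example.de" are constructed, not real data.
import hashlib
import hmac
import struct

KSK_FLAGS = 257            # ZONE (256) + SEP (1): marks a Key Signing Key
DNSKEY_PROTOCOL = 3        # fixed value for DNSSEC keys (RFC 4034)
ALG_RSASHA256 = 8          # algorithm number carried in DNSKEY and DS
DS_DIGEST_SHA256 = 2       # DS digest type 2 = SHA-256


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, each
    preceded by its length byte, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, DNSKEY_PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit sum over the RDATA with
    even-offset bytes weighted by 256, carries folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> tuple:
    """What the parent publishes: (key tag, algorithm, digest type, digest)."""
    return key_tag(rdata), rdata[3], DS_DIGEST_SHA256, ds_digest(owner, rdata)


def dnskey_matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator side: does this DNSKEY correspond to the trusted DS?"""
    tag, alg, digest_type, digest = ds
    if digest_type != DS_DIGEST_SHA256 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return hmac.compare_digest(digest, ds_digest(owner, rdata))


# Constructed, non-functional key bytes standing in for an RSA public key.
SAMPLE_KSK_PUBLIC_KEY = bytes(range(1, 33))
SAMPLE_ZONE = "example.de"


def demo() -> dict:
    """Publish a DS for the constructed KSK, then check the genuine DNSKEY
    and a substituted one (one public-key byte changed) against it."""
    rdata = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, SAMPLE_KSK_PUBLIC_KEY)
    ds = make_ds(SAMPLE_ZONE, rdata)
    forged = rdata[:-1] + bytes([rdata[-1] ^ 0x01])
    return {"key_tag": ds[0],
            "genuine_ok": dnskey_matches_ds(SAMPLE_ZONE, rdata, ds),
            "forged_ok": dnskey_matches_ds(SAMPLE_ZONE, forged, ds)}


if __name__ == "__main__":
    print(demo())
```

The same digest is what a registrar submits when it records a holder's Key Signing Key, which is why the release stresses that the key material must come through the provider that administers the delegation.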

Within the next months, DENIC will clarify technical and operational questions in detail together with the testbed participants. The goal is to gain additional important knowledge with the support of a large number of participants – also new ones – and to design workflows and procedures in terms of practical suitability.

You will find more detailed information about the DNSSEC testbed and how to actively participate in it on DENIC’s special webpages. Additionally, DENIC has established a testbed mailing list to which you can subscribe via the link mailinglists.denic.de/mailman/listinfo/dnssec-testbed-l. This list serves as a platform for mutual technical support and for exchanging experience.

This DENIC news release was sourced from:

To register your .DE domain name, check out Europe Registry here.