Tag Archives: DNSSEC

New DNSSEC Signing Facilities Live at ICANN

ICANN’s commitment to the deployment of Domain Name System Security Extensions (DNSSEC) continues with the launch of the Generic Signing Infrastructure (GSI).

After several months of testing the operational aspects of the GSI, ICANN engineers executed the maintenance procedure to publish a signed ICANN.ORG domain on March 11, 2010 at 0400 UTC.

The GSI has been designed as a high-security, high-availability service suitable for use in managing the DNS zones that ICANN maintains. Built around the community-driven “OpenDNSSEC” project, the GSI includes the use of “FIPS 140-2 level 4” validated Hardware Security Modules (HSMs) with signing hardware protected within “class 5 GSA-rated” safes. These certifications are defined by the US Government to specify some of the highest levels of operational and physical security generally available.

The GSI is split between two locations, one on each coast of the USA, with either site able to perform signing operations in the event that the other site is unavailable.

Once reliable production service with the ICANN.ORG domain has been confirmed, the GSI will be available to sign the other zones ICANN maintains such as IN-ADDR.ARPA and IP6.ARPA.

To read a presentation on OpenDNSSEC from ICANN’s 2009 Sydney meeting, go here: syd.icann.org/files/meetings/sydney2009/presentation-open-dnssec-22jun09-en.pdf

To read the transcripts and presentations from a session on DNSSEC at the Nairobi International Meeting on March 10, 2010, go here: nbo.icann.org/node/8924.

This ICANN news release was sourced from:
icann.org/en/news/releases/release-17mar10-en.pdf

DNSSEC Edges Closer for .DE

The “DNSSEC Testbed for Germany” has entered a decisive phase: as of 2 March 2010 DENIC has given all second level domains under .DE the opportunity to participate in the DNSSEC testbed and to record their experiences.

In this process, DENIC initially registers the Key Signing Keys used as Trust Anchor, and then publishes the corresponding DS records in the .de zone accessible in the testbed. Thus, for the first time, the participants in the testbed will receive DNSSEC-secured responses for the second level domains involved. This is a considerable improvement compared with the previous status.

After having successfully implemented the signed version of the .DE zone in the testbed environment in January, DENIC now makes available, in the second phase of the project, interfaces for registering and administering the key material of delegated .DE domains. These new features are also supported by the information services “whois” and “domain query”.

To be able to participate in the testbed, domain holders must use DNSSEC-capable name server software for their domain. This is an essential prerequisite. At present, the implementation is primarily suited to domain holders who operate their own name servers. As with domain registration and administration, the Key Signing Key is registered by the Internet service provider or domain registrar who administers the domain. Interested domain holders are therefore requested to contact their providers directly and to consult them about their options for using DNSSEC.

Within the next months, DENIC will clarify technical and operational questions in detail together with the testbed participants. The goal is to gain additional important knowledge with the support of a large number of participants – also new ones – and to design workflows and procedures in terms of practical suitability.

You will find more detailed information about the DNSSEC testbed and how to actively participate in it on DENIC’s special webpages. Additionally, DENIC has established a testbed mailing list to which you can subscribe via the link mailinglists.denic.de/mailman/listinfo/dnssec-testbed-l. This list serves as a platform for mutual technical support and for exchanging experience.


Swiss Among World Leaders in Enabling DNSSEC

SWITCH, the registry for .CH and .LI domain names, enabled DNSSEC on day two of the annual Domain Pulse conference in Luzern yesterday. SWITCH became the third ccTLD registry to enable DNSSEC, giving registrants of .CH domain names added security, following .SE (Sweden) and .CZ (Czech Republic). The added security for internet users allows for a more secure internet, especially important for banks and other financial services providers, for example.

At the Domain Pulse conference, Urs Eppenberger of SWITCH and Marc Furrer of the Swiss Federal Communications Commission (ComCom) enabled DNSSEC. Furrer said he was very pleased with the efforts of SWITCH to be playing a leading role in the implementation of more secure internet communications and commerce. “I am particularly proud of the fact that Switzerland is one of the first countries in Europe to introduce DNSSEC. This now guarantees security in the internet,” said a delighted Marc Furrer, President of ComCom, in a statement.

Meanwhile DENIC is on schedule to prepare a test bed for registrars, and this phase will run until 2011, said Sabine Dolderer, the company’s CEO.

However, nic.at will not be introducing DNSSEC in 2010, said Richard Wein, CEO of nic.at. Wein believes there is not yet the demand or the market for it in Austria (.AT) at the moment, but like DENIC, nic.at will be watching developments in the .CH ccTLD closely. Nic.at will be preparing for DNSSEC internally to have it ready for deployment when there is a demand. Nic.at is also preparing an innovative business model to allow internet companies demanding a high level of security, such as registries (in particular those planning to apply for new generic Top Level Domains, gTLDs), registrars and banks, to use its infrastructure. It is planned to have this finalised in the summer of 2010.

Other presentations included one from Steve Gobin of ICANN, who spoke of the new Registrar Accreditation Agreement, while Simon Kopp of Kantonspolizei Luzern spoke about Fit4Chat, an initiative of the Luzern canton’s police department to help parents and children deal with unwanted contact from strangers, and in particular older adults, online. There was also a presentation on internationalised domain names (IDNs) from Leonid Todorov of the Coordination Centre for TLD RU, who explained the difficulties for Russian users in having to use only Latin characters for domain names. With a very small number of English speakers, especially in the more remote regions, and no adequate Latin/Cyrillic script translation, particularly relating to international trademarks, the introduction of IDNs will be of huge benefit to internet users in the country.

The 2011 Domain Pulse conference will be held in Vienna, Austria, from 17 to 18 February, which will more or less coincide with the predicted one millionth .AT domain registration milestone.

Videos and slides of all presentations, mostly in German, are available on the Domain Pulse website at domainpulse.ch, although without the simultaneous translations provided during the meeting.

Domain Name Security Gains Prominence in German-Speaking World

The 2010 Domain Pulse, hosted by SWITCH (the .CH registry), was held in the snowy Swiss city of Luzern. Domain Name System (DNS) security was of particular importance in this year’s meeting, with DNSSEC being implemented in the root zone in 2010 by ICANN, and by many registries in the next few years.

ICANN plans to have all root servers signed with DNSSEC by mid-2010, Kim Davies, Manager, Root Zone Services at ICANN, told the meeting on Monday, starting with the L root server, then the A root server, with the J root server the last as all are gradually signed. ICANN has taken a conservative approach to deploying DNSSEC to ensure there are no mistakes in its implementation, said Davies.

Meanwhile the registration of domain names used for illegal content, such as phishing or child pornography, was hotly discussed. All three lawyers on the panel, Clara-Ann Gordon (Switzerland), Dr. Boris Uphoff (Germany) and Michael Pilz (Austria), said in varying degrees that when it is difficult to contact the domain registrant, using the registrar as a means of deleting the domain name was justified. Difficulties can often occur with such a domain name registration when the registrant includes false registration information.

The registries, represented by their legal counsel Stephan Welzel (DENIC), Barbara Schlossbauer (nic.at) and Nicole Beranek Zanon (SWITCH), took this discussion further and explained what happens when there are difficulties in contacting registrants, such as when there is illegal use of the domain name. In the case of phishing, in Austria the domain name is deleted if the registry is certain the content is illegal; in Germany the domain name is not deleted, as they believe the domain name is not the problem but the content is; while in Switzerland the domain is temporarily blocked until the legal situation is sorted out.

Videos of all presentations, mostly in German, are available on the Domain Pulse website at domainpulse.ch, although without the simultaneous translations provided during the meeting.

AFNIC invites network managers to prepare for the signing of the DNS root in May 2010

[news release] From May 2010, all the root servers on which the working of the domain name system depends will be giving DNS responses signed using the DNSSEC protocol.

This evolution aims to increase confidence in DNS responses (by authenticating their origin); administrators of networks connected to the Internet should be aware that it could cause some service disruptions.

In fact, the changes in the root server configuration could lead to a risk of DNS disconnection, and therefore disruption of Internet service in certain cases.

AFNIC’s advice

1. Check whether your network, as well as your DNS service, could be affected by this potential dysfunction. On a machine where the dig software is installed, run:

dig +short rs.dns-oarc.net txt

2. Check that the response indicates more than 1500 bytes. For instance:

“203.0.113.1 DNS reply size limit is at least 4023 bytes”

3. If the tests indicate that packets bigger than 1500 bytes can’t get through, analyse the whole network and the intermediate equipment (firewalls), then make sure that everything has been properly configured.

4. Another alternative, if you do not have a simple DNS client like dig:
<labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues>

This tool, developed by the RIPE-NCC, requires Java.

5. For end users (company, university or domestic ISP subscriber), please check with your ISP.

Technical background

The DNS root is signed with DNSSEC. In 2010, the root servers will start giving signed responses. From next May, the 13 root DNS servers will send DNSSEC information. This includes cryptographic signatures, whose size is about five to ten times that of standard DNS responses. These signatures will exceed the previous DNS limit of 512 bytes, and sometimes even the 1500 bytes of the Ethernet MTU (“Maximum Transmission Unit”), the most widely used on the Internet.

In fact, RFC 2671, which extended the 512-byte limit, was published in August 1999 and is more than ten years old. There is still some firewall or other network equipment that is badly designed or not properly configured and will reject DNS responses more than 512 bytes long.

Among the equipment that accepts longer responses, some does not correctly handle IP packet fragmentation (for instance because it blocks all ICMP packets) and therefore cannot receive DNS packets larger than the MTU (generally 1500 bytes).

Networks that reject DNS packets larger than 512 bytes, or even those that only reject packets longer than 1500 bytes, will no longer be able to “communicate” with the DNS root after May 2010 (that is, they will no longer get any response), and will therefore be practically unable to access the Internet.
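The check in AFNIC’s advice above boils down to two things: the client must advertise a larger UDP reply size through an EDNS0 OPT record (RFC 2671), and the reported limit must be above the 1500-byte MTU. The following is an added example (not AFNIC’s or DNS-OARC’s code) that builds such a query the way dig does, reads the advertised size and the TC bit back out of raw packets, and applies the "more than 1500 bytes" criterion to the TXT answer; the reply text and packets it is tested with are constructed, and send_udp needs a resolver address you supply.

```python
import re
import socket
import struct

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a 0 byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_edns_query(name, qtype=16, udp_size=4096, txid=0x1234):
    """Query with an OPT pseudo-RR (RFC 2671) in the additional section.
    udp_size is the reply size this client says it can accept; without the
    OPT record the server must fit its answer into 512 bytes or truncate."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # TXT, IN
    # OPT RR: root name, TYPE 41, CLASS field = UDP payload size,
    # TTL field = extended RCODE/version/flags (all zero), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def advertised_udp_size(query):
    """Read the payload size back out of the trailing 11-byte OPT record."""
    opt = query[-11:]
    if opt[0] != 0 or struct.unpack("!H", opt[1:3])[0] != 41:
        raise ValueError("no OPT record at end of query")
    return struct.unpack("!H", opt[3:5])[0]

def is_truncated(response):
    """TC bit (0x0200 in the flags word): the reply did not fit the UDP limit,
    which is what a path stuck at 512 bytes looks like to the client."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

SIZE_RE = re.compile(r"DNS reply size limit is at least (\d+) bytes")

def reply_size_ok(txt, needed=1500):
    """AFNIC's criterion applied to the rs.dns-oarc.net TXT answer:
    the reported limit must exceed the 1500-byte Ethernet MTU."""
    m = SIZE_RE.search(txt)
    if not m:
        raise ValueError("unexpected reply text: %r" % txt)
    return int(m.group(1)) > needed

def send_udp(resolver, packet, timeout=3.0):
    """Send the query to a resolver of your choice and return the raw reply
    (needs network access; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (resolver, 53))
        return s.recv(65535)
```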

Glossary:
DNS: en.wikipedia.org/wiki/Domain_Name_System
DNSSEC: en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
ICMP: en.wikipedia.org/wiki/Internet_Control_Message_Protocol
MTU: en.wikipedia.org/wiki/Maximum_Transmission_Unit

ROOT: the set of servers spread around the world upon which the domain name system relies. These servers have a key role in dispatching requests to the right name servers of the relevant TLD (Top-Level Domain) such as .fr or .com.

Some useful links:

– The root signing plan announcement
<www.ripe.net/ripe/meetings/ripe59/presentations/uploads/presentations/Tuesday/Plenary%2014:00/Abley-DNSSEC_for_the_Root_Zone.mId7.pdf>
– The official website for the signing project
<www.root-dnssec.org/>, with the roll-out timetable
– Instructions for a root server
<labs.ripe.net/content/preparing-k-root-signed-root-zone>
– Can your DNS server accept any size packet (in French)?
<http://www.bortzmeyer.org/dns-size.html>
– A French language mailing list about the DNS, where you can
get support from peers
<https://listes.cru.fr/sympa/info/dns-fr>

-=-=-=-=-=-=-

About AFNIC

(Association Française pour le Nommage Internet en Coopération)

A non-profit organization, AFNIC is in charge of the administrative and technical management of the .fr (France) and .re (Reunion Island) Internet domain names.
AFNIC brings together public and private members: representatives from the French government, Internet users and Internet Service Providers (Registrars).

For further information, see www.afnic.fr/afnic/presentation


This AFNIC news release was sourced from:
www.afnic.fr/actu/nouvelles/240/afnic-invites-network-managers-to-prepare-for-the-signing-of-the-dns-root-in-may-2010

DNSSEC Deployment in Root Zone of DNS Begins at ICANN

The collaboration between ICANN, the Commerce Department’s National Telecommunications and Information Administration (NTIA) and VeriSign, Inc. to deploy DNSSEC in the root zone of the Domain Name System (DNS) passed an important milestone today. DNSSEC information is now being served by L-Root, one of the Internet’s 13 root servers, operated by ICANN.

The DNS is vitally important to the proper operation of almost all services on the Internet, and the deployment of DNSSEC in the root zone is the biggest structural improvement to the DNS to happen in twenty years. The deployment of DNSSEC is proceeding with widespread involvement of the Internet’s technical community, and is being carefully staged so that any unintended consequences of the deployment can be identified and mitigated promptly.

ICANN engineers executed a maintenance procedure to introduce DNSSEC data into L-Root between 1800-2000 UTC on 27 January 2010. The maintenance was completed as planned. The reaction of the root server system as a whole to the change is being closely monitored, with root server operators performing extensive data collection to be analysed centrally. The data collection and analysis is being coordinated by DNS-OARC, the Domain Name System Operations Analysis and Research Center.

Other root server operators will execute similar maintenance procedures in the coming months. Deployment of DNSSEC is proposed to be completed in July 2010.

For more information about the deployment of DNSSEC in the root zone, including details of how to contact the deployment team, please visit www.root-dnssec.org.

This ICANN announcement was sourced from:
icann.org/en/announcements/announcement-27jan10-en.htm

DENIC Goes Ahead in the Signed DNSSEC Zone

The DNSSEC testbed for Germany has met another milestone of its roadmap: exactly as planned, DENIC made available the signed version of the .de zone in the DNSSEC test environment on 5 January 2010. What does this mean precisely?

1. DENIC will sign the current .de zone version from the production environment once a day and make it available in the DNSSEC test environment for DNS queries.

2. The two name server clusters in Frankfurt (81.91.161.228) and in Amsterdam (87.233.175.25) will answer DNS queries including DNSSEC data as authoritative and non-recursive name servers.

3. You will find instructions on how to redirect queries for .de domains for various resolvers in separate configuration examples.

4. As regards validating resolvers, the set-up now allows the Trust Anchor to be configured for the .de testbed. The Trust Anchor is a copy of the public part of the Key Signing Key, which is communicated to the resolver as the Trusted Key. This Trust Anchor, or Secure Entry Point, is published on an https-secured webpage.

de.             86400   IN      DNSKEY  257 3 8 (
AwEAAZ1FqQED8QBrk3Jk4q96lggh4uiwlbdbZ0posfIgcaJJqfTNBfEhn6PEPqqRP
73libD55vujfYzKMN0fVd34wrdOpSTpMbw+oqQpJyecfGVYH1fnqws23n5QE03/
7SN98O8Cm+HBpB66JurTHWD3f4es8IUoumb/SXY44qb+oqWfmM3wS8aQVA5
d2gHpKrRIPlDHA/MB3FHGL64VpfV8KJ76kp1RBthR7Y0qalTskOouVeCOEa7gUiIl
jt1kTf64HFGsRi11klpCHBjtTiTg7MFN25nASuhbyTmWlRxPyg79BK7EDQ+tAe09N
YkS1P7tOe8ola9IpQHTWO6ttTmSnyE= )

This Key Signing Key will remain valid until revoked. Any scheduled key changes will be announced with due notice.

5. In addition to the 2048-bit Key Signing Key, a 1024-bit Zone Signing Key will be used, which will be changed every five weeks. Both keys generate signatures in accordance with the standardized RSA/SHA-256 procedure as specified in RFC 5702.

6. The .de zone is signed with opt-out, using NSEC3 records according to RFC 5155.
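Item 4 above (the KSK published as Trust Anchor) and the March phase described earlier (DENIC registering delegated KSKs and publishing the matching DS records in the .de zone) are two views of the same key. The following is an added example, not DENIC’s code, that parses a DNSKEY in the presentation format shown above, computes its key tag (RFC 4034 Appendix B) and the SHA-256 DS record a parent would publish for it, and emits the BIND 9 trusted-keys stanza a validating resolver would use; the sample key is constructed, not the real .de KSK.

```python
import base64
import hashlib
import struct

def encode_name(name):
    """Wire-format owner name (lower-cased, canonical form), ending in 0."""
    labels = [l for l in name.lower().strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text):
    """Parse presentation format, parentheses and line breaks included."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    owner, _ttl, _cls, rtype, flags, proto, alg = tokens[:7]
    if rtype.upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    return owner, int(flags), int(proto), int(alg), "".join(tokens[7:])

def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """RDATA on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit accumulating sum over the RDATA bytes."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags):
    """257 = ZONE (bit 7) + SEP (bit 15): a key intended as a trust anchor."""
    return flags & 0x0101 == 0x0101

def ds_record(owner, flags, proto, alg, pubkey_b64):
    """DS with digest type 2 (SHA-256, RFC 4509) over owner name + RDATA;
    this is what the parent zone publishes for a delegated zone's KSK."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    digest = hashlib.sha256(encode_name(owner) + rdata).hexdigest().upper()
    return "%s. IN DS %d %d 2 %s" % (owner.strip("."), key_tag(rdata), alg, digest)

def trusted_keys_stanza(owner, flags, proto, alg, pubkey_b64):
    """Same key as a BIND 9 trusted-keys entry for a validating resolver."""
    return 'trusted-keys { "%s." %d %d %d "%s"; };' % (
        owner.strip("."), flags, proto, alg, pubkey_b64)

# Constructed sample key (4-byte public key, not the real .de KSK) so the
# code runs offline; paste a real record into parse_dnskey the same way.
SAMPLE = "de. 86400 IN DNSKEY 257 3 8 ( AQID\nBA== )"

if __name__ == "__main__":
    owner, flags, proto, alg, b64 = parse_dnskey(SAMPLE)
    print("KSK" if is_ksk(flags) else "ZSK", "key tag", key_tag(dnskey_rdata(flags, proto, alg, b64)))
    print(ds_record(owner, flags, proto, alg, b64))
    print(trusted_keys_stanza(owner, flags, proto, alg, b64))
```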

Further details about the technology and the signing procedure will be explained in the second DNSSEC Testbed Meeting. It will take place on 26 January 2010 at the DENIC head office in Frankfurt. Places are still available.

On 2 March 2010, the DNSSEC testbed will enter the next phase. From then on, it will be possible to record key material in the form of DNSKEY records for delegated .de domains in the registration database. Delegated second level domains may then also participate in the testbed.

This DENIC news release was sourced from:
www.denic.de/en/denic-in-dialog/news/2457.html?cHash=e05ad63200
