Tag Archives: Domain Name System Security Extensions

.VN Sees Domain Registration Growth of 8.3% in 2018 On Back Of New Online Registration System


IPv6 penetration grew by a quarter (25.85%) in 2018 to take Viet Nam’s ccTLD to 13th place globally for IPv6 adoption while domain names under management reached 465,890, an increase of 8.3% compared to the end of 2017. Since 2011, .vn has been one of the top 10 ccTLDs for growth in the Asia Pacific.

The growth in registrations in 2018 came on the back of a new registration procedure and management system for .vn that came into effect in September 2018. The simplified registration process means it’s much easier to register domain names in Viet Nam’s country code top level domain while still complying with Vietnamese regulations and laws.

The growth in IPv6 deployment of 25.85% means there are now more than 14 million IPv6 users, including 6.5 million FTTH subscribers and 3.1 million mobile users. Viet Nam ranked second in ASEAN, 6th in Asia Pacific and 13th globally for IPv6 adoption rate.

2018 also saw VNNIC, the .vn ccTLD registry, continue to improve the connection stability, security and safety of the national DNS .VN system and other critical information infrastructures operated by VNNIC. DNSSEC was extended to all national DNS servers and the national .vn DNS system is connected with DNS ROOT and international DNS systems.

By the end of 2018, the Viet Nam National Internet eXchange (VNIX) system had 20 members peering over exchange points in Ha Noi city, Da Nang city and Ho Chi Minh city, with the total connection bandwidth reaching 269 Gbps. 13 of the VNIX members deployed dual-stack networks. Among them, CMCTI, VNPTNET and Viettel are the 3 ISPs with the highest amount of traffic over VNIX, at 51GB, 50GB and 42GB respectively, an increase of about 34% compared to their traffic over VNIX in 2017.

On 7 August, VNNIC maintained and extended the validity of the ISO/IEC 27001:2013 certification standard within the scope of operation and management of essential network systems in Viet Nam including the national DNS .VN system, the Internet eXchange system and Internet data centers (IDCs) in Ha Noi city, Da Nang city and Ho Chi Minh city.

In 2019, VNNIC’s plans include accomplishing the Viet Nam National IPv6 Action Plan, continuing to promote the use of internet resources in Viet Nam, strengthening the security of critical information infrastructures including the national DNS .vn and VNIX system, improving the effectiveness of internet resources management policy, developing regulations for the auction of one and two-character .vn domain names, and innovating the VNIX operating system following international standards.

ICANN: Request for Proposal: DNSSEC KSK Management Tools

ICANN is soliciting proposals to identify a provider that will develop and maintain software for its affiliate Public Technical Identifiers (PTI) that will replace the existing Domain Name System Security Extensions (DNSSEC) Key Signing Key (KSK) Management Tools. These tools comprise a critical component of the delivery of the IANA functions by PTI. The selected provider, in coordination with PTI, will be responsible for all aspects of development and implementation including design, programming, testing and configuration.

All deliverables must be created under formal guidelines with comprehensive documentation. The software will be published under an open source license and must incorporate industry best practices with documented test cases that will be shared with the Internet community.

The DNSSEC KSK Management Tools are a set of software utilities to manage the KSK life cycle, including processing Key Signing Requests (KSRs) and generating Signed Key Responses (SKRs), as part of executing the Root Zone KSK ceremonies.

PTI seeks a well-qualified provider to develop and maintain this new software based on provided requirements, to provide ongoing maintenance and to develop potential future enhancements. This software will help improve the efficiency and resiliency of management of the Root Zone KSK, which can also be leveraged by other DNSSEC practitioners in their operations.

For an overview of the RFP including the timeline, please click here [PDF, 182 KB]

Indications of interest should be emailed to DNSSEC.KSK.Management.Tools-RFP@icann.org. Proposals should be electronically submitted by 23:59 UTC on 10 October 2018 using ICANN’s sourcing tool. Access to the ICANN org sourcing tool may be requested via the same email above.

About ICANN

ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-09-12-en

Annual IANA Functions, DNSSEC Audits Validate ICANN Systems Controls

ICANN has completed audits of the IANA registry management systems and the Domain Name System Security Extensions (DNSSEC) services it provides. International accounting firm PricewaterhouseCoopers conducted the audits for the period of 1 December 2015 through 30 September 2016.

For the fourth consecutive year, a Service Organization Control (SOC) 2 audit of the IANA registry maintenance systems shows that ICANN has the appropriate controls in place to ensure the security, availability and processing integrity of IANA functions transactions.

For the seventh consecutive year, ICANN has achieved SOC 3 certification for its management of the DNSSEC root key signing key, which is the trust anchor of the domain name system. SOC 3 certification demonstrates that ICANN’s root key signing key processes contain appropriate security measures, and that these processes have been executed as planned. The certificate is publicly available at http://iana.org/audits.

During the period, ICANN upgraded the physical security systems of the Key Management Facilities. “Physical security is an important line of defense to protect the root key signing key,” said Elise Gerich, ICANN’s Vice President of IANA and Technical Operations. “The upgrade helped us stay SOC compliant and promotes the prevention and detection of unauthorized access.” Gerich also serves as President of Public Technical Identifiers, an affiliate of ICANN.

SOC audits evaluate an organization’s controls in relation to “trust services principles and criteria” managed by the American Institute of Certified Public Accountants.

About ICANN

ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation and a community with participants from all over the world. ICANN and its community help keep the Internet secure, stable and interoperable. It also promotes competition and develops policy for the top-level of the Internet’s naming system and facilitates the use of other unique Internet identifiers. For more information please visit: www.icann.org.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2017-03-02-en

Dutch Banks And ISPs Lag When Protecting Their .NL Domains With DNSSEC, But Government Makes Great Progress

The number of .nl (Netherlands) domain names protected by DNSSEC is approaching half (46%) of all registrations, but there are two sectors in particular that are lagging according to a recent report from the .NL registry SIDN. The banking sector with only 6% and ISPs with 22% of registrations are lagging behind other sectors when it comes to protecting domain names with DNSSEC.

A previous inventory in 2014 found that financial service providers, listed companies, government organisations and internet service providers were lagging a long way behind other sectors. Since then, the number of signed domain names in all the underperforming sectors has risen, but most remain disappointing compared with the pace-setters. Government organisations form an exception, however: they are doing much better than three years ago, rising from 11% of government websites being secured to 59% today, putting the government third in the sector league table.

Over the last two years, various new safety applications have been rolled out, which piggy-back on the DNSSEC infrastructure. As a result, DNSSEC has gone from being a technology-driven expense to being an enabler for key security applications designed to tackle phishing, spamming, spoofing and other email abuses.

In addition, the obstacles in the way of secure domain name transfers have recently been resolved. SIDN has developed a method that enables registrars all over the world to transfer domain names securely, by following a uniform procedure based on EPP (the Extensible Provisioning Protocol). Last week, the new method was formally adopted as a global standard by the Internet Engineering Task Force (IETF).

“Against that backdrop, it’s hard to think of any good reason for not implementing DNSSEC protection,” continues Meijer. “We believe that it’s now up to the big internet service providers to act. It’s really important that they get behind DNSSEC, because the protocol is only effective if ISPs commit to validating domain names’ digital signatures. Late last year, XS4ALL took the plunge and became the first national internet service provider to enable DNSSEC validation.”

For the DNSSEC Inventory 2017, SIDN analysed more than seven thousand domain names in four general sectors: financial services, the public sector, internet and telecom service providers, and listed companies. The analysis made use of the DNSSEC Portfolio Checker developed by SIDN labs.

DNSSEC involves the cryptographic protection of domain name information. It makes the internet’s ‘signpost system’ more secure and more reliable. If a domain name is secured with DNSSEC, people who want to visit the associated website are protected against being misdirected to a fraudster’s IP address. Without DNSSEC, there’s a risk that, despite entering the right domain name, people will end up on a fake site set up to trick them. DNSSEC also forms the basis for new applications, such as systems for making e-mail safer and easily sharing cryptographic keys for securing internet communications.

SGNIC introduces DNSSEC capability for .SG domain names

[news release] The Singapore Network Information Centre (SGNIC) has introduced the Domain Name System Security Extension (DNSSEC) as an optional, opt-in feature for .SG domain names. SGNIC encourages all .SG domain name registrants to enable the feature.

DNSSEC is a security feature which uses digital signatures to protect domain names from Domain Name System (DNS) spoofing attacks – i.e. attacks that redirect an Internet end-user to malicious sites rather than the intended site. It mitigates such spoofing attacks and complements other security protection mechanisms such as Secure Sockets Layer (SSL) certificates and two-factor authentication.

The DNSSEC security feature must be enabled by both .SG domain name owners and Internet Service Providers (ISPs) on their respective ends for it to work. To do so, .SG domain name owners must instruct their DNS hosting provider and domain name registrar to activate it. ISPs must also activate DNSSEC-recognition for their end-users. End-users will enjoy the same user experience, while having seamless protection.

“The Domain Name System is like the ‘phone book’ of the Internet, translating domain names to the right IP addresses of a website. DNSSEC protects the integrity of the information stored in the DNS and protects the owner of a domain name against spoofing of IP addresses. With the deployment of DNSSEC in the .SG zone, registrants who wish to provide their website visitors an additional layer of assurance can enable it on their respective .SG domain names. We encourage registrants to opt-in for DNSSEC to further secure their websites,” said Mr. Queh Ser Pheng, General Manager of SGNIC.

For more information on DNSSEC, please refer to the following link:
https://www.sgnic.sg/dnssec-faq.html

Neustar Finds DNSSEC Reflection Severe DDoS Risk

Neustar recently published research that detailed how Domain Name System Security Extensions (DNSSEC) can be subverted as an amplifier in Distributed-Denial-of-Service (DDoS) attacks.

In the research, “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us”, Neustar found that on average, DNSSEC reflection can transform an 80-byte query into a 2,313-byte response, an amplification factor of nearly 30 times, which can easily cause a network service outage during a DDoS attack, resulting in lost revenue and data breaches.

“DNSSEC emerged as a tool to combat DNS hijacking, but unfortunately, hackers have realized that the complexity of these signatures makes them ideal for overwhelming networks in a DDoS attack,” said Joe Loveless, Director Product Marketing, Security Services, Neustar. “If DNSSEC is not properly secured, it can be exploited, weaponized and ultimately used to create massive DDoS attacks.”

DNSSEC was designed to provide integrity and authentication to DNS, which it accomplishes with complex digital signatures and key exchanges. As a result, when a DNS record is transferred to DNSSEC, an extraordinary amount of additional information is created. Additionally, when issuing the DNS command, “ANY,” the amplified response from DNSSEC is exponentially larger than a normal DNS reply.

Key findings and recommendations from the research included:

  • DNSSEC Vulnerabilities Are Prolific – Neustar examined one industry with 1,349 domains and determined 1,084 of them (80 percent) could be maliciously repurposed as a DDoS attack amplifier (they were signed with DNSSEC and responded to the “ANY” command).
  • The Average DNSSEC Amplification Factor is 28.9 – Neustar tested DNSSEC vulnerabilities with an 80-byte query, which returned an average response of 2,313-bytes. The largest amplification response was 17,377-bytes, 217 times greater than the 80-byte query.
  • The Anatomy of a DNSSEC Reflection Attack – Neustar illustrates the command and control servers required to run the botnets and scripts that target DNS nameservers to execute DNSSEC amplification attacks.
  • Best Practices for Mitigation – For organizations that rely on DNSSEC, Neustar recommends ensuring that your DNS provider does not respond to “ANY” queries or has a mechanism in place to identify and prevent misuse.

“Neustar is focused on using connected sciences to connect people, places and things, which is why network security is so imperative,” said Loveless. “As more organizations adopt DNSSEC, it is critically important to understand how to secure it. The time to fix it is now.”

For more information about “DNSSEC: How Savvy DDoS Attackers Are Using Our Defenses Against Us” see:
https://hello.neustar.biz/dnssec_report_it_security_lp.html

DNSSEC: New Hardware, New Key For .DE

[news release] After five years of productive operation with DNSSEC and the preceding testbed, the time had come to replace the cryptographic hardware (Hardware Security Module, HSM) used for signing the .de zone. Since the private DNSSEC keys cannot – by definition – be read out from the HSM, the new HSM brings along new keys, this time including a new Key Signing Key (KSK). While the Zone Signing Keys (ZSK) are already being replaced every five weeks, this is the first time for us to perform a complete KSK rollover. In the future, KSK rollovers will be implemented as required.

Need for Action: None
We have performed this action applying the “Double-DS” scheme as defined in RFC 6781, which is fully transparent for the validating resolver. With this scheme, two DS records remain valid for DE in the root zone for a transition period. “Double DS” is particularly suited when replacing the KSK and the HSM at the same time because it does not need double KSK signatures.

Dreams of the Future: Elliptic Curves
We have maintained the cryptographic parameters, in particular the algorithm (RSA) and the key length (2048 bit). Even though new solutions like elliptic curves (EC) offer advantages due to significantly reduced signature length, we think it is too early to switch to this solution at the TLD level. DENIC is involved in the related discussion in the standardisation and the operative communities.

Since September 2015, DENIC supports the registration of ECDSA and GOST keys for second level domains. About 250 of the currently roughly 50,000 signed .de domains make use of this EC procedure.

Good to know:
Also for the root zone, a KSK rollover is coming up. At present we are planning an implementation that will be finished in early 2018. An update of the root trust anchor is mandatory in this context for each validating resolver. The operators of these resolvers should obtain information from ICANN in due time and carry out the necessary update, if required.

This DENIC news release was sourced from:
https://www.denic.de/en/whats-new/news/article/dnssec-new-hardware-new-key/
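
The “Double-DS” rollover described in the DENIC release above can be modelled in a few lines. The following is an added example, not DENIC's code: it builds DS records (SHA-256 digest over owner name and DNSKEY RDATA, key tag per RFC 4034 Appendix B) and checks that a validating resolver holding any mix of cached and fresh records still finds a matching DS at every step. The key bytes are constructed placeholders, algorithm number 8 (RSA/SHA-256) is an assumption, and caching is simplified to "a resolver may hold records from the previous or the current phase".

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) DNS wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_ok(owner, parent_ds_set, child_ksk):
    """The delegation validates if some DS in the parent matches the child KSK."""
    return make_ds(owner, child_ksk) in parent_ds_set

def rollover_safe(owner, phases):
    """phases: list of (parent DS set, active child KSK RDATA).

    Between adjacent phases a resolver may combine a cached or fresh DS set
    with a cached or fresh DNSKEY; every combination has to validate.
    """
    for (ds_a, key_a), (ds_b, key_b) in zip(phases, phases[1:]):
        for ds_set in (ds_a, ds_b):
            for key in (key_a, key_b):
                if not chain_ok(owner, ds_set, key):
                    return False
    return True

# Constructed sample keys: flags 257 marks a KSK; the key bytes are placeholders.
OWNER = "de."
OLD_KSK = dnskey_rdata(257, 8, b"constructed-old-ksk-material")
NEW_KSK = dnskey_rdata(257, 8, b"constructed-new-ksk-material")
OLD_DS, NEW_DS = make_ds(OWNER, OLD_KSK), make_ds(OWNER, NEW_KSK)

# Double-DS: publish the new DS first, swap the KSK, then withdraw the old DS.
DOUBLE_DS = [
    ({OLD_DS}, OLD_KSK),
    ({OLD_DS, NEW_DS}, OLD_KSK),
    ({OLD_DS, NEW_DS}, NEW_KSK),
    ({NEW_DS}, NEW_KSK),
]
# Swapping DS and KSK in one step leaves resolvers with a stale DS and a new key.
ONE_STEP = [({OLD_DS}, OLD_KSK), ({NEW_DS}, NEW_KSK)]
# Publishing the new DS and swapping the KSK at the same moment fails as well.
NO_WAIT = [({OLD_DS}, OLD_KSK), ({OLD_DS, NEW_DS}, NEW_KSK)]

if __name__ == "__main__":
    for label, plan in (("double-DS", DOUBLE_DS), ("one step", ONE_STEP),
                        ("no wait", NO_WAIT)):
        print(f"{label:10s} safe for validators: {rollover_safe(OWNER, plan)}")
```

The child zone only ever carries one KSK at a time in this model, which is why the scheme needs no double KSK signatures.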

ICANN: IANA Functions, DNSSEC Audits: ICANN Systems Have Appropriate Controls

ICANN has completed annual, third-party audits of the IANA Registry Management Systems and DNSSEC services it provides.

For the sixth consecutive year, ICANN has achieved Service Organization Control (SOC) 3 certification for its management of the Domain Name System Security Extensions (DNSSEC) Root Key Signing Key. This certification demonstrates that the processes used to modify the root key signing key, which acts as the trust anchor of the DNS, contain appropriate security measures, and that these processes have been executed as planned. The certificate is publicly available at: http://iana.org/audits.

For the third consecutive year, a SOC 2 audit of the IANA registry maintenance systems confirms that ICANN has the appropriate controls in place to ensure the security, availability and processing integrity of these systems. ICANN began undergoing SOC 2 audits in 2013.

Accounting firm PricewaterhouseCoopers conducted the audits using the Service Organization Control framework managed by the American Institute of Certified Public Accountants. The framework measures an organization’s systems against a set of “trust services principles and criteria.” Learn more: http://iana.org/audits.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2-2016-04-22-en

AusRegistry: Latest Behind The Dot Examines .AU Security And Global Cyber Threats

With internet security becoming an ever growing threat and ever more important issue, the latest issue of the quarterly Behind the Dot: State of the .au Domain [pdf] from AusRegistry examines these issues with a focus on .au (Australia).

The publication includes a few articles by yours truly on Protecting Australia’s Internet with DNSSEC and interviews with Dr Jason Smith, Technical Director at CERT Australia on Responding to a cyber incident and an interview with Robert Schischka, Technical Manager at nic.at about nic.at’s experiences implementing DNSSEC.

There are also articles on an update on .au registration numbers, malware, global domain hijacking incidents being a menace to major brands, protecting your domain from cyber threats, predictions for the .au namespace for 2016 and government and policy.

Writing on the AusRegistry website, Adrian Kinderis, CEO of AusRegistry says:

A significant tool for protecting our country’s online ecosystem has been the implementation of DNS Security Extensions, otherwise known as DNSSEC. In this edition, we’ve examined DNSSEC in detail to outline how it works and who should consider implementing it.

Online security is not, however, an issue solely for Registries. Major brands and individuals alike can and should take essential steps to ensure their data, assets and reputations are protected from online attacks. This edition of Behind the Dot contains a close look at some of the major global brands that have been threatened by hijackers; as well as some of the risks to individual domain name registrants and some tactics for addressing them.

We’ve also called upon some of Australia’s leading security experts for their tips and insights on staying safe online. CERT Australia Technical Director, Dr Jason Smith gives us his views on cyber security issues affecting critical infrastructure, while Bruce Matthews, Cyber Security Manager at the Australian Communications and Media Authority (ACMA) provides an overview of the Australian Internet Security Initiative. Finally, Robert Schischka of nic.at, the Registry for the Austrian country code Top-Level Domain, offers an international perspective on DNSSEC.

In addition, we’re delighted to have the contribution of a number of our .au Registrars in this edition, to give their predictions for the year ahead in .au and the domain name industry abroad. We look forward to continuing this inclusion of Registrars in future editions and encourage your input.

ICANN: Design Team Review of Plan for DNS Root Zone KSK Change

Brief Overview

Purpose: This public comment proceeding seeks to review the Design Team’s findings to date related to issues and plans for changing the cryptographic key used to originate the DNSSEC chain of trust.

Current Status: The Design Team has generated a preliminary report and will accept wider review.

Next Steps: After the public comment proceeding, the Design Team will finalize its report and plan for changing the cryptographic key.

Section I: Description, Explanation, and Purpose

A design team consisting of seven independent DNS experts has produced a report examining previously proposed schemes for changing the DNSSEC root zone KSK, along with considerations related to Internet realities, in preparation for finalizing plans to change the current Root Zone KSK.

Section II: Background

In 2010, the Root Zone Management Partners (ICANN, Verisign, and NTIA) introduced the DNS Security Extensions to the operational root zone. After five years of operation, there is a requirement to change the top most cryptographic key in the hierarchy, the key called the Root Zone Key Signing Key. The challenge is to ensure that all copies of the publicly distributed key are updated to prevent disruption to DNSSEC protection of the DNS.

Section III: Relevant Resources

This ICANN announcement was sourced from:
https://www.icann.org/public-comments/root-ksk-2015-08-06-en