Tag Archives: Domain Name System Security Extensions

ICANN: Design Team Review of Plan for DNS Root Zone KSK Change

Brief Overview

Purpose: This public comment proceeding seeks to review the Design Team’s findings to date related to issues and plans for changing the cryptographic key used to originate the DNSSEC chain of trust.

Current Status: The Design Team has generated a preliminary report and will accept wider review.

Next Steps: After the public comment proceeding, the Design Team will finalize its report and plan for changing the cryptographic key.

Section I: Description, Explanation, and Purpose

A design team consisting of seven independent DNS experts has produced a report examining previously proposed schemes for changing the DNSSEC root zone KSK, along with considerations related to Internet realities, in preparation for finalizing plans to change the current Root Zone KSK.

Section II: Background

In 2010, the Root Zone Management Partners (ICANN, Verisign, and NTIA) introduced the DNS Security Extensions to the operational root zone. After five years of operation, there is a requirement to change the topmost cryptographic key in the hierarchy, the key called the Root Zone Key Signing Key. The challenge is to ensure that all copies of the publicly distributed key are updated to prevent disruption to DNSSEC protection of the DNS.

Section III: Relevant Resources

This ICANN announcement was sourced from:

ICANN Successfully Completes Two Independently Conducted Service Organization Control Audits

ICANN today announced that it has achieved the Service Organization Control (SOC) 3 certification, formerly known as Systrust, of its Domain Name System Security Extensions (DNSSEC) Root Key Signing Key systems for the fifth consecutive year.
The organization also successfully completed its second SOC 2 audit, which evaluates key systems used to support IANA transaction processing functions. International accounting firm PricewaterhouseCoopers (PwC) conducted both audits.

“Annual independent audits represent one of a number of ways ICANN is striving to measure business excellence and enhance accountability,” said Elise Gerich, ICANN’s vice president of IANA & technical services. “We are committed to delivering a high standard of work and a program of continuous improvement in all areas of operation.”

Read the blog post about ICANN’s commitment to continuous improvement and enhancing accountability mechanisms in relation to the IANA functions.

About SOC Audits

SOC audits evaluate an organization’s controls in relation to “trust services principles and criteria” developed and managed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Learn more: iana.org/audits.


ICANN’s mission is to ensure a stable, secure and unified global Internet. To reach another person on the Internet you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet. ICANN was formed in 1998. It is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers. ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its coordination role of the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet. For more information please visit: www.icann.org

This ICANN announcement was sourced from:

Norwegian DNS Becomes More Secure

[news release] From 9 December Norwegian domain names can be secured with DNSSEC. This means that an end user can know for sure that he arrives at the correct web page when he looks up a domain name.

DNSSEC (DNS Security Extensions) is a security extension to the domain name system (DNS). DNSSEC-protected domains are cryptographically signed, and this makes it possible to check that the reply to a domain lookup comes from the correct source of origin, and that the lookup remains unchanged. The purpose is, among other things, to prevent a scammer from falsifying an answer in order to send an end user to a fake web page.

In addition to making it more secure to use domain names, extensive use of DNSSEC in the domain name system will prepare the ground for new services that have to trust safety critical data in DNS.

– DNSSEC increases the security, but at the same time it demands more competence from the people running the name service for a domain. We still think that the technology now is mature enough to be used as an upgrade of the infrastructure, says Hilde Thunem, Managing Director in Norid.

Norid is now offering DNSSEC, and encourages registrars to use the service, but the mechanism will not be activated automatically for all Norwegian domains. So far 16 registrars offer DNSSEC.

This Norid news release was sourced from:

European ccTLD Registries Address Security Issues With ISO27001: CENTR News

Security is an ongoing issue for the domain name system and TLD registries are at the forefront of dealing with it.

So in 2011 CENTR, on its members’ request, created a Security Working Group for ccTLDs to share security best practices and discuss ways to mitigate security risks, the latest CENTR News highlights.

At a recent workshop in Brussels, for the second time, a workshop was dedicated to one topic only: the ISO 27001 security standard.

“Over the past few years I got a lot of questions from colleagues from other ccTLDs about ISO 27001,” Bert ten Brinke, Security Officer with SIDN, Chair of the CENTR Security working group and expert in the field of ISO 27001 told CENTR News. “After a short inventory, the idea was born to organise a workshop completely focused on ISO 27001.”

“ISO forces you to build a process to deal with security risks within and around your organisation and its core tasks,” reported CENTR News. “When everyone involved starts to operate according to this process an organisation’s security will become less dependent on individual employees. Bert ten Brinke feels this is the main reason why ISO 27001 increases the chance of a better secured registry.”

“There are alternative standards that can be useful for ccTLDs and it’s of course possible to build your own processes and follow your own standards. But by doing so, you’ll risk having to explain your standard over and over again. Official standards don’t have that issue. They are already accepted and used by a whole community.

“For companies there are a lot of security standards which can be used. Examples are: the American COBIT (Control Objectives for Information and Related Technology), which is an IT governance framework that addresses every aspect of IT and the originally British ISO 27001 (International Organization for Standardization). COBIT lays more focus on Risk Management and according to Bert ten Brinke it is more difficult to implement than the ISO27001 standard.”

“It is important to build a standard according to your organisation and not the other way around”. This is Bert’s main advice for ccTLDs that are considering implementing systematic security processes by means of an official standard. Furthermore, in order to start implementing security processes in a successful way the full support of the CEO or Managing Director is crucial.

“An ISO certificate is an engagement for the future. When you are certified ISO27001 for the first time this is only the beginning. Each year you have to prove that you are ‘worth’ the certificate and after three years, you have to recertify. For most companies it’s a never-ending circle of security improvement.”

One registry to recently acquire ISO27001 certification was nic.at, the registry for .at domain names. The announcement was made at the recent Domain Pulse conference held in Salzburg, Austria, and Richard Wein, General Manager, said the certification was proof of the registry’s dedication to security of .at domain names.

Elsewhere in the February 2014 edition of CENTR News, there are articles on CENTR preparations for the next Internet Governance Forum meeting to be held in Istanbul in September. There is also an update on DNSSEC in Europe, which shows that two-thirds (67%) of registries have implemented the security standard and a quarter (26%) are planning its implementation, according to a survey of 26 ccTLD registries.

Plus there is a Q&A with Nominet Brand Manager Becky Bradburn and a European ccTLD update.

To download the latest CENTR News, go to https://centr.org/news/european-cctld-news-february-2014.

.EE Registry Price Reduced 20%

The Estonian Internet Foundation will lower the price of a .ee domain by 20% from 1 January 2014, i.e. down to €12.

.ee domains can be registered for one, two or three years. The domain fee is €12, €23 or €33 in 2014, depending on the length of the registration period.

These are the domain registration prices that the Estonian Internet Foundation will charge registrars. The price for the registrant is determined by the registrars. VAT will be added to the fee.

From the beginning of January, protection with the DNSSEC security extension will be available for .ee domains. DNSSEC protects Internet users and domain owners, offering them a guarantee that the user has not been unknowingly redirected from the requested homepage to another page. The Estonian Internet Foundation will not apply additional charges to this service. More information about DNSSEC can be found on the Foundation’s homepage at www.internet.ee.

This Estonian Internet Foundation news release was sourced from: www.internet.ee/en/

Six More ccTLDs Signed With DNSSEC

They may only be some of the smaller ccTLDs around the world, but six more have been signed with DNSSEC and now have DS records in the root zone, according to a post on the ISOC website.

This means that people and businesses with domains registered in these ccTLDs can now receive the higher level of security possible with DNSSEC. The ccTLDs are:

The post notes that for registrants with a domain registered in those ccTLDs, their registrar should now be able to pass the required DS record up to the ccTLD registry.

As the ISOC post notes, congratulations to Garth Miller and the teams associated with the various TLDs for making these signed TLDs happen. As per ICANN’s TLD Report, 111 out of 318 TLDs are now signed, which is excellent progress.

ISOC Collaborates with Shinkuro and Parsons to Promote Global Deployment of DNSSEC

[news release] The Internet Society today announced it has signed a Memorandum of Understanding with Shinkuro and Parsons to collaborate on multiple initiatives to promote the global deployment of Domain Name System Security Extensions (DNSSEC).

Few technologies are more critical to the operation of the Internet than the DNS, and DNSSEC provides a way to ensure online connections are with the correct website or service. The Internet Society Deploy360 Programme, www.internetsociety.org/deploy360/, provides deployment information and resources for key Internet technologies such as DNSSEC, IPv6, and Routing Resiliency and Security. Shinkuro and Parsons—which acquired SPARTA, Inc., a leading provider of advanced systems engineering, cybersecurity, and mission support services in November 2011—have been working together with other groups as the DNSSEC Deployment Initiative with funding from the U.S. Department of Homeland Security Science and Technology Directorate.

The Internet Society’s Deploy360 Programme and the DNSSEC Deployment Initiative have collaborated in the past, and this MOU is a formal endorsement of their cooperative arrangement.  By joining forces, these organizations will share expertise and maximize efforts to encourage a greater understanding of DNSSEC and its importance to the future of the Internet.  Joint activities include DNSSEC educational and awareness programmes, development and support for tools to facilitate global deployment and operation of DNSSEC, and participation in DNSSEC events worldwide.

“We are delighted to be working with the teams at Shinkuro and Parsons to increase awareness of DNSSEC and support its deployment,” said Leslie Daigle, Chief Internet Technology Officer, Internet Society.  “The Internet needs the trust layer that DNSSEC can provide and by bringing the community together in an open, multi-stakeholder way we will be able to help make this happen. We look forward to moving ahead on our joint initiatives.”

“Shinkuro is excited the Internet Society is lending its weight and prestige to foster full deployment and use of DNSSEC,” said Steve Crocker, Shinkuro’s CEO.

“Parsons, a leader in DNSSEC research and development, is pleased to join forces with the Internet Society to promote expanded use of this important technology,” stated Mary Ann Hopkins, Parsons Group President. “Internet security is a global issue and requires significant cooperation and coordination.”

About the Internet Society
The Internet Society is the trusted independent source for Internet information and thought leadership around the world. With its principled vision and substantial technological foundation, the Internet Society promotes open dialogue on Internet policy, technology, and future development among users, companies, governments, and other organizations. Working with its members and chapters around the world, the Internet Society enables the continued evolution and growth of the Internet for everyone. For more information, visit www.internetsociety.org.

About the DNSSEC Deployment Initiative
The DNSSEC Deployment Initiative is jointly led by teams from Shinkuro and Parsons in collaboration with the Advanced Network Technologies Division of NIST. It is funded by the U.S. Department of Homeland Security Science and Technology Directorate under an Interagency Agreement with the Air Force Research Laboratory. For more information, visit www.dnssec-deployment.org.

About Shinkuro
Shinkuro is a U.S.-based research and development company focused on Internet security and collaboration technology for sharing information across organizational boundaries. For more information, visit www.shinkuro.com.

About Parsons
Parsons, celebrating nearly 70 years of growth in the engineering, construction, technical, cyber, and professional services industries, is a leader in many diversified markets with a focus on transportation, environmental/infrastructure, defense/security, and resources. For more about Parsons, please visit www.parsons.com.

About Department of Homeland Security Science and Technology Directorate
The Department of Homeland Security Science and Technology Directorate’s mission is to support basic and applied homeland security research to promote revolutionary changes in technologies; advance the development, testing, evaluation, and deployment of critical homeland security technologies; and accelerate the prototyping and deployment of technologies that address homeland security vulnerabilities across the Homeland Security Enterprise.

This ISOC news release was sourced from:

Last Contractual Hurdle Cleared in New gTLDs Introduction With Board Approving Registry Agreement

The ICANN New gTLD Program Committee of the ICANN Board of Directors has approved the 2013 Registry Agreement (RA), meaning the introduction of new generic Top Level Domains has moved a step closer.

“New gTLDs are now on the home stretch,” said Chris Disspain, a member of ICANN’s New gTLD Program Committee, in a statement. “This new Registry Agreement means we’ve cleared one of the last hurdles for those gTLD applicants who are approved and eagerly nearing that point where their names will go online.”

Among the key points in the new Registry Agreement:

  • Includes a Trademark Clearinghouse that will serve as a one-stop shop where trademark holders can protect their rights.
  • Provides for a process for a rapid, efficient way to take down infringing domain names.
  • Provides a procedure where trademark rights holders can assert claims directly against a registry operator for domain name abuse if that operator has played an active role in the abuse.
  • Requires registry operators to have a single point of contact responsible for handling abuse complaints.

“We’re getting to the point now where new gTLD applicants can see the finish line,” said Akram Atallah, President of ICANN’s Generic Domains Division. “Much like the 2013 Registrar Accreditation Agreement approved by the Board last week, this new Registry Agreement is the culmination of input from a wide range of stakeholders and marks a dramatic improvement over the previous baseline agreement.”

The New gTLD Registry Agreement is intended to enhance the security and stability of the Domain Name System while bolstering competition in the domain name industry. The security provisions include:

  • A requirement that registry operators implement Domain Name System Security Extensions (DNSSEC), reducing so-called “man-in-the-middle” attacks and spoofed DNS records.
  • A requirement of enhanced WHOIS service at the registry level with a common interface, and more rapid search capabilities, facilitating efficient resolution of malicious activities.

“This isn’t just a gradual step forward,” said Atallah. “This is a major move that translates to far greater security protections.”

ccTLD Updates for .xxx, .pw, .ru, .fr, .nl, .ee, .vn, .be, .no

“What has really happened as a result of .XXX?” one year on from its launch is the focus of an article on Xbiz.

The article notes that “among other things, new sites have come to market, new companies have formed to capitalise on new opportunities in the adult space and a level of accountability and oversight added to an industry that has long shunned supervision of any sort — while the majority of trademark disputes have been swiftly resolved in favour of the legitimate rights holders.”

And it notes that ICM Registry’s Stuart Lawley claims .XXX “has comfortably exceeded the company’s sales expectations — based on the figures it communicated back in 2003 and 2004 in its original application to ICANN.” ICM also believes renewal rates will be high, even though the first anniversary is not quite here.

The .pw ccTLD is relaunching, branded as ‘the Professional Web’, with the new registry opening up a 68-day sunrise programme as of 3 December. The sunrise offers some unique features aimed at reducing overhead for brand-owners.

A guest posting on DomainNameNews from Kate Moran of TM.Biz, .pw’s trademark validation agent, looked at trademark validation for .PW. Unsurprisingly the posting considers .pw a leader, saying “the .pw registry is proposing to protect not only exact matches, but also any domain containing the trademark, misspellings, abbreviations and language translations of the validated trademark. The trademark validation agent, TM.Biz is coupling these rules with automated searches of 70 trademark databases.”

On 4 December, the Coordination Center for TLD RU/РФ and the Technical Center of Internet generated DNSSEC keys for .RU, one of the two Russian national domains. A formal event signified the first phase of signing .RU with DNSSEC, with all works expected to be finalised by the end of December 2012.

The .FR registry, Afnic, has released their December 2012 Domain Name Industry. The latest report looks at the growth rate for IPv6-compatible .fr domain names. In the report Afnic focuses on the success rate of Syreli claims in relation to the age of the domain name. Everything suggests that rights-holders are reactive and quickly intervene to enforce their rights via the Syreli procedure. The full report is available from the Afnic website.

SIDN, the .nl registry, has published their final report of the 2012 Domain Name Debate. The debate examined issues such as availability of registrants’ details from Whois and drop catching. The final report is available on the SIDN website.

The price to registrars of .ee domain names will be cut by 11.8 percent on 1 March 2013, which will see the price cut from €17 to €15. Maximum registration periods will also be extended with options of two and three years.

Registrations of .vn domain names hit 225,970 in the third quarter of 2012 according to VNNIC’s white paper on Vietnam’s internet.

Alternative Dispute Resolution celebrated its tenth birthday on 12 December, the .be registry dns.be announced. To mark the occasion, Cepina (the Belgian Centre for Arbitration and Mediation) organised a symposium in conjunction with DNS.be.

Norid, the registry for .no domain names, is again receiving reports about a company that tries to force Norwegian companies to buy domain names. The service is said to be offered to protect a company name or brand.

The issue may be a proposal to register a domain name within other top level domains, such as .com or .as, or they may suggest registering the domain name in different spellings, for instance with and without a hyphen. The company that offers services like this often tells a story about other actors interested in buying the domain name, and says that they need a quick decision.