Tag Archives: Domain Name System Security Extensions

FCCN To Hold .PT DNSSEC Workshops

The Foundation for National Scientific Computing (FCCN), the .PT manager, is organising a series of DNSSEC workshops between 14 September and 16 November.

The workshops will be aimed at sectors such as banking, public administration and judicial bodies, which stand to benefit from the introduction of DNSSEC, and will aim to promote and inform about the importance of DNSSEC in ensuring the integrity and security of data on the internet.

For more information in Portuguese, see the DNS.PT website here.

To register your .PT domain name, check out Europe Registry here.

ICANN Security Chief Urges Widespread Adoption of DNSSEC: Jeff Moss Addresses Black Hat Technical Security Conference

Jeff Moss, ICANN’s Vice President and Chief Security Officer, told the Black Hat Technical Security conference in Las Vegas that now is the time for corporations and organizations to embrace DNSSEC (Domain Name System Security Extensions).

“If you only call us after the house is on fire, you have very few options,” Moss told the conference in emphasizing the need for business to prioritize online security, including adoption of DNSSEC.

“If you don’t have a corporate policy or strategy to sign your zone, you should,” said Moss, who is the founder of the Black Hat conference. “You’re not only going to be helping your own organization, you’re going to be helping the rest of the Internet.”

DNSSEC helps to assure that Internet users end up at the Internet site to which they intended to navigate and minimizes the ability of cyber-criminals to misdirect them to bogus sites.

Moss called the adoption of DNSSEC by the vast majority of the Internet’s top-level domains (TLDs) a “foundational upgrade” for the Internet.

“Once we get enough critical mass with signed zones then the whole Internet starts to get the benefit of this technology,” said Moss.

Moss was named ICANN’s Chief Security Officer in April. Throughout his career, the self-proclaimed hacker of more than 20 years has used his skills and understanding of the hacking community and its methods to help organizations secure their global networks. He currently serves as a member of the U.S. Department of Homeland Security Advisory Council and is a member of the Council on Foreign Relations.

###

To download a high-resolution picture of Jeff Moss go here: www.flickr.com/photos/icann/5659434198/sizes/l/in/photostream/

To learn more about DNSSEC go here: www.icann.org/en/announcements/dnssec-qaa-09oct08-en.htm

This ICANN news release was sourced from:

Nominet Launches .UK DNSSEC Pilot

Nominet have introduced a free pilot DNSSEC Signing Service to simplify the signing of zones and help encourage the introduction of the improved security measure in the .UK ccTLD.

This new product from Nominet allows registrars to hand over the process of DNSSEC-signing their zones to Nominet. The service reduces the technical barriers to DNSSEC deployment by registrars. It allows registrars to quickly and easily start offering DNSSEC as a security product to their customers with very few overheads and without significant and costly infrastructure development.

Nominet’s signing service is an alternative approach to DNSSEC management that, with a much lower infrastructure investment, allows registrars to sign zones. Nominet will generate and manage DNSSEC keys and DS records and publish them to nameservers and parent zones respectively, allowing registrars to sign zones in a quick and simple way.

The pilot service is free; however, Nominet say they intend to introduce charges for using the service in January 2013. The fee will be ten per cent of the registration cost which, based on the current registration prices, will be £0.50 (plus VAT) per domain name for two years.

Nominet have provided information on how the DNSSEC Signing Service works here.

To register your .UK domain name, check out Europe Registry here.

ICANN, Swiss Registry, Others Improve Security For Internet Users

A collaboration between ICANN, the Swiss domain name registry SWITCH, Packet Clearing House, the Infocomm Development Authority of Singapore (IDA) and the National University of Singapore (NUS) came together last week at the ICANN meeting in Singapore to inaugurate the first of three hardened facilities to bring about extra security for global internet users.

The new facility will provide secure digital signatures for the country-code top level domains of dozens of countries. The first three new facilities are located in Singapore; Zurich (still under construction) and San Jose, California. The facilities provide cryptographic security using the recently deployed Domain Name System Security (DNSSEC) protocol.

“One of ICANN’s core missions is to enhance the security and stability of the Internet’s Domain Name System. This new DNSSEC facility in Singapore helps us do just that,” said Rod Beckstrom, President and Chief Executive Officer of ICANN. “The bottom line is that this centre and the two others like it will give billions of internet users the confidence to know that they have ended up at the web site they intended to reach, reducing the risk that they have been misdirected to a different site by cyber criminals.”

The implementation of a more secure internet will bring about more than just giving internet users more trust. It will see, for example, web browsers and email gain an additional level of security. On trust, it will mean much more confidence for internet users when they interact online.

“Businesspeople, governments, and regular Internet users have been demanding secure domain names for more than ten years, and I’m really happy to have finally built a system that delivers that, and delivers it globally, to any country that wants it, at no cost,” said Packet Clearing House’s research director, Bill Woodcock. “DNSSEC was an obvious next step for our global anycast DNS service network, since we already provide service to more than eighty countries.”

The Swiss registry, like the other three locations, was selected because Switzerland is viewed as a stable and secure country. Additionally, Switzerland and Singapore benefited from their history of neutrality.

Simon Leinen, network engineer at SWITCH, is delighted that PCH has selected Zurich as a server location. “The decision in favour of Zurich is based on the excellent, longstanding cooperation between PCH and SWITCH. PCH has been running a number of the name servers responsible for .ch and .li throughout the world.”

The locations are spread out geographically in case of a disaster. A diverse selection of countries was chosen in case one country did not necessarily trust one of those chosen.

Mr Leong Keng Thai, Deputy Chief-Executive and Director-General of Telecoms & Post, IDA, said, “We are honoured that PCH, with the support of ICANN, has decided to host the Asia node of the DNSSEC platform here in Singapore. The facility will assist other countries to secure their DNS, and its location here further affirms Singapore as a secure and trusted hub.”

Since its standardisation by the Internet Engineering Task Force (IETF), the DNSSEC protocol has been adopted by many top-level domains (TLDs) to form a secure chain of trust within the domain name system.

So far this year, several major TLDs, including the German ccTLD .DE, as well as .COM and .NET, have already secured their own domains by generating cryptographic keys, which are used in the DNSSEC system to electronically “sign” the domains, authenticating them to the internet users who access the web sites, email, and other internet resources the signed domains contain.

Although people browsing the internet often take it for granted that the sites they visit are created and operated by their purported owners, it is possible for criminals with knowledge of the internet’s addressing system to create counterfeit websites that look like the real thing but capture users’ private information. DNSSEC guards against this cyber threat.

PCH’s DNSSEC facilities will allow many additional countries to immediately gain the benefits of DNSSEC protection for their country code TLDs without needing to build and maintain their own million-dollar security facilities. During an elaborate “key-signing” ceremony on the opening day of the ICANN meeting (Monday 20 June), cryptographic master keys were created for Tanzania, Uganda, Afghanistan, and ten other countries that have already chosen to use the system.

For more information see a New York Times article that interviews, in part, internet security researcher Dan Kaminsky at www.nytimes.com/2011/06/25/science/25trust.html.

An ICANN news release of the announcement is available at www.icann.org/en/news/releases/release-22jun11-en.pdf.

ICANN Advisory: News Conference to Inaugurate Cyber Security Facility in Singapore

Prominent Internet organizations and the Singapore Government will answer journalists’ questions about the inauguration of a Singapore facility that will become the first of three hardened facilities that will bring an extra measure of security to Internet users around the globe.

Packet Clearing House (PCH) and ICANN will join the Singapore government at the news conference.

The three new facilities, located in Singapore; Zurich, Switzerland (still under construction) and San Jose, California, will provide cryptographic security using the recently deployed Domain Name System Security (DNSSEC) protocol. Internet users in each country that adopts the new service will be assured of the authenticity of the websites they visit and the email addresses they use.

Here are the details:

WHAT: News Conference

WHO: Representatives of ICANN, Packet Clearing House (PCH), Infocomm Development Authority of Singapore (IDA) and the National University of Singapore (NUS).

WHEN: Wednesday, 22 June 2011, 1430-1530 Singapore (0530-0630 UTC).

WHERE: Swissôtel The Stamford, Moor Room, 2 Stamford Road, Singapore.

OFF-SITE ACCESS: Journalists from around the world can participate in the news conference via remote access.

A live video webcast may be accessed at icann.adobeconnect.com/sin41-press.

NEWS CONFERENCE RECORDING: As soon after the news conference as possible, a recording of the event will be posted to www.icann.org/en/press/

This ICANN announcement was sourced from:

DENIC Launching DNSSEC For .DE

[news release] On 31 May 2011, the German registry DENIC took the last step required to launch DNSSEC for .de: The .de zone now contains the final public key, which is suited for validation.
Moreover, DENIC has submitted to the Internet Assigned Numbers Authority (IANA) the so-called DS record for publication in the root zone. The DS record refers to the public key for .de and is a mandatory prerequisite for validating DNSSEC-signed domains. It will probably become visible in the root zone by mid-June and from then on allow validation of signed .de domains all across the Internet.

Signing of a domain can be carried out either through the web or domain service provider or by the domain holders themselves. If signing is performed by one of these service providers – which may be an optional service – this provider is also responsible for generating the keys, signing the zone data, carrying out re-signing before signatures expire, and for changing the keys at the required intervals. Domain holders who want to protect their domains with DNSSEC can do this from now on. They are kindly requested to contact their registrar, who will also register the keys with DENIC.

To be able to benefit from DNSSEC as an Internet user you need a validating resolver that is capable of interpreting the additional information supplied by DNSSEC. If you do not operate a validating resolver yourself, your Internet service provider (ISP) will normally operate such a resolver for you. When you visit a website, the operating system installed on the computer automatically directs the DNS query to the DNS server defined by the respective ISP. That server will validate data authenticity.

Operators of validating resolvers do not need to configure a trust anchor for .de in addition to the one used for the root zone. It is not recommended either, since such a configuration might lead to later key rollovers not being noticed. This, in turn, might entail validation errors and failures.

You will find detailed information about DNSSEC on our website at www.denic.de/en/domains/dnssec.html.


Domain Name System Security Extensions (DNSSEC) are extensions of the DNS (Domain Name System) whose purpose is to close security holes in the Internet, such as cache poisoning and DNS spoofing.

DNSSEC provides security by data origin authentication, i.e. by securing the path between the DNS servers and the validating DNS clients, with intermediate resolvers and their caches being included in the security perimeter. The signature which was applied reveals whether the data were actually generated by a source entitled to do so. At the same time, securing data integrity protects against DNS data that was manipulated on the way. However, DNSSEC does not guarantee the correctness of the initially stored data. Neither will it protect against domain hijacking or manipulations during the registration process.

DNSSEC verifies DNS replies by means of cryptographically secured signatures. These signatures are computed from the DNS data to be protected and are transferred to the client together with the data. Response verification is executed in the client or in the upstream resolver by means of a check against the public keys valid for the respective zone. These keys, in turn, are easily stored in and retrieved from the DNS. This procedure itself is secured by DNSSEC and is thus not subject to the aforementioned security threats; only the key required to start the chain of trust (i.e. the key of the root zone) is permanently stored in the client or its configuration data.
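The parent-to-child link that the release describes (DENIC submits a DS record derived from the .de public key to IANA; a registrar submits a DS for a signed .de domain to DENIC; a validator checks each zone's DNSKEY against the DS its parent published, starting from the one configured root trust anchor) as an added worked example. This is not DENIC's or any registry's code: it follows RFC 4034 for the DNSKEY wire format, key tag and DS digest, but every key, the "trust anchor" and the hypothetical zone example.de are constructed sample data, and RRSIG verification of the actual records is deliberately left out so that only the DS link is shown.

```python
import hashlib

# All key material below is constructed for illustration; it is not the real
# root or .de KSK, and the hypothetical zone example.de is just a sample name.
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (a single zero octet)."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 octets")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags(2) | protocol(1) | algorithm(1) | public key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]])
            + key["public_key"])

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum used to pick the right
    DNSKEY out of a zone's key set; it is an identifier, not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(key: dict, digest_type: int = 2) -> dict:
    """The DS record a parent zone publishes for a child's KSK (RFC 4034 s5.1.4):
    digest = H(canonical owner name | DNSKEY RDATA). This is what DENIC sends
    to IANA for .de, and what a registrar sends to DENIC for a signed .de zone."""
    rdata = dnskey_rdata(key)
    digest = DS_DIGEST_ALGS[digest_type](owner_to_wire(key["owner"]) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": digest}

def ds_matches_dnskey(ds: dict, key: dict) -> bool:
    """Validator-side check: does the DNSKEY served by the child hash to the DS
    the parent published? Any change to the key (or its owner) breaks the match."""
    if ds["algorithm"] != key["algorithm"] or ds["digest_type"] not in DS_DIGEST_ALGS:
        return False
    candidate = make_ds(key, ds["digest_type"])
    return candidate["key_tag"] == ds["key_tag"] and candidate["digest"] == ds["digest"]

def validate_chain(trust_anchor: dict, zones: list) -> list:
    """Walk the chain of trust top-down. `trust_anchor` is the DS form of the only
    key the validator is configured with (the root key); `zones` is a list of
    (dnskey, ds_this_zone_publishes_for_the_next_zone_or_None), root first.
    Returns the zone names that validated; the walk stops at the first broken link.
    RRSIG verification of the records themselves is out of scope here."""
    validated = []
    expected_ds = trust_anchor
    for key, child_ds in zones:
        if not ds_matches_dnskey(expected_ds, key):
            break
        validated.append(key["owner"])
        if child_ds is None:
            break
        expected_ds = child_ds
    return validated

def _ksk(owner: str, public_key: bytes) -> dict:
    # flags 257 = Zone Key + Secure Entry Point (a KSK); protocol is always 3;
    # algorithm 8 is RSA/SHA-256, but the key bytes are fake sample data.
    return {"owner": owner, "flags": 257, "protocol": 3, "algorithm": 8,
            "public_key": public_key}

# Constructed sample keys for the root, .de and the hypothetical example.de zone.
ROOT_KSK = _ksk(".", bytes([0x0A, 0x0B, 0x0C]))
DE_KSK = _ksk("de.", bytes([0x01, 0x02, 0x03, 0x04]))
EXAMPLE_KSK = _ksk("example.de.", bytes([0xDE, 0xAD, 0xBE, 0xEF]))

# The resolver's single configured trust anchor (root); no extra anchor for .de.
ROOT_ANCHOR = make_ds(ROOT_KSK)
CHAIN = [(ROOT_KSK, make_ds(DE_KSK)), (DE_KSK, make_ds(EXAMPLE_KSK)), (EXAMPLE_KSK, None)]
# Same chain, but example.de serves a key its parent never vouched for (e.g. a
# rollover whose new DS was never submitted): validation must stop at "de.".
ROGUE_KSK = _ksk("example.de.", bytes([0xDE, 0xAD, 0xBE, 0xEE]))
TAMPERED_CHAIN = [(ROOT_KSK, make_ds(DE_KSK)), (DE_KSK, make_ds(EXAMPLE_KSK)), (ROGUE_KSK, None)]

if __name__ == "__main__":
    print("DS for de. (sample):", make_ds(DE_KSK))
    print("validated:", validate_chain(ROOT_ANCHOR, CHAIN))
    print("validated with unvouched key:", validate_chain(ROOT_ANCHOR, TAMPERED_CHAIN))
```

The second chain is the failure mode the release's trust-anchor advice is about: a validator only ever needs the root anchor, because every lower key is vouched for by a DS one level up, and a key that has no matching DS in its parent (for instance after a rollover whose new DS was never registered) simply fails to validate at that point.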

DNSSEC is one component to make operation of the DNS – a crucial aspect of the Internet – more secure by protecting the DNS against data manipulation and spoofing.


As the central registry, DENIC administers the now more than 14 million domains under the Top Level Domain .de and thus provides a crucial resource for users of the Internet. It sees its role as that of a competent, impartial provider of services for all domain holders and Internet users. With more than 120 employees, DENIC creates the foundation through its work for German Internet pages and e-mail addresses to be accessible throughout the world. The roughly 270 members of the Cooperative are IT or telecommunications businesses based in Germany and elsewhere. Working in cooperation with them and other partners, DENIC is committed to guaranteeing the secure operation of the Internet and its further worldwide development as a not-for-profit organization.

It operates the automatic electronic registration system for its members, runs the domain database for the Top Level Domain .de and the German ENUM domain (.9.4.e164.arpa), manages the name server services for the .de zone at currently 16 locations distributed throughout the world, and renders a considerable contribution to the further organizational and technical development of the Internet in cooperation with international bodies (e.g. ICANN, CENTR, IETF).

This DENIC news release was sourced from:

To register your .DE domain name, check out Europe Registry here.

DNSSEC Opened To Registrars In Final Step to Deployment

On 19 April, AFNIC opened DNSSEC to all its registrars. Now registrars will be able to use their automated EPP or Extranet interface to communicate signature elements concerning domain names to AFNIC.

This will ensure the security of domain names by activating an authentication chain. This is the final step of the deployment of DNSSEC which AFNIC started last September by signing the .FR and .RE TLDs.

After 19 April, registrars will be able to ask AFNIC for domain names to be secured with DNSSEC. This crucial step secures the authentication chain. In particular, DNSSEC prevents attacks by cache poisoning, i.e. attacks which aim to capture and divert queries without users realising it, with the risk that users may disclose personal data in the belief that they are on the legitimate site of the attack victim.

With its expertise in DNSSEC, AFNIC will now seek to propagate its know-how.

For more information on .FR, see the AFNIC website at www.afnic.fr.

To register your .FR domain name, check out Europe Registry here.

ICANN: Deployment of DNSSEC in the Root Zone: Impact Analysis

In 2010 ICANN commissioned a study from DNS-OARC to examine the impact of DNSSEC deployment in the root zone, and in particular the effects on clients from the large DNS responses resulting from the use of a Deliberately Unvalidatable Root Zone (DURZ).

The DNS-OARC study drew upon the results of a coordinated data collection exercise by root server operators, with each data collection window timed to coincide with a transition by one or more root servers [TXT, 28 KB] from serving an unsigned root zone to serving the DURZ.

ICANN is publishing this report in order to share its findings with the wider DNS community.

The conclusion of the DNS-OARC study is included below.

The average message size of UDP-based DNS response size grew by about 40%, from 405 to 569 octets. The largest observed responses were just over 900 octets.

There is evidence that the introduction of the DURZ resulted in an increase in the number of query retries for some types of query, but it is unclear whether this corresponds to clients with path MTU issues or is simply path MTU discovery at work. The apparent absence of any problem reports strongly suggests the latter.

The number of TCP-based DNS queries to the root servers increased by approximately 1333%, from 30 per second prior to the introduction of the DURZ to around 400 per second afterwards. However, TCP-based queries, which were a minuscule 0.02% of total query traffic before the DURZ, were still only 0.17% of it afterwards. While 400 TCP connections per second may seem high, it is small relative to available capacity, particularly as the root servers comprise approximately 300 individual nodes. The number of clients using TCP for DNS queries rose by over 1800% from around 1600 distinct sources per hour to nearly 30,000. This is still a tiny fraction of all DNS clients.

Deployment of DNSSEC in the Root Zone: Impact Analysis [PDF, 799 KB]

This ICANN announcement was sourced from:

Verisign Achieves Critical DNSSEC Milestone by Deploying Security Extensions in .COM TLD

[news release] VeriSign, Inc., the trusted provider of Internet infrastructure services for the networked world, announced today that .com — the Internet’s largest domain with more than 90 million domain name registrations worldwide — now supports DNS Security Extensions (DNSSEC).

Deploying DNSSEC in the .com domain signals that Verisign has achieved a critical milestone in improving the integrity of Internet communications and the security of Domain Name System (DNS) transactions. This achievement comes after years of close and careful collaboration between Verisign, the Internet Corporation for Assigned Names and Numbers (ICANN) and a variety of Internet stakeholders, from registrars and Internet Service Providers (ISPs) to hardware and software vendors.

“By reaching this critical milestone in DNSSEC deployment, Verisign and the Internet community have made enormous strides in protecting the integrity of DNS data,” said Pat Kane, senior vice president and general manager of Naming Services at Verisign. “But the threats against the Internet ecosystem — whether targeting the DNS or elsewhere — are unrelenting. That’s why Verisign continually invests to ensure the security and availability of the Internet infrastructure.”

DNSSEC helps close a known vulnerability within the DNS that has increasingly become a target for hackers and identity thieves. The security extensions apply digital signatures to DNS data to authenticate the data’s origin and verify its integrity as it moves throughout the Internet. The extensions are designed to protect the DNS from man-in-the-middle attacks that corrupt DNS data stored on recursive name servers. With DNSSEC, poisoning a recursive name server’s cache is much more difficult because DNS administrators sign their data. The resulting digital signatures on that DNS data are validated through a “chain of trust.”

Gartner Research Director Lawrence Orans added, “The importance of DNSSEC in solving issues of trust on the Internet has reached a tipping point with the signing of .com — one of the most significant milestones in the history of DNSSEC to date. However, there is still more work to be done and the effective deployment of DNSSEC requires collaboration from all parties in the Internet ecosystem.”

The deployment of DNSSEC in .com follows Verisign’s successful 2010 DNSSEC roll-out in .net in December, .edu in August and the collaborative effort between Verisign, ICANN and the U.S. Department of Commerce to sign the DNS root zone in July. To support and encourage DNSSEC implementation, Verisign also operates a DNSSEC Interoperability Lab. Staffed by Verisign personnel, the lab helps solution providers, ISPs and others ensure the Internet communications ecosystem is ready for DNSSEC.

Verisign provides the registrar community with a variety of tools to reduce the cost and complexity associated with implementing DNSSEC. To assist in driving adoption, the DNSSEC Signing Service is being offered to registrars to help them incorporate signing and provisioning into their infrastructure, while reducing the administrative burden of providing DNSSEC support for their customers. In addition, the Verisign DNSSEC Analyzer is an iPhone application that can assist in diagnosing problems with DNSSEC-signed names and zones. The Verisign Network Intelligence and Availability (NIA) group is also helping domain owners ease the complex management necessary to operate a signed zone by integrating DNSSEC support into its unrivalled Managed DNS service.

Verisign’s DNSSEC efforts dovetail with the company’s “Project Apollo” initiative, which will dramatically strengthen and scale the .com infrastructure by the year 2020. To achieve this, Verisign is scaling, and in some cases revamping, the infrastructure that keeps .com running. Verisign’s 2020 technology roadmap calls for it to increase capacity 1,000 times today’s level of 4 trillion queries to manage 4 quadrillion queries per day. The increased capacity will support normal and peak attack volumes based on what the company has experienced as well as Internet attack trends.

About Verisign
VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, Verisign helps companies and consumers all over the world to connect online with confidence. Additional news and information about the company is available at www.verisigninc.com

Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 as amended and Section 21E of the Securities Exchange Act of 1934 as amended. These statements involve risks and uncertainties that could cause Verisign’s actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as increasing competition, pricing pressure from competing services offered at prices below our prices and changes in marketing practices including those of third-party registrars; the sluggish economic recovery; challenges to ongoing privatization of Internet administration; the outcome of legal or other challenges resulting from our activities or the activities of registrars or registrants; new or existing governmental laws and regulations; changes in customer behavior, Internet platforms and web-browsing patterns; the inability of Verisign to successfully develop and market new services; the uncertainty of whether our new services will achieve market acceptance or result in any revenues; system interruptions; security breaches; attacks on the Internet by hackers, viruses, or intentional acts of vandalism; the uncertainty of the expense and duration of transition services and requests for indemnification relating to completed divestitures; and the uncertainty of whether Project Apollo will achieve its stated objectives. 
More information about potential factors that could affect the company’s business and financial results is included in Verisign’s filings with the Securities and Exchange Commission, including in the Company’s Annual Report on Form 10-K for the year ended December 31, 2010, Quarterly Reports on Form 10-Q and Current Reports on Form 8-K. Verisign undertakes no obligation to update any of the forward-looking statements after the date of this announcement.

This VeriSign news release was sourced from here.

To register your .COM domain name, check out America Registry here.

Implementing DNSSEC

Cisco’s The Internet Protocol Journal has published an article titled Implementing DNSSEC explaining the challenges that are involved with DNSSEC and what experience the early adopters have gathered and documented.

The article by Stephan Lagerholm and Torbjörn Eklöv, both DNS architects with significant DNSSEC experience, looks at “cache poisoning” techniques that were discovered a few years ago. The article says “you have most likely heard that Domain Name System Security Extensions (DNSSEC) is the long-term cure. But you might not know exactly what challenges are involved with DNSSEC and what experience the early adopters have gathered and documented. Perhaps you waited with your own rollout until you could gather more documentation about operational experiences when rolling out DNSSEC.”

This article summarises Lagerholm and Eklöv’s experiences, including lessons learned from implementing the technology in production environments, and discusses associated operational concerns.

To read this article, Implementing DNSSEC, in full by Stephan Lagerholm and Torbjörn Eklöv in Volume 13, Number 2, of Cisco’s The Internet Protocol Journal, see: