News
Call for Participation -- ICANN DNSSEC Workshop 27 June 2012
The DNSSEC Deployment Initiative, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), is planning a DNSSEC Workshop at the ICANN meeting in Prague, Czech Republic on 27 June 2012. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN Costa Rica meeting on 14 March 2012. The presentations and transcripts of the presentations are available at http://costarica43.icann.org/node/29659.
We are seeking presentations on the following topics:
1. DNSSEC activities in Europe
This is a key panel and we are seeking participation from those who have been
involved in DNSSEC deployment in Europe as well as those who have a keen
interest in the challenges and benefits of deployment. Key questions
to consider include: what would help to promote DNSSEC deployment? What
are the challenges you have faced when you deployed DNSSEC? Can DNSSEC
make the information users receive more reliable?
2. ISPs and Validation
ISPs are beginning to take the first step to full DNSSEC implementation
that will allow web users, with software applications like browsers, to
validate that the destination they are trying to reach is authentic and not a
spoofed website. We are seeking ISPs to participate in a panel discussion
or provide presentations on their DNSSEC deployment plans, challenges, and
benefits for users.
3. The realities of running DNSSEC
Now that DNSSEC has become an operational norm for many registries and
registrars, what have we learned about how we manage DNSSEC? What's best
practice around key rollovers? How often do you review your disaster recovery
procedures? Is there operational familiarity within your customer support
teams? Has DNSSEC made DNS more 'brittle' or is it just a run-of-the-mill
operational practice?
4. DNSSEC and Enterprise Activities
DNSSEC has always been seen as a huge benefit to organizations looking to
protect their identity and security on the Web. Large enterprises are an
obvious target for DNS hackers and DNSSEC provides an ideal solution to this
challenge. This session aims to look at the benefits and challenges of
deploying DNSSEC for major enterprises. Topics for discussion:
- What is the current status of DNSSEC deployment among enterprises?
- What plans do the major enterprises have for their DNSSEC roadmaps?
- What are the challenges to deployment for these organizations? Do they foresee raising awareness of DNSSEC with their customers?
5. When unexpected DNSSEC events occur
What have we learned from some of the operational outages that we have seen
over the past 18 months? Are there lessons that we can pass on to those just
about to implement DNSSEC? How do you manage dissemination of information about
the outage? What have you learned about communications planning? Do you have a
route to ISPs and registrars? How do you liaise with your CERT community?
6. DNSSEC in the wild
What operational statistics have we gathered about DNSSEC? Is it changing DNS
patterns? How are our nameservers handling DNSSEC traffic? Is the volume as expected?
Have we seen anything unusual? Are there experiences being documented in
the form of best practices, or something similar, for transfer of signed zones?
7. DANE and other DNSSEC applications
Using DNSSEC as a means of authentication for http transactions is an exciting
development of DNSSEC. What is the progress of the DNS-Based Authentication of
Named Entities (DANE) initiative? (See http://datatracker.ietf.org/wg/dane/.) How soon could DANE become a deployable
reality and what will be the impact of such a deployment, e.g. impact on
traditional certification authorities (CAs)?
8. The Great DNSSEC Panel Quiz
Ever fancied pitting
your wits against your colleagues? Demonstrate your knowledge and
expertise in DNSSEC in our Great DNSSEC Panel Quiz. We are looking for
four or five people to join us in a light-hearted quiz.
In addition, we welcome suggestions for additional topics. If you are
interested in participating, please send a brief (1-2 sentence) description of
your proposed presentation. Here are the relevant deadlines:
10 May 2012 — Deadline to submit brief description of presentation
from interested participants
04 June 2012 — Deadline to submit presentation slides
Please respond to [email address not shown] no later than 10 May 2012 as indicated above. We hope
that you can join us.
Thank you,
Julie Hedlund
On behalf of the DNSSEC Workshop Program Committee:
Luis Diego Espinoza, NIC .cr
Steve Crocker, Shinkuro
Simon McCalla, Director of IT, Nominet UK
Russ Mundy, Cobham
Ondřej Surý, NIC.cz
Lance Wolak, Vice President, Marketing & Sales, .ORG, The Public Interest Registry
--
Ondřej Surý --
Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
http://nic.cz/
tel:+420.222745110
fax:+420.222745112
-------------------------------------------
.de Domains Pass 15-Million Mark
From 0 to 15 million: How it all began …
About DENIC eG
DENIC and Netnod Team Up for Further Name Service Enhancement of .de
Effective 19 April 2012, German TLD .de operator DENIC and the Swedish-based Internet infrastructure organisation Netnod have entered into a strategic partnership to further strengthen the .de Name Service. By making use of Netnod’s extensive infrastructure to complement DENIC’s own worldwide DNS network, DENIC’s operation of the domain name system for .de, in its role as a crucial resource of the Internet, will be additionally secured.
The new second foothold will further minimise potential risks for the .de zone by integrating Netnod’s additional 35+ locations worldwide, this way allowing for rapid response in the case of a malicious intent. As a surplus benefit, Netnod’s services will provide a significant capacity upgrade.
“We have chosen Netnod for their outstanding technical expertise and fully trust their competence to meet the high level demands associated with the operation of our supplementary name service for .de, which is by far the biggest ccTLD worldwide. Also, both Netnod and DENIC are not-for-profit, neutral, and independent basic infrastructure-providing organisations and share similar strategic positions and views. Therefore, this partnership ideally matches with DENIC’s commitment to provide services of utmost reliability, on a self-regulatory basis,” said Dr. Jörg Schweiger, Member of the Board and CTO of DENIC.
“Netnod is happy to assist DENIC in enlarging their footprint by offering them the shared use of our widespread multi-site anycast infrastructure for full backup support of .de, and thus for the common good of all Internet users. Of course, we are very proud that after having supported a large variety of European ccTLDs for quite some time now, .de as the No. 1 ccTLD has chosen us to be their strategic DNS partner,” said Kurt Erik Lindqvist, CEO of Netnod.
----------------------------------------------------------------------------------
About DENIC
DENIC is responsible for managing .de, Germany’s top-level Internet domain and the world’s second largest Internet registry with 15,000,000+ domain names. Next to running a 17-site worldwide name server network, DENIC provides all domain database and registration system resources for .de and also operates the German ENUM domain (.9.4.e164.arpa), along with all .de and ENUM related whois lookup services. Since its inception in 1996, as a private, not-for-profit cooperative, DENIC’s mission is to fulfil a public purpose by supporting a fast, secure and reliable access to German Internet pages and e-mail addresses, through the excellence of its extensive name server infrastructure and services, on a 24/7 basis. Today, 280+ registrars from the IT and telecommunications industry in Germany and abroad offer .de registration services and support the independent, self-regulatory approach of the cooperative as active members. DENIC is also committed to be a leading force in shaping the continued development of the open, decentralized and secure Internet, in a close collaborative effort with international Internet bodies including ICANN, RIPE, IETF, and CENTR. Based in Frankfurt am Main, Germany, DENIC employs 120 staff and has an annual turnover of EUR15m.
Website: http://www.denic.de
Contact: Stefanie Welters, Public Relations Officer, DENIC eG
+49 69 27235-274
About Netnod
Netnod is a not-for-profit, neutral and independent Internet infrastructure organisation, based in Sweden and owned by the TU foundation. Netnod provides DNS anycast and unicast slave services to TLDs worldwide through its highly respected and robust DNSNODE product. Netnod is also the proud operator of i.root-servers.net, one of the thirteen logical DNS root name servers in the world – a critical part of the Internet underlying infrastructure. This service is provided as a public service to the Internet community at-large, as part of Netnod’s goal to work for the “Good of the Internet”. Finally, Netnod operates six exchanges in five different cities in Sweden where Internet operators exchange traffic. The Netnod IX has among the highest amount of traffic per peer in Europe and is fully IPv6 enabled.
Website: http://www.netnod.se
Contact: Kurt-Erik Lindqvist, CEO, Netnod
+46 8 56286000
Commercial application of DNSSEC launched in the .UA domain
Kyiv, April 13. Hostmaster, the technical administrator of the .UA domain, completed DNSSEC implementation activities and started using the technology commercially. Today, the international organization ICANN satisfied Hostmaster’s request to make an entry about DNSSEC key for .UA in the root zone of the domain names system (DNS).
This allowed Ukrainian companies to protect their sites from scammers who redirect users to scam sites using loopholes in the DNS. The DNSSEC technology applies digital signatures and guarantees authenticity of domain names.
So far, the technology has been adopted by three companies to protect their sites: RIFT Ltd (Rivne), Netassist (Kyiv), and NIC.UA (Dnipropetrovsk) to ensure safety of the domains rovno.ua, netassist.ua, and nic.ua, respectively.
At the moment, DNSSEC is being used worldwide by more than 70 top level domains (approximately 26% of the total amount), of which 60 are country domains (24%).
The .at Report (1/2012) with DNSSEC World Map included
In February nic.at introduced the security standard DNSSEC for the .at zone - that's why the latest .at report is dedicated to this topic. Although DNSSEC deals with encryption, NIC.at tried to treat the topic as 'unencrypted' as possible!
Find out yourself and explore the DNSSEC world map, take a look behind the scenes of our DNSSEC deployment and meet international DNSSEC pioneers! Furthermore you will get to know how registrars think about DNSSEC and which results the first .at barometer has delivered.
Find the report here:
IETF in Paris: Privacy and Web Identification tussle, Worldv6Launch Day and new things moving into the DNS
Paris saw one of the largest IETF meetings in recent years with over 1400 engineers - and also a few lawyers and policy people – gathered in a busy week. With meeting slots completely filled and additional launch and site meetings added on top, issues discussed between several working groups were the push for authentication and identification on the ever more resourceful web, World v6 Launch day (and the many life-saving efforts for IPv4) and yet another attempt to use the Domain Name System (DNS) for another new alternative technology, this time for securing BGP routes.
Securing routing with the DNS as an alternative to the „oldie“ Routing PKI (RPKI) was presented as another approach to make use of the DNS. In fact, after challenging Transport Layer Security and its no longer beloved system of certification authorities with DANE (DNS-based Authentication of Named Entities), it is now RPKI that seems to get competition from the DNSSEC-secured name space. Joe Gersch from the DNSSEC-provider Secure64 and Dan Massey from the University of Colorado, who is an author of some DNSSEC RFCs, presented ROVER – Route Origin Verification. Instead of implementing new infrastructure for the verification of BGP routes, the in-addr.arpa tree could be checked for announcements of IP address blocks.
Once a CIDR-block was announced, administrators could query the DNS to see if it was an authoritative announcement. The only trick necessary according to Gersch and Massey was to marry the eight-bit structure of the DNS with blocks unfitting in that structure. Gersch and Massey presented a proposal for a „reverse DNS naming convention for CIDR address blocks“. Currently only complete IP addresses, but not address ranges may be registered under in-addr.arpa. Practically speaking the block 129.82.0.0/16 will be registered as 82.129.in-addr.arpa, the block 129.82.64.0/18 will be registered as 129.82.m.0.1 ( 129.82.m.0.1.0.0.0.0.0.0). In both the DNS and, much more, in the RPKI WG of the IETF there were a lot of critical comments, but the DNS WG agreed to allow work to continue on the reverse naming draft despite some experts warning against pursuing ROVER, as it would introduce circular arguments and a bootstrapping problem in case of attacks. (For an evaluation of ROVER by Stephane Bortzmeyer, see his blogpost.)
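The naming convention described above, as an added sketch (not code from the article or from the ROVER authors). The function names are illustrative, and the DNS owner name is assumed to list labels most-specific-first, as ordinary in-addr.arpa names do; the article writes the same labels in address order.

```python
import ipaddress

SUFFIX = "in-addr.arpa"

def cidr_labels(cidr):
    """Labels in address order, as the article writes them (129.82.m.0.1)."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # ValueError if host bits set
    full, extra = divmod(net.prefixlen, 8)
    octets = str(net.network_address).split(".")
    labels = octets[:full]
    if extra:
        # Prefix ends inside an octet: "m" marker, then one label per leading bit.
        labels += ["m"] + list(format(int(octets[full]), "08b")[:extra])
    return labels

def cidr_owner_name(cidr):
    """DNS owner name (assumption: labels reversed, like PTR names)."""
    return ".".join(cidr_labels(cidr)[::-1] + [SUFFIX])

def owner_name_to_cidr(name):
    """Inverse mapping; rejects malformed names instead of guessing."""
    name = name.rstrip(".").lower()
    if not name.endswith("." + SUFFIX):
        raise ValueError("not under in-addr.arpa")
    labels = name[: -len(SUFFIX) - 1].split(".")[::-1]  # back to address order
    octets, bits = labels, []
    if "m" in labels:
        i = labels.index("m")
        octets, bits = labels[:i], labels[i + 1:]
        if len(octets) > 3 or not 1 <= len(bits) <= 7:
            raise ValueError("bad bit-label section")
        if any(b not in ("0", "1") for b in bits):
            raise ValueError("bit labels must be 0 or 1")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        raise ValueError("bad octet labels")
    # Pad the partial octet's bits with zeros, then pad the address to 4 octets.
    addr = octets + ([str(int("".join(bits).ljust(8, "0"), 2))] if bits else [])
    addr += ["0"] * (4 - len(addr))
    prefix = 8 * len(octets) + len(bits)
    return str(ipaddress.IPv4Network(".".join(addr) + "/" + str(prefix)))
```

A prefix with host bits set (for example 129.82.64.1/18) is rejected, so a lookup name is only ever built for an exact block.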
Another topic discussed feverishly is the development of a new IETF standard for Whois in the WEIRDS working group. Besides the number registries that started the discussion, not only a large registry like VeriSign, but also a coming TLD-registry like Google declared its commitment to a new Whois.
Web Identity
More and easier to use security options for the ever growing net of web platforms were a topic discussed not only during the OAuth working group of the IETF, but also in the technical plenary, a panel by the ISOC and an additional lunch panel chaired by representatives of the World Wide Web Consortium. The W3C is just about to start its own new WG on Web Cryptography and was very much interested in not adding to the growing fragmentation of the Web Identity Space – with the more well-known OpenID and OpenID Connect suite (Google, Yahoo, Microsoft, Facebook), BrowserID (mainly Mozilla), the not widely implemented OASIS SAML suite and smaller initiatives like WebID already competing. Instead the W3C wanted to offer building blocks, with a focus on strong cryptographic tools, Harry Halpin from the W3C said. The differences between Mozilla's BrowserID, which was presented several times by TLS-coauthor Eric Rescorla, and the OpenID Connect approach (which marries OAuth features and classical single sign-on solutions) are blurred, but experts from different sides agree that BrowserID is somehow optimized to not allow the identity provider to see what the user is doing on the web.
Will „the market“ decide the tussle? At least, US lawyer Wendy Seltzer, representing the W3C, said standards were desperately needed to avoid users being compelled by content providers to authenticate via their preferred identity provider. In the US there were newspapers, for example, that were only available for online subscription if the user came from a Facebook account.
IPv6 – This time it's for real
The IETF leadership is prepared to finally clear the IPv6 related WGs from work that is targeted to extend the lifetime of IPv4 with an „Ipv4Exit“ WG. In Paris the Ipv6Op WG once more saw a long list of drafts talking IPv4, and not IPv6. At the same time the Internet Society has announced that the second WorldIPv6 Day (on June 6th, 2012) will not be another test flight, but instead should mark the take off. Several large network providers including Comcast and Time Warner Cable, content providers including Google and Yahoo and hardware companies like Cisco and D-Link announced they would launch IPv6. Network providers participating have to offer IPv6 to every new customer and have to push their IPv6 traffic to at least one percent by June 6. An observation made by non-US participants at the meeting was that ISOC had not rallied as much support outside of the US.
20 years since Internet came to Estonia
Precisely 20 years ago today Estonia established its first Internet connection with the outside world. Previously people in Estonia could only send and receive e-mails via slow modem connections by making international calls to Finland. Such a solution was both complicated and inadequate because it excluded a wide range of Internet possibilities.
AFNIC launches its campaign of calls for support
Following the publication of the calls for applications to manage the 11 top-level extensions in the Official Journal of the French Republic on March 20, 2012, AFNIC has announced its candidacy for the extensions in question and has launched its campaign of calls for support.
AFNIC has successfully acted as the Registry for the .fr (France), .re (Reunion Island), .pm (St. Pierre and Miquelon), .tf (French Southern and Antarctic Territories), .wf (Wallis and Futuna) and .yt (Mayotte) TLDs since 1998.
"The association is particularly committed to extending this unbiased approach, giving each category of stakeholder (registrars, users, private and public sectors) a fair place, while promoting sharing and openness in a non-profit environment," said Jean-Pierre Dardayrol, Chairman of AFNIC. "AFNIC therefore wishes to re-assert its commitment to the French Internet community by applying for the management of the 11 French Internet extensions included in the calls for applications," he added.
Partnership between Nominet and Swedish company OpenDNSSEC
The Swedish company OpenDNSSEC AB (svb), which is operated by .SE (The Internet Infrastructure Foundation), will receive a capital injection of
.uk - fit for the future at 10 million
The .uk registry has now hit over 10 million domains – maintaining its position as the world’s second largest country code registry.
The 10 millionth registration follows on from two years of strong growth in .uk domains.
Nominet is marking this occasion by announcing a major investment in the .uk brand – a particularly important step given the backdrop of a changing landscape of domain names. This work is focused on growing the market and driving growth in .uk by delivering and building a compelling .uk brand story for businesses and consumers. A marketing campaign, set to roll out from May this year, will include a dedicated .uk website.