

Thursday, February 26, 2009

FOSE 2009

Companies to Showcase over 115 New Products at FOSE 2009

FALLS CHURCH, Va. — FOSE 2009, the most comprehensive event for government information technology (IT) professionals, today announced that it will have over 115 new products and solutions on display at this year’s event. Scheduled for March 10-12, 2009 at the Walter E. Washington Convention Center in Washington, DC, FOSE is the largest trade show for government technology professionals.

Examples of the technology solutions that will be displayed on the show floor include:

ScienceLogic will showcase its EM7 Meta-Appliances solution, which helps government agencies to cut through the complexity of IPv6 deployment and management by discovering IPv6 networks and devices. Out-of-the-box, EM7 provides the real-time statistics, alerts, and historical trending information necessary to proactively monitor the IPv6 infrastructure and optimize the performance and availability of mission-critical government IT operations.

Secure64 Software will exhibit its Secure64 DNS Signer, the first Domain Name System Security Extensions (DNSSEC) key management and zone signing software that makes DNSSEC easy to implement and completely secure. By fully automating DNSSEC key generation, key rollover, zone signing, and re-signing processes, DNS Signer reduces deployment and administration costs while eliminating errors that can cause domains to become unavailable.

Security Engineered Machinery Company will present the SEM Model 0101 Hard Drive Crusher. At the touch of a button, this unit unleashes 12,000 pounds of controlled force to a conical punch causing catastrophic trauma to the hard drive chassis while destroying the internal platter. The SEM Model 0101 is capable of physically destroying up to three laptop hard drives in less than 10 seconds.

Source: Centre Daily Times, Retrieved on 02/26/09 from

Tuesday, February 24, 2009

Forgetting The User, Again.

Just like users can be fooled into trusting fraudulent SSL-enabled Web sites, they could be fooled into trusting fraudulent hosts. User interaction is just as important as the technical deployment specifications, yet little work is being done on that front.

If DNSSEC will actually be useful for users, a few things need to occur:

1. Browser vendors should agree on a consistent method to display the status of DNSSEC to the user in an unambiguous and clear manner. Even something as simple as a text representation such as "Authenticated Host" would do.

2. Web sites that are known to contain sensitive information or activity like financial institutions, online retailers, health care providers, and other entities that should have a higher standard of trust, should be required -- through regulation or best practice -- to use DNSSEC. If bank A uses DNSSEC and you get a DNS response that is not signed, the user should know that is a potential problem. But a user shouldn't have to keep track of which banks use DNSSEC and which don't.

3. The sites using DNSSEC and any organization demanding the use of DNSSEC should work together to educate users on what to look for in a signed response and clearly indicate the conditions where an unauthenticated response to a name should not be trusted.

Users can make the right decisions if they are given the right information. That is just as difficult as figuring out how to generate the response in the first place.

Full article: Mike Fratto, "DNSSEC: Forgetting The User, Again.", Retrieved on Feb 24, 2009 from

Wednesday, February 18, 2009

Debian 5's Five Best Features

Despite delays and internal arguments, Debian 5, Lenny, has finally arrived, and it's a darn nice Linux distribution.

You don't have to take my word for it. Consider what Warren Woodford, the well-regarded Linux developer, who uses Debian for the foundation of his SimplyMEPIS Linux distribution, has to say. Woodford, who switched MEPIS' cornerstone distribution from Ubuntu to Debian in 2007, said, "Behind the scenes, MEPIS is being used more and more in demanding environments, so I was happy the Debian teams decided to use the hardening features in gcc to increase the security of Debian in Lenny." Woodford added, "I know a lot of our users were happy that Debian decided to continue supporting KDE 3.5. They like what they have and don't want to be forced to learn the KDE 4 look and feel."

Even when Debian doesn't get it quite right, from where Woodford sits, he still praises Debian for making it easy to add features. "I think it would have been good for Debian if they could have bent their "freeze" rules and included Bind 9.6 [Berkeley Internet Name Domain-the program that runs the Internet's master address system: DNS (Domain Name System)]. But thanks to the flexibility of using the Debian core, it was easy for us to add Bind 9.6 to MEPIS 8.0 for users who need to comply with the US OMB (Office of Management and Budget) mandate for DNSsec (DNS security extensions) support."

Tuesday, February 17, 2009

Interim Trust Anchor Repository "Beta"

IANA provides an Interim Trust Anchor Repository to share the key material required to perform DNSSEC verification of signed top-level domains, in lieu of a signed DNS root zone. This is a temporary service until the DNS root zone is signed, at which time the keying material will be placed in the root zone itself, and this service will be discontinued.

What is the ITAR for?
The Interim Trust Anchor Repository, or ITAR, acts as a mechanism to disseminate "trust anchors" that have been provided by the operators of top-level domains who use DNSSEC to secure their zones. IANA is responsible for managing the DNS root zone, and uses these existing trust relationships to verify the supplied trust anchors come from the correct party. The system is considered interim as it is designed to be deprecated once the DNS root zone itself is signed with DNSSEC.

What is a Beta?
This is a preliminary testing version of the service for the community to try. We will take feedback and improve the product before it is considered fully production ready. In particular, we appreciate feedback on problems that occur, as well as features that could be added to make the service more useful. You can send any comments on this beta to

Who may submit trust anchors?
This repository is limited to trust anchors for top-level domains. Top-level domain operators who have DNSSEC-signed their zones may use this service. The IANA contacts for a domain must cross-verify their intent to publish anchors before they will be accepted by IANA into the ITAR, so third parties are not able to submit trust anchors without their consent.

How is this connected to IANA's DNSSEC test bed?
This is a different project. The IANA DNSSEC test bed offers a signed DNS root zone (see Trust anchors supplied to the ITAR, however, will be used for the DNSSEC test bed.

How can I download the trust anchors?
The trust anchor formats are distributed either via HTTP (above), Rsync (rsync://, and FTP ( We also provide a digest of the file, and a PGP signature, to help verify the contents. During initial testing we are using a PGP key with ID 81D464F4.

Why does the repository contain DS records, rather than DNSKEY records?
The trust anchor repository is designed to replicate the same trust information that would be stored in the DNS root zone, if the DNS root zone were signed. Therefore, we store the DS records from top-level domains. Recognising that some DNS validating resolver implementations do not accept DS records as configurable trust anchors, we have provided a tool that can convert DS records to DNSKEY records if you require that.

How can I get announcements relating to ITAR?
We have set up an ITAR announcement mailing list. You can subscribe at We will post significant announcements here, as well as any advisories such as key revocations.

Please contact us at with any questions or comments.
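As an added example (not from the ITAR post or from IANA's own tooling) of why a DS record is sufficient as a trust anchor: a validating resolver recomputes the DS digest over the owner name and the zone's DNSKEY RDATA, as RFC 4034 specifies, and compares it with the configured anchor, so a substituted key is rejected even though the DNSKEY itself was never stored. The owner name and key bytes below are constructed sample values, not a real TLD key.

```python
import hashlib
import struct

# Digest types from RFC 4034 (SHA-1) and RFC 4509 (SHA-256); assumption: only these two are needed.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit accumulation over the RDATA with carry fold."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS = (key tag, algorithm, digest type, hex(hash(owner wire form || DNSKEY RDATA)))."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def dnskey_matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """What a validator does with a DS-form anchor: recompute the digest and compare every field."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS or key_tag(rdata) != tag or rdata[3] != alg:
        return False
    return make_ds(owner, rdata, dtype)[3] == digest

# Constructed sample: KSK flags 257, protocol 3, algorithm 8 (RSASHA256), four dummy key bytes.
SAMPLE_OWNER = "example."
SAMPLE_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    anchor = make_ds(SAMPLE_OWNER, SAMPLE_KEY, 2)
    print("DS anchor:", anchor)
    forged = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")  # same fields, different key material
    print("zone DNSKEY matches anchor:", dnskey_matches_ds(SAMPLE_OWNER, SAMPLE_KEY, anchor))
    print("substituted key matches anchor:", dnskey_matches_ds(SAMPLE_OWNER, forged, anchor))
```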

Monday, February 16, 2009

How to deploy DNSSEC on the Windows Server 2008 R2 and Windows 7 operating systems

Brief Description

This guide provides an overview of Domain Name System (DNS) Security Extensions (DNSSEC) and information about how to deploy DNSSEC on the Windows Server 2008 R2 and Windows 7 operating systems.


DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified by the Internet Engineering Task Force (IETF) in RFCs 4033, 4034, and 4035, with additional RFCs providing supporting information.

System Requirements

Supported Operating Systems: Windows 7; Windows Server 2008


Tuesday, February 10, 2009

DNSSEC News: U.S. misses DNS security deadline

The federal government missed its first deadline for rolling out DNS security mechanisms on its .gov top-level domain. Federal officials now say they will cryptographically sign .gov by the end of February, one month behind their original schedule.

Federal agencies were required to deploy DNS Security Extensions (DNSSEC) on the .gov top-level domain by January 2009 and on all sub-domains by December 2009 under an Office of Management and Budget (OMB) mandate issued last year.

DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

DNSSEC is the only foolproof way to prevent cache poisoning attacks, where a hacker redirects traffic from a legitimate Web site to a fake one without the user knowing. These attacks are a result of a significant DNS flaw known as the Kaminsky Bug, which was discovered this summer.

The U.S. General Services Administration (GSA) said Monday that it will deploy DNSSEC on .gov by the end of February.

Saturday, February 7, 2009

Secure64 DNS Signer Demo

A 4-1/2 minute screencast demo showing how to deploy DNSSEC

Tuesday, February 3, 2009

NIST Purchases Secure64 Software to Secure DNS Infrastructure

Secure64 Software Corporation announced today that the National Institute of Standards and Technology (NIST) has purchased the company's DNSSEC software - Secure64 pDNS Signer - the first DNSSEC signing software that's easy to implement, so organizations can deploy DNSSEC quickly, safely and correctly.