

Friday, June 26, 2009

International politics slows full deployment of DNSSEC

A growing number of top-level domains, including .gov and .org, are deploying DNS Security Extensions to help ensure the reliability of the Domain Name System. But full deployment of the extensions is moving at a glacial pace. Part of the problem is the complexity of managing the cryptographic keys used to sign DNS data so that resolvers can validate the responses they receive. But one Commerce Department official said another part of the problem is international concern about the United States controlling the Internet. In many cases the challenges are diplomatic rather than technical; the official likened the process of bringing the international community on board to herding cats.

Commerce has put much of the job of managing the Internet into the hands of the Internet Corporation for Assigned Names and Numbers, a nonprofit organization formed for that purpose. But Congress is unwilling to give up its oversight of a network the Defense Department originally created, and that worries some who see the Internet as a global resource.
Individual entities can handle many aspects of Internet security at the endpoints. But because DNS underlies virtually all Internet activity, securing it effectively is best done at a higher level. Hopefully, deploying DNSSEC won’t prove to be as challenging as achieving peace in the Middle East.

Source: Government Computer News, by William Jackson, June 25, 2009. Retrieved from

Monday, June 15, 2009

BIND 10 Set to Update DNS - Work is now underway for a major rewrite of the popular, open source DNS tech.

"DNS Security Extensions (DNSSEC) is a critical part of the BIND 9.x server, though DNSSEC itself is not yet widely deployed. DNSSEC offers a mechanism for digitally signing a domain name to ensure its authenticity. The technology has been widely hailed as the ultimate solution to the Kaminsky DNS flaw.

However, among the major top-level domains, only .org is currently signed with DNSSEC. In BIND 10, a key goal is to make it easier for DNS administrators to actually manage DNSSEC. Kerr said it'll do that by improving usability.

"There is a lot of missing functionality for DNSSEC, such as full automation of DNSSEC," he said.
Kerr explained that with BIND 10, it may be as simple as clicking the "sign this zone" button on the administration interface to implement DNSSEC.

It will also provide handholding to admins in other ways.

"BIND 10 might warn administrators when signatures are soon to expire, or indeed have expired," Kerr said.

Release date?

In terms of timing for the actual BIND 10 release, Kerr said that the first deliverable is an authoritative-only server, which is scheduled to be delivered a year from now. "We expect the total development to take five years, at which point the software will enter maintenance as a relatively mature product," Kerr said.

The challenges in building the new BIND 10 server are as much about keeping existing BIND 9 users happy as they are about the new technology.

"BIND 9 is the most successful piece of DNS software ever written," Kerr said. "ISC needs to ensure that BIND 9 users are happy until BIND 10 is ready to replace it. This means there is a tension between improving the 'old' product and working on the 'new' one."

"One of the goals of BIND 10 is that it will be a 100 percent drop-in replacement for BIND 9, but there is always resistance to change in the computer world," he added.
Source: Sean Michael Kerner, Retrieved on June 11, 2009 from

Tuesday, June 9, 2009

ICANN Calls on UK and Global Broadband ISPs to Adopt DNSSEC

The Internet Corporation for Assigned Names and Numbers (ICANN), which manages the Domain Name System (DNS), has called on ISPs around the world to start moving towards adoption of Domain Name System Security Extensions (DNSSEC). DNS translates human-readable domain names into IP addresses (e.g. becomes ), but the protocol has no built-in way to verify who answered a query, which can result in legitimate website addresses being diverted to malicious sites by attackers.

To solve this problem DNSSEC was developed. It does not encrypt DNS traffic; it uses digital signatures to provide origin authentication of DNS data, data integrity and authenticated denial of existence, so that a validating resolver can reject forged answers and attackers can no longer easily hijack websites and domains away from their legitimate servers. It won't stop Distributed Denial of Service (DDoS) attacks, where a server is bombarded by masses of requests and ultimately crashes, but it does block the cache-poisoning and response-spoofing attacks behind most current DNS hijacks.

This is clearly a very important step towards making the Internet more secure. However ICANN admits that without support from both ISPs and application developers around the world then it may not succeed. ICANN is now pushing for full adoption of DNSSEC but notes that it will initially result in a two-tier Internet between users of secure and unsecure platforms:
The CEO of ICANN, Paul Twomey, told ZDNet UK : "[IT IS] important to get the application-layer community involved and to recognise that DNSSEC should move through all applications.

It's going to take some time to deploy and further discussions, as there are a lot of implementation issues for ISPs in how they support DNSSEC. [USERS] will have to have access to both signed and unsigned roots. It's not like we can turn DNSSEC on tomorrow."

DNSSEC itself is nothing new and ICANN has reportedly been pushing for it since 2005, although political squabbles over who manages the Internet have held up progress. Happily, agreements have now been reached and ICANN is finally in a position to push forward, although, much like the move to IPv6, it could still take many years to fully deploy.

To the average broadband consumer this will seem like little more than techno-babble that has no bearing on their experience. In reality it's a bit like putting an immobiliser and alarm in a car that previously had neither.

Source: MarkJ, ICANN Calls on UK and Global Broadband ISPs to Adopt DNSSEC, Retrieved on 9 June, 2009 from
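The BIND 10 article above mentions warning administrators when signatures are about to expire, and the ICANN article describes the origin authentication and authenticated denial of existence that those signatures provide. A validating resolver treats any RRSIG outside its inception/expiration window as bogus, so an expired signature on a zone (or on its NSEC records) takes the zone off the air for every DNSSEC-aware client. The script below is an added example for this blog, not code from the blog, from ISC/BIND or from ICANN; it parses RRSIG records in zone-file presentation format and classifies each one against a chosen clock. The records, owner name, key tag and base64 signature bytes are constructed placeholders, and nothing here verifies a signature cryptographically.

```python
"""
Flag DNSSEC signatures (RRSIG records) that are expired, not yet valid, or
about to expire, the monitoring check the BIND 10 article says admins need.

Added example for this blog; not code from the blog, from ISC/BIND, or from
ICANN. The records below are constructed: owner name, key tag and signature
bytes are placeholders, and no signature is validated cryptographically.
"""
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034, section 3.2):
#   <owner> <TTL> IN RRSIG <type covered> <algorithm> <labels> <original TTL>
#   <expiration> <inception> <key tag> <signer name> <signature (base64)>
# Constructed sample records (placeholder signatures, not real ones):
SAMPLE_RRSIGS = """\
example.org. 3600 IN RRSIG A    8 2 3600 20090701000000 20090601000000 12345 example.org. dGhpcyBpcyBub3Q=
example.org. 3600 IN RRSIG SOA  8 2 3600 20090612000000 20090513000000 12345 example.org. YSByZWFsIHNpZw==
example.org. 3600 IN RRSIG NSEC 8 2 3600 20090605000000 20090506000000 12345 example.org. bmF0dXJlIGF0IGFsbA==
example.org. 3600 IN RRSIG MX   8 2 3600 20090701000000 20090615000000 12345 example.org. Zm9vYmFyYmF6
"""

# The "current time" assumed for the worked run below, so results are reproducible.
EXAMPLE_NOW = datetime(2009, 6, 10, tzinfo=timezone.utc)


def parse_sigtime(field):
    """RFC 4034 allows YYYYMMDDHHmmSS (UTC) or a plain seconds-since-epoch integer."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG line into its fields."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": parse_sigtime(f[8]),
        "inception": parse_sigtime(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature": "".join(f[12:]),  # base64 may be wrapped over several fields
    }


def classify(rrsig, now=None, warn_within=timedelta(days=7)):
    """Return one of: bogus-window, not-yet-valid, expired, expiring-soon, ok.

    RFC 4034 section 3.1.5: an RRSIG MUST NOT be used for authentication
    before its inception time or after its expiration time. A validating
    resolver therefore treats the covered data as bogus outside that window.
    """
    now = now or datetime.now(timezone.utc)
    inc, exp = rrsig["inception"], rrsig["expiration"]
    if exp <= inc:
        return "bogus-window"
    if now < inc:
        return "not-yet-valid"
    if now > exp:
        return "expired"
    if exp - now <= warn_within:
        return "expiring-soon"
    return "ok"


def check_rrsigs(zone_text, now=None, warn_within=timedelta(days=7)):
    """Classify every RRSIG line in zone_text; returns [(type covered, status), ...]."""
    results = []
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or zone-file comment
        r = parse_rrsig(line)
        results.append((r["type_covered"], classify(r, now, warn_within)))
    return results


def run_example():
    """Worked run of the constructed records against EXAMPLE_NOW."""
    return dict(check_rrsigs(SAMPLE_RRSIGS, EXAMPLE_NOW))


if __name__ == "__main__":
    for rtype, status in run_example().items():
        print("%-5s %s" % (rtype, status))
```

With the assumed clock of 2009-06-10, the A signature is fine, the SOA signature expires in two days, the NSEC signature has already expired (so authenticated denial of existence for the zone is already broken for validating resolvers), and the MX signature was produced with an inception date still in the future, which a signer with a skewed clock can easily do. In practice the same check is run over the output of a zone transfer or a `dig +dnssec` query rather than an inline string, and the warning threshold should be comfortably longer than the re-signing interval.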

Wednesday, June 3, 2009

.org TLD Signed with DNSSEC

Internet infrastructure services and domain name registry technology provider Afilias has signed the .org zone with DNS Security Extensions (DNSSEC) for the Public Interest Registry, the organization behind the .org top-level domain, making .org the first open TLD to use DNSSEC against DNS hijacking.