
DNSSEC NEWSFLASH

Wednesday, October 28, 2009

.eu plans to support DNSSEC


Brussels, 28 October 2009 - EURid is pleased to announce that all .eu
accredited registrars now have access to a .eu DNSSEC testbed.
Providing this access is the first step in .eu support for Domain
Name System Security Extensions (DNSSEC), a protocol that is intended
to make the domain name system more secure.

The testbed will help EURid understand the technical demands of
running the NSEC3 version of DNSSEC in combination with dynamic
updates. It will also help the registry evaluate response times and
measure the performance of zone file generation in the specific .eu
environment. Finally, it will help EURid learn more about certain
administrative processes required by DNSSEC. That includes the
recalculation of signatures during a process which is known as key
roll over.

"We want to work closely with our registrars to find out the best way
to launch DNSSEC together to benefit .eu users," comments Marc Van
Wesemael, EURid General Manager. "At this time, few top-level domain
registries offer DNSSEC support. We encourage all in the community to
help Internet users by embracing DNSSEC." 


Source: Retrieved on October 28, 2009 from pr-inside.com/eu-plans-to-support-dnssec-r1551606.htm

Tuesday, October 27, 2009

ICANN Wants To Fast Track Non-Latin Character Domain Names

You may soon see URLs with Arabic characters and other non-Latin letters. The Internet Corporation for Assigned Names and Numbers is pushing a proposal to include Internationalized Domain Names that have native language scripts.

ICANN's IDN initiative, which has been in the works for several years, was presented Monday at the ICANN board meeting in Seoul, Korea, this week. The proposed launch date for the IDN ccTLD (country-code Top Level Domains) Fast Track Process is Nov. 16.

The move is centered on the increasing growth among global Internet users who do not use Latin-based characters, such as in Chinese, Korean and Arabic languages. A copy of ICANN's proposed rules regarding criteria for participation eligibility, language, technical script criteria and more can be found here.

"This is an extremely important meeting for ICANN, since the IDN program is moving one step closer to reshaping the global Internet landscape," said Rod Beckstrom, ICANN president and CEO, in a statement. "In Seoul, we plan to move forward to the next step in the internationalization of the Internet, which means that eventually people from every corner of the globe will be able to navigate much of the online world using their native language scripts."

At the meeting, ICANN is also discussing generic top-level domains (gTLDs), which are the end portion of an Internet address name, such as ".com" or ".org", and are not associated with any specific country. The organization said it is developing a new program in which the number of gTLDs will eventually be expanded from its current list of 21 to include almost any word, in almost any language. ICANN is calling for comments about gTLDs. A third draft of the proposed rules and procedures for applying for a new gTLD can be found here.

Internet security issues concerning the domain name system (DNS) are also being addressed at the meeting, ICANN said in a statement, and pointed to the recent Conficker worm threat.

"The threat was met with an unprecedented collaboration between ICANN and top security experts from Microsoft, Symantec and dozens of other companies, software vendors and organizations dedicated to preserving the security and stability of the Internet," ICANN said. "The Seoul meeting will afford an opportunity for security experts to share updates on DNS Security (DNSSEC)."


Thursday, October 22, 2009

Internationalization of the Internet Takes Center Stage at ICANN Seoul Meeting

A program that is expected to make the Internet far more accessible to millions of people in regions such as Asia and the Middle East will be one of the central topics of ICANN’s 36th International Public Meeting in Seoul, October 25-30, 2009.

ICANN’s Board of Directors is scheduled to review an historic measure that could bring initial limited use of Internationalized Domain Names (IDNs) to the Internet before the end of the year. IDNs allow the use of non-Latin based language characters in the entire Internet address, which is expected to vastly increase the number of Internet users in global regions where languages such as Chinese, Korean or Arabic are spoken.

“This is an extremely important meeting for ICANN, since the IDN program is moving one step closer to reshaping the global Internet landscape,” said Rod Beckstrom, ICANN’s President and CEO. “In Seoul, we plan to move forward to the next step in the internationalization of the Internet, which means that eventually people from every corner of the globe will be able to navigate much of the online world using their native language scripts.”

Some of the other major issues to be raised at the Seoul meeting include:

The Affirmation of Commitments: The Seoul meeting occurs only three weeks after ICANN and the U.S. government signed an “Affirmation of Commitments.” The agreement endorses ICANN’s rapid adoption of IDNs. It also supports ICANN’s bottom up global stakeholder model of governance and policy formation and helps guarantee that the organization is globally accountable. The Affirmation succeeds the so-called “Joint Project Agreement” between ICANN and the U.S. Department of Commerce, which called for annual reviews to be submitted to the U.S. government. Those accountability reviews will now go to the global ICANN community. To view a video of Rod Beckstrom’s comments on the Affirmation of Commitments, please click here. You can embed this video on your Web site by clicking the “Get Code” button.

Generic top-level Domains: gTLDs are the end portion of an Internet address name, such as “.com” or “.org” and are not associated with any specific country. Under a new developing program, the number of gTLDs will eventually be expanded from its current list of 21 to include almost any word, in almost any language. The third draft of a proposed “Applicant Guidebook,” which spells out the rules and procedures of applying for a new gTLD, has just been published, and the Seoul meeting will afford participants a prime opportunity to discuss the latest draft. Please click here to review the Applicant Guidebook.

Internet Security: Cyber-security threats are always evolving and changing and the threat to the domain name system (DNS) is always increasing, as the world saw several months ago with the threat from the Conficker worm. The threat was met with an unprecedented collaboration between ICANN and top security experts from Microsoft, Symantec and dozens of other companies, software vendors and organizations dedicated to preserving the security and stability of the Internet. The Seoul meeting will afford an opportunity for security experts to share updates on DNS Security (DNSSEC).

All interested journalists are encouraged to attend the ICANN meeting in Seoul at the Lotte Hotel (1, Sogong-dong, Jung-gu Seoul, Korea 100-721), October 25-28, 2009. All meetings are open to the public. Registration is free and reporters will have access to the Internet via ICANN’s free WiFi system. Media kits will be available at the “Media Desk” near the main registration area.

You can find out everything you need to know about the Seoul meeting here: http://sel.icann.org/

Wednesday, October 21, 2009

US Department of the Interior To Use Secure64 DNSSEC Appliance



The US Department of the Interior has purchased Secure64 Software Corporation's DNS Signer product to meet the Office of Management and Budget's December 2009 mandate that requires all federal agencies to add Domain Name System Security Extensions (or DNSSEC).

The Department of Interior is the latest in a growing list of government agencies that has selected Secure64 DNS Signer, according to its Wednesday announcement. With DNS responsible for translating between host names and IP addresses on Internet-connected systems, the OMB issued a mandate that all federal agencies must implement DNSSEC by December 2009 as part of its cyber security strategy.

"DOI required a solution able to sign for the entire department, including all component bureaus and offices, so scalability was a factor in our decision," Department of Interior chief technology officer William Corrington said in a statement. "Even more importantly, we needed an automated product with the highest level of security to prevent signature forging. We selected Secure64 DNS Signer because it met all of our requirements and successfully completed a pilot deployment in three days."

In addition to managing the natural resources of the US, Secure64 chief executive officer and director Steve Goodbarn said DOI has been prepared for natural disasters, such as floods, wildfires, and earthquakes. "The resiliency of their Internet communications is critical to meet these missions and the department has taken a leadership role in deploying an efficient and reliable IT architecture," Goodbarn said in a statement. "We are proud to be part of these efforts and to enable reliable, timely, and cost-effective deployment of DNSSEC."

Source: "US Department of the Interior To Use Secure64 DNSSEC Appliance", David Hamilton, Retrieved on October 21, 2009 from thewhir.com/web-hosting-news/102109_US_Department_of_the_Interior_To_Use_Secure64_DNSSEC_Appliance

Thursday, October 8, 2009

First root server provides a DNSSEC-signed zone as of December 1st

"Joe Abley of ICANN and VeriSign manager Matt Larson announced, at the 59th meeting of the "Réseaux IP Européens" (RIPE) in Lisbon, that, starting on the 1st of December, the central root zone of the Domain Name System (DNS) will be signed, deploying the DNS Security Extensions (DNSSEC) protocol, which has been discussed for years. However, the signed root zone will be distributed only gradually to a total of 13 root servers, while the public key is slated for distribution starting on the first of July, 2010. Responses cannot actually be validated until then. DNSSEC is designed to ensure that responses to DNS requests only come from authorised servers.

Ever since security expert Dan Kaminsky showed how easy it was to falsify such responses and deceive users issuing requests, experts have been under pressure to introduce DNSSEC. The US Department of Commerce released the date of the accelerated implementation, and also decided that VeriSign and ICANN should work together to sign the root zone.

Attendees at RIPE welcomed the news that DNSSEC was finally being deployed. Olaf Kolkman of Nlnet Labs called the gradual approach "smart". Abley explained that the decision to proceed gradually was intended to prevent DNS from buckling under the load of the anticipated huge number of responses to root server requests. He said that it is important to observe how many servers on the net re-route the signed responses and use unsigned variants whenever a root server provides the signed zone.

The design choice of a 1024 bit RSA root zone key, rather than the longer 2048 bit key, may have also been due to the ambitious deployment date. The zone will be signed with NSEC instead of the next generation NSEC3 standard. Because it is valid for only four months, the chosen key should be adequate, despite directives from US authorities to migrate to longer keys. The master key, however, will use the longer variant (2048 bit RSA). That key will only be changed every two to five years.

In recent months, increasing numbers of ccTLD managers have announced plans to sign their zones with DNSSEC. Most recently, the Swiss .ch and .li registry SWITCH announced the change to DNSSEC. At the RIPE meeting in Lisbon, Sara Monteiro of the FCCN .pt registry said that she was just months away from DNSSEC signing. DeNIC, on the other hand, recently started a two-year trial programme. The more dense the DNSSEC chain becomes, the more secure it will be. However, experts expect some drawbacks as well; especially domains that cannot be accessed because responses are not signed on time."

Source: h-online.com/security/First-root-server-provides-a-DNSSEC-signed-zone-as-of-December-1st--/news/114416

Wednesday, October 7, 2009

DNSSEC Deployment Heads North



The .ca Canadian country code domain opens up a DNSSEC testbed

"TORONTO -- The global movement toward a more secure DNS infrastructure has gained another convert. The dot ca (.ca) country code Top Level Domain (ccTLD) now has an open public DNSSEC testbed to help secure the more than 1.2 million domains it manages.

The move was formally announced at the SecTor security conference underway in Toronto.

The move by dot ca places it in good company, joining other top level domains like .org in beginning to prove out and test DNSSEC in its infrastructure. Moving to DNSSEC on a global basis is a key security effort that could ultimately make the Internet safer for all.

DNSSEC provides cryptographic authentication of DNS information to ensure integrity and authenticity. The need for better DNS security became a big IT issue in mid-2008 when the Internet was rocked by the revelation that the Domain Name System (DNS), one of the core infrastructures of the Internet, was vulnerable to cache poisoning attack.

Vendors rushed out patches to the DNS vulnerability, although experts have suggested that DNSSEC is the ultimate solution to the problem. DNSSEC is a technology that has been available since at least 2004, but it is only now that adoption is growing.

Norm Ritchie, CIO of the Canadian Internet Registration Authority (CIRA), told the SecTor audience that now is the right time to test out DNSSEC. Ritchie noted that other countries and top-level domains are now testing it out and there is a lot of momentum in the global networking community for the effort.

According to Ritchie, the goal of the dot ca DNSSEC testbed is to get feedback on the process and the system ahead of a full scale deployment sometime in 2010.

The dot ca testbed is now in what Ritchie described as a 'friends and family' phase for all interested parties. Ritchie was hoping that those in the SecTor audience would be among the interested parties.

CIRA is using the services of DNSSEC vendor Xelerance in its testbed. Paul Wouters of Xelerance explained to attendees how both simple and complex it can be to actually get a dot ca domain ready for DNSSEC.

For users to enable their PCs and networks to accept DNSSEC secured domains, Wouters explained that all users need to do is to point to a DNSSEC activated DNS resolver. Wouters added that for the SecTor wireless network, such a DNS resolver was in place, meaning users were already benefiting from any DNSSEC protected domains.

For domain holders and DNS administrators, the process is a little more involved. Wouters said that with open source BIND DNS version 9.6 or higher, there are included tools to help users generate DNSSEC encryption keys.

Once a key has been generated, the user must visit the CIRA DNSSEC testbed site and manually activate the key on the dot ca servers.

While the process might seem straightforward, Wouters warned that there are risks.

"The problem with DNSSEC is if you make a mistake, your domain is gone," Wouters said. "So we've added a domain check procedure to make sure everything is okay." "

Source: Sean Michael Kerner, DNSSEC Deployment Heads North, October 7, 2009, from internetnews.com/security/article.php/3842711/DNSSEC+Deployment+Heads+North.htm

Tuesday, October 6, 2009

Labor Employs Secure64 DNS Signer Department-Wide to Meet OMB Mandate


"DENVER, Oct. 6 /PRNewswire/ -- Secure64 Software Corporation announced today that the U.S. Department of Labor has purchased the company's Secure64 DNS Signer product to meet the OMB DNSSEC implementation mandate and increase security of its Internet infrastructure, including DNS services. The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the correct operation of any Internet enabled device. The six figure contract was purchased on the SEWP government contract through Secure64 partner Alvarez & Associates, a leading IT systems integrator for the federal government.

Secure64 DNS Signer is a software product that fully automates Domain Name System Security Extensions (DNSSEC) key generation, key rollover, zone signing and re-signing processes. It reduces deployment and administration costs while eliminating errors that can cause domains to become unavailable. The software also scales to extremely large, dynamic environments by safely keeping DNSSEC signing keys online while providing incremental zone signing and extremely high signing performance.

DNSSEC adds a critically needed level of trust to the Internet by allowing users to know with certainty that their Internet-based communications such as web site visits, email correspondence and even SSL and VPN sessions actually connect to the parties they intend to reach. DNSSEC thwarts attacks such as pharming, cache poisoning and DNS redirection that have been used to commit fraud, distribute malware, or steal personal or confidential information. Due to its importance, the United States Office of Management and Budget issued an OMB mandate that all federal agencies must implement DNSSEC by December 2009.

For more information about DNSSEC, Secure64 DNS Signer and Secure64 DNS Authority, visit www.secure64.com."



Source: PR Newswire, Retrieved on October 6, 2009 from in.sys-con.com/node/1133287