DNSSEC Blog


Friday, January 22, 2010

80% of government Web sites miss DNS security deadline

Most U.S. federal agencies -- including the Department of Homeland Security -- have failed to comply with a Dec. 31, 2009, deadline to deploy new authentication mechanisms on their Web sites that would prevent hackers from hijacking Web traffic and redirecting it to bogus sites.

Agencies were required to roll out an extra layer of security on their .gov Web sites under an Office of Management and Budget mandate issued in August 2008, although at least one expert calls that yearend deadline "a little aggressive."

Aggressive or not, independent monitoring indicates that only 20% of agencies show signs of deploying this new security mechanism, which is called DNS Security Extensions, or DNSSEC for short.

Source: Carolyn Duffy Marsan, IDG News Service, Retrieved on January 21, 2009 from

Thursday, January 14, 2010


Information about DNSSEC for the Root Zone

This website contains announcements, releases and other pertinent information about the deployment of DNSSEC for the root zone.

DNSSEC for the root zone is a joint effort between ICANN and VeriSign, with support from the U.S. Department of Commerce.

Planned High Level Timeline

* December 1, 2009: Root zone signed for internal use by VeriSign and ICANN. ICANN and VeriSign exercise interaction protocols for signing the ZSK with the KSK.
* January, 2010: The first root server begins serving the signed root in the form of the DURZ (deliberately unvalidatable root zone). The DURZ contains unusable keys in place of the root KSK and ZSK to prevent these keys being used for validation.
* Early May, 2010: All root servers are now serving the DURZ. The effects of the larger responses from the signed root, if any, would now be encountered.
* May and June, 2010: The deployment results are studied and a final decision to deploy DNSSEC in the root zone is made.
* July 1, 2010: ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys. The signed root zone is available.

Please note that this timeline is tentative and subject to change based on testing results or other unforeseen factors.

Get more info at

Monday, January 11, 2010

Deploying and Monitoring DNS Security (DNSSEC)

"Abstract—SecSpider is a DNSSEC monitoring system that helps identify operational errors in the DNSSEC deployment and discover unforeseen obstacles. It collects, verifies, and publishes the DNSSEC keys for DNSSEC-enabled zones, which enables operators of both authoritative zones and recursive resolvers to deploy DNSSEC immediately, and benefit from its cryptographic protections. In this paper we present the design and implementation of SecSpider as well as several general lessons that stem from its design and implementation."

Paper: Deploying and Monitoring DNS Security (DNSSEC) (PDF)

We Are Speaking on DNSSEC @ RSA 2010 - Save $200 on Registration With Coupon

Want $200 off your RSA 2010 Conference registration? Enter the following discount code: PRMSO3616GBJ (5 left)