2012-09-28

Revision as of 18:47, 28 September 2012

(3 intermediate revisions by one user not shown)

Line 25:

Line 25:

The DNSSEC mechanism of authentication of communication between hosts is fulfilled by means of [[TSIG]]. More specifically, the [[TSIG]] is used to securely authenticate the transactions between the name servers and the resolver. The DNSSEC mechanism of establishing authenticity and data integrity is achieved by means of: new RRs, signing a single zone, building a trust chain and by means of [[key rollers]] or [[key exchange]].

The DNSSEC mechanism of authentication of communication between hosts is fulfilled by means of [[TSIG]]. More specifically, the [[TSIG]] is used to securely authenticate the transactions between the name servers and the resolver. The DNSSEC mechanism of establishing authenticity and data integrity is achieved by means of: new RRs, signing a single zone, building a trust chain and by means of [[key rollers]] or [[key exchange]].

+

+

===DNSSEC Deployment Statistics===

+

Based on ICANN's TLD DNSSEC Report, 95 TLDs out of the 313 TLDs in the DNS root zone were already signed with the DNSSEC protocol while 86 TLDs have trust anchors published in the root zone, which means they are DNSSEC compatible.
[http://stats.research.icann.org/dns/tld_report/ TLD DNSSEC Report (2012-05-03)]

==DNSSEC and ICANN==

==DNSSEC and ICANN==

[[ICANN]] is one of four entities that is a part of the DNSSEC process, it is responsible for receiving and inspecting the information from the [[TLD]] operators. These actions are perfomed in conjunction with:

[[ICANN]] is one of four entities that is a part of the DNSSEC process, it is responsible for receiving and inspecting the information from the [[TLD]] operators. These actions are perfomed in conjunction with:



*
[[NTIA|The National Telecommunications and Information Administration]] (NTIA), which is a division of the U.S. [[DOC|Department of Commerce]],  and is responsible for authorizing changes to the [[Root Zone|root zone]].

+

#
[[NTIA|The National Telecommunications and Information Administration]] (NTIA), which is a division of the U.S. [[DOC|Department of Commerce]],  and is responsible for authorizing changes to the [[Root Zone|root zone]].



*
[[Verisign]], which is contracted by the U.S. government to edit the root zone with the information supplied and authenticated by [[ICANN]], which is subsequently  authorized by the Department of Commerce, and also to distribute the root zone file containing information on where to find info on [[TLD]]s

+

#
[[Verisign]], which is contracted by the U.S. government to edit the root zone with the information supplied and authenticated by [[ICANN]], which is subsequently  authorized by the Department of Commerce, and also to distribute the root zone file containing information on where to find info on [[TLD]]s



*
An international group of [[Root Service Operators]]
then
distributes root information from the root zone file across the Internet. Those groups are:

+

#
An international group of [[Root Service Operators]]
that
distributes root information from the root zone file across the Internet. Those groups are:



#
[[Verisign]] Global Registry Services

+

*
[[Verisign]] Global Registry Services



#
[[Information Sciences Institute]] at USC

+

*
[[Information Sciences Institute]] at USC



#
[[Cogent Communications]]

+

*
[[Cogent Communications]]



#
[[University of Maryland]]

+

*
[[University of Maryland]]



#
[[NASA Ames Research Center]]

+

*
[[NASA Ames Research Center]]



#
[[Internet Systems Consortium Inc.]]

+

*
[[Internet Systems Consortium Inc.]]



#
U.S. [[DOD Network Information Center]]

+

*
U.S. [[DOD Network Information Center]]



#
[[U.S. Army Research Lab]]

+

*
[[U.S. Army Research Lab]]



#
[[Autonomica/NORDUnet]], Sweden

+

*
[[Autonomica/NORDUnet]], Sweden



#
[[RIPE NCC]], Netherlands

+

*
[[RIPE NCC]], Netherlands



#
[[ICANN]]

+

*
[[ICANN]]



#
[[WIDE Project]], Japan
[http://www.icann.org/en/announcements/dnssec-qaa-09oct08-en.htm ICANN explains DNSSEC]

+

*
[[WIDE Project]], Japan
[http://www.icann.org/en/announcements/dnssec-qaa-09oct08-en.htm ICANN explains DNSSEC]

On January 27th, 2007 deployment of DNSSEC for the root zone officially started; it was undertaken by [[ICANN]] and [[Verisign]], with support from the U.S. Department of Commerce.
[http://www.circleid.com/posts/20100127_icann_begins_public_dnssec_test_plan_for_the_root_zone/ Circle ID]
Details of the root signature can be found on the [http://www.root-dnssec.org/ Root DNSSEC's website].

On January 27th, 2007 deployment of DNSSEC for the root zone officially started; it was undertaken by [[ICANN]] and [[Verisign]], with support from the U.S. Department of Commerce.
[http://www.circleid.com/posts/20100127_icann_begins_public_dnssec_test_plan_for_the_root_zone/ Circle ID]
Details of the root signature can be found on the [http://www.root-dnssec.org/ Root DNSSEC's website].
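Review bot: the marker swap in this hunk ("*" to "#" for the four entities, "#" to "*" for the root server operator entries) breaks the list nesting: in MediaWiki markup a line that starts with "*" directly after a "#" item opens a separate bullet list instead of a sub-list of the third numbered item, so the operator entries should start with "#*" to render as bullets under "An international group of [[Root Service Operators]] that distributes root information ...". Two smaller points in the same region: the new "===DNSSEC Deployment Statistics===" subsection sits one level below the surrounding "==" headings and is placed right after the TSIG/mechanism paragraph, so it ends up inside whichever "==" section precedes Line 25 rather than beside "==DNSSEC and ICANN=="; and the unchanged sentence "On January 27th, 2007 deployment of DNSSEC for the root zone officially started" conflicts with the year in the cited Circle ID URL path ("20100127_icann_begins_public_dnssec_test_plan_..."), so the date should be verified. The typo "perfomed" in "These actions are perfomed in conjunction with" is also carried over unchanged.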

Line 50:

Line 53:

At the [[ICANN]] meeting in Brussels later that month there was an overwhelming response from companies who had implemented, or were supporting the new protocol.
[http://www.securityweek.com/dnssec-becomes-reality-today-icann-brussels Security Week]

At the [[ICANN]] meeting in Brussels later that month there was an overwhelming response from companies who had implemented, or were supporting the new protocol.
[http://www.securityweek.com/dnssec-becomes-reality-today-icann-brussels Security Week]



During the [[ICANN 43]] meeting in Costa Rica, a half-day was devoted to DNSSEC discussion. [[Ram Mohan]], Executive Vice President of Business Operations and Chief Technology Officer at [[Afilias]], wrote in his blog that "the industry is quickly moving into the end-user adoption phase of global DNSSEC deployment." His statement was based on his assessment during the DNSSEC session in Costa Rica. He cited the [[.se]] ccTLD as example wherein Staffan Hagnel, a pioneer ccTLd operator in Sweden, said that 172,000 domain names adopted DNSSEC overnight after his offering 5% discount to registrars. He plans to increase the discount to 7.5% to reach  350,000 domain names by the end of 2012. During the discussion, the ICANN community also learned about the experiences of
the
companies implementing the DNSSEC protocol. Comcast noted that consumers do not have enough knowledge about DNSSEC while Bill Smith, representative from PayPal said that it took the company a lot of planning and preparation to deploy the DNSSEC across its 1,100 domain names. He perceived that the next challenge is to create an effective key rollover strategy.
[http://www.circleid.com/posts/20120405_slowly_cracking_the_dnssec_code_at_icann_43/ Slowly Cracking the DNSSEC Code at ICANN 43]

+

During the [[ICANN 43]] meeting in Costa Rica, a half-day was devoted to DNSSEC discussion. [[Ram Mohan]], Executive Vice President of Business Operations and Chief Technology Officer at [[Afilias]], wrote in his blog that "the industry is quickly moving into the end-user adoption phase of global DNSSEC deployment." His statement was based on his assessment during the DNSSEC session in Costa Rica. He cited the [[.se]] ccTLD as example wherein
[[
Staffan Hagnel
]]
, a pioneer ccTLd operator in Sweden, said that 172,000 domain names adopted DNSSEC overnight after his offering
a
5% discount to registrars. He plans to increase the discount to 7.5% to reach  350,000 domain names by the end of 2012. During the discussion, the ICANN community also learned about the experiences of companies implementing the DNSSEC protocol. Comcast noted that consumers do not have enough knowledge about DNSSEC
,
while Bill Smith,
a
representative from PayPal
,
said that it took the company a lot of planning and preparation to deploy the DNSSEC across its 1,100 domain names. He perceived that the next challenge is to create an effective key rollover strategy.
[http://www.circleid.com/posts/20120405_slowly_cracking_the_dnssec_code_at_icann_43/ Slowly Cracking the DNSSEC Code at ICANN 43]

==DNSSEC Difficulties==

==DNSSEC Difficulties==



It is critically important to secure the DNS for ensuring overall Internet protection, but when it comes to the deployment of DNSSEC the following difficulties
are
encountered:

+

It is critically important to secure the DNS for ensuring overall Internet protection, but when it comes to the deployment of DNSSEC the following difficulties
may be
encountered:

# Developing backward-compatible system and standards

# Developing backward-compatible system and standards



# Logistical problems as a result of the addition of encryption keys to all Internet lookups
:
requires
solution
for updating the encryption keys without damaging the name servers.

+

# Logistical problems as a result of the addition of encryption keys to all Internet lookups
, which
requires
solutions
for updating the encryption keys without damaging the name servers.



# International conflicts
which
arise from the implementation of DNSSEC, renewing the debates related to "control over the Internet".

+

# International conflicts
that
arise from the implementation of DNSSEC, renewing the debates related to "control over the Internet".

# Conflicts among implementers related to ownership issues of the root encryption keys

# Conflicts among implementers related to ownership issues of the root encryption keys

===NASA DNSSEC Error===

===NASA DNSSEC Error===



On January 18, 2012, the National Aeronautics and Space Administration (NASA) erroneously signed the DNSSEC protocol on its domain name nasa.gov, which caused [[Comcast]] to automatically block users from accessing the site. Many thought that blocking the NASA website was a Comcast strategy to express its protest against the [[SOPA]]/[[PIPA]] legislation because the DNSSEC signing error
was coincidental
with the Blackout Protest. According to Jason Livingood, vice president of Internet Systems Engineering for Comcast Cable Communications, the problem was caused by a domain signing error. The Comcast DNS resolver detected that the security signatures used by the administrator of the nasa.gov domain were invalid. He also said the several .gov domain names experienced the same problem.
[http://www.darkreading.com/authentication/167901072/security/application-security/232500483/dnssec-error-caused-nasa-website-to-be-blocked.html DNSSEC Error Caused NASA Website To Be Blocked]

+

On January 18, 2012, the
U.S.
National Aeronautics and Space Administration (NASA) erroneously signed the DNSSEC protocol on its domain name nasa.gov, which caused [[Comcast]] to automatically block users from accessing the site. Many thought that blocking the NASA website was a Comcast strategy to express its protest against the [[SOPA]]/[[PIPA]] legislation because the DNSSEC signing error
coincided
with the Blackout Protest. According to Jason Livingood, vice president of Internet Systems Engineering for Comcast Cable Communications, the problem was caused by a domain signing error. The Comcast DNS resolver detected that the security signatures used by the administrator of the nasa.gov domain were invalid. He also said the several .gov domain names experienced the same problem.
[http://www.darkreading.com/authentication/167901072/security/application-security/232500483/dnssec-error-caused-nasa-website-to-be-blocked.html DNSSEC Error Caused NASA Website To Be Blocked]



Comcast was one of the earliest [[ISP]] service providers in North America to fully integrate the new security protocol. The company completed its DNSSEC deployment on January 10, 2012. In a statement, Livingwood confirmed that the company's 17.8 million residential customers of Xfinity Internet Service are fully supported with DNSSEC-validating DNS servers.
[http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html Comcast Completes DNSSEC Deployment]

+

Comcast was one of the earliest [[ISP]] service providers in North America to fully integrate the new security protocol. The company completed its DNSSEC deployment on January 10, 2012. In a statement,
Mr.
Livingwood confirmed that the company's 17.8 million residential customers of Xfinity Internet Service are fully supported with DNSSEC-validating DNS servers.
[http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html Comcast Completes DNSSEC Deployment]



A detailed report of the NASA DNSSEC signing error is available [http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf '''here''']

+

A detailed report of the NASA DNSSEC signing error is available [http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf '''here'''].



+



==DNSSEC Deployment Statistics==

+



Based on ICANN's TLD DNSSEC Report, 95 TLDs out of the 313 TLDs in the DNS root zone were already signed with the DNSSEC protocol while 86 TLDs have trust anchors published in the root zone, which means they are DNSSEC compatible
.

[http://stats.research.icann.org/dns/tld_report/ TLD DNSSEC Report (2012-05-03)]

+

==DNSSEC Standards==

==DNSSEC Standards==
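Review bot: the "==DNSSEC Deployment Statistics==" section added at the end of this hunk repeats, word for word, the "===DNSSEC Deployment Statistics===" subsection added in the Line 25 hunk (same sentence, same "TLD DNSSEC Report (2012-05-03)" citation); keep a single copy, and keep its trailing period attached to the sentence rather than on a line of its own as in this second copy. In the NASA paragraph, the added "Mr. Livingwood" spreads a spelling that disagrees with "Jason Livingood" in the preceding paragraph, and "erroneously signed the DNSSEC protocol on its domain name nasa.gov" misdescribes the event that the same paragraph then correctly calls "a domain signing error" whose signatures the Comcast resolver found invalid; "He also said the several .gov domain names experienced the same problem" should drop "the". In the ICANN 43 paragraph, "ccTLd" should read "ccTLD" to match "[[.se]] ccTLD" earlier in the same sentence.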
