Latest news of the domain name industry

Recent Posts

ICANN to stream DNSSEC ceremony live

Kevin Murphy, July 10, 2010, Domain Tech

ICANN is to webcast the second of its root server DNSSEC key generation ceremonies, this coming Monday.

You’ll be able to find the stream here, from 2000 UTC, according to a message ICANN’s DNS director Joe Abley just sent to the DNS-Ops mailing list.

The ceremony, which will likely take several hours, takes place in El Segundo, California.

In it, staff will create the Key Signing Key used in cryptographically signing the very root of the DNS according to the DNSSEC standard.

The first such ceremony took place last month at a facility in Virginia. While it was recorded, as well as witnessed by several well-known security experts, it was not streamed live.

The full transition to a validatable DNSSEC-signed root is still scheduled for next Thursday, July 15.

Abley’s update is likely to be available here shortly.

ICANN creates DNSSEC root keys

Kevin Murphy, June 17, 2010, Domain Tech

ICANN took the penultimate step towards adding DNSSEC to the root of the domain name system, during in a lengthy ceremony in Virginia yesterday.

The move means we’re still on track to have the DNSSEC “trust anchor” go live in the root on July 15, which will make end-to-end validation of DNS answers feasible for the first time.

DNSSEC is an extension to the DNS protocol that enables resolvers to validate that the DNS answers they receive come from the true owner of the domain.

Yesterday, ICANN generated the Key Signing Key for the root zone. That’s one of two keys required when adding DNSSEC to a zone.

The KSK is used to sign the DNSKey record, the public half of a key pair used to validate DNS responses. It has a longer expiration date than the Zone Signing Key used to sign other records in the zone, so its security is more important.

The videotaped ceremony, held at a facility in Culpeper, Virginia, was expected to take six hours, due to a lengthy check-list of precautions designed to instil confidence in the security of the KSK.

ICANN said:

During the ceremony, participants were present within a secure facility and witnessed the preparations required to ensure that the so-called key-signing-key (KSK) was not only generated correctly, but that almost every aspect of the equipment, software and procedures associated with its generation were also verified to be correct and trustworthy.

Ten hand-picked independent observers were present to bear witness.

ICANN expects to perform the ceremony four times a year. The second will be held at a backup facility in California next month.

ICANN staff need to get their pee tested

Kevin Murphy, June 8, 2010, Domain Tech

I imagine it’s a pretty hard job, largely thankless, working at ICANN. No matter what you do, there’s always somebody on the internet bitching at you for one reason or another.

The job may be about to get even more irksome for some staffers, if ICANN decides to implement new security recommendations made by risk management firm JAS Communications.

In a report published yesterday, JAS suggests that senior IANA staff – basically anyone with critical responsibilities over the DNS root zone – should be made to agree to personal credit checks, drug screening and even psych evaluations.

To anyone now trying to shake mental images of Rod Beckstrom peeing into a cup for the sake of the internet, I can only apologise.

This is what the report says:

JAS recommends a formal program to vet potential new hires, and to periodically re‐vet employees over time. Such a vetting program would include screening for illegal drugs, evaluation of consumer credit, and psychiatric evaluation, which are all established risk factors for unreliable and/or malicious insider activity and are routinely a part of employee screening in government and critical infrastructure providers.

I’ve gone for the cheap headline here, obviously, but there’s plenty in this report to take seriously, if you can penetrate the management consultant yadda yadda.

There are eight other recommendations not related to stoners running the root, covering contingencies such as IANA accidentally unplugging the internet and Los Angeles sinking into the Pacific.

Probably most interesting of all is the bit explaining how ICANN’s custom Root Zone Management System software, intended to reduce the possibility of errors creeping into the root after hundreds of new TLDs are added, apparently isn’t being built with security in mind.

“No formal requirements exist regarding the security and resiliency of these systems, making it impossible to know whether the system has been built to specification,” the report says.

It also notes that ICANN lacks a proper risk management strategy, and suggests that it improve communications both internally and with VeriSign.

It discloses that “nearly all critical resources are physically located in the greater Los Angeles area”, which puts the IANA function at risk of earthquake damage, if nothing else.

JAS recommends spreading the risk geographically, which should give those opposed to ICANN bloat something new to moan about.

There’s a public comment forum over here.

UPDATE (2010-06-13): As Michael Palage points out over at CircleID, ICANN has pulled the PDF from its web site for reasons unknown.

On the off-chance that there’s a good security reason for this, I shall resist the temptation to cause mischief by uploading it here. This post, however, remains unedited.

US government requests root DNSSEC go-ahead

Kevin Murphy, June 7, 2010, Domain Tech

The National Telecommunications and Information Administration, part of the US Department of Commerce, has formally announced its intent to allow the domain name system’s root servers to be digitally signed with DNSSEC.

Largely, I expect, a formality, a public comment period has been opened (pdf) that will run for two weeks, concluding on the first day of ICANN’s Brussels meeting.

NTIA said:

NTIA and NIST have reviewed the testing and evaluation report and conclude that DNSSEC is ready for the final stages of deployment at the authoritative root zone.

DNSSEC is a standard for signing DNS traffic using cryptographic keys, making it much more difficult to spoof domain names.

ICANN is expected to get the next stage of DNSSEC deployment underway next week, when it generates the first set of keys during a six-hour “ceremony” at a secure facility in Culpeper, Virginia.

The signed, validatable root zone is expected to go live July 15.

Symantec gets into the DNS game with Dyn

Kevin Murphy, May 27, 2010, Domain Tech

Symantec has partnered with Dyn to offer a free DNS service to mobile Norton users.

As part of its new mobile strategy, expected to be announced later today, Symantec will provide free DNS resolution with a built-in filter that blocks potentially dangerous domains.

Dyn.com will provide the back-end, which will compete with the likes of OpenDNS and Google’s DNS service.

Non-technical users will be able to download a client application that configures their local DNS to work with the service, which drops one barrier to entry.

Symantec reportedly expects to earn revenue from advertising links – presumably by intercepting NXDOMAIN responses and providing sponsored error pages.

So the deal could be a bit of a money-spinner for Dyn; it’s certainly a further validation of its service.

But is it sexy? Hmm…