Latest news of the domain name industry

Recent Posts

Afilias adds DNSSEC to .info zone

Kevin Murphy, September 9, 2010, Domain Tech

The .info domain has become the latest gTLD to be signed with DNSSEC, the security standard for domain name lookups.

Afilias, which runs the .info registry, said today that it has signed its zone and added the necessary records to the DNS root.

DNSSEC is designed to prevent cache poisoning attacks, which can be used to hijack domain names and carry out phishing campaigns.

For registrants, DNSSEC in .info doesn’t mean much in practical terms yet. If you have a .info, you’ll have to wait for registrars to start to support the standard.

At the moment, only 19 second-level .info domains, including afilias.info and comcast.info, have been signed, as part of a “friends and family” testbed program.

The .org zone, which Afilias also provides the back-end for, was signed in June.

Neustar added full DNSSEC support for .biz in August, according to an announcement this week.

For .com and .net, VeriSign is currently planning to roll out the technology in the first quarter of 2011.

Registrars “unprepared” for DNSSEC

Kevin Murphy, August 23, 2010, Domain Tech

Only one in 10 domain name registrars believes it is fully prepared to offer DNSSEC services today, according to new research out from Afilias, the .info registry.

The Registrar DNSSEC Readiness Report (pdf) also shows that a perceived lack of customer demand for the technology has translated into ambivalence at most registrars.

DNSSEC is a standard extension to DNS that helps prevent domain name hijacking through man-in-the-middle attacks.

The survey shows that 9.86% of registrars say they are “fully prepared” to offer DNSSEC to customers now, with 52.2% saying they were “somewhat” prepared. The remainder were not at all prepared.

A little over a quarter of respondents rated DNSSEC a “high” priority for the next 12 months, with less than 3% saying it was an “extremely high” priority.

Two of the biggest reasons for the lack of urgency were lack of customer demand – 59% of registrars said they saw no demand at all – and difficulties developing key management systems.

Despite this, when asked the question “Should TLD registries support DNSSEC?”, a whopping 80% responded in the affirmative.

I expect interest in the technology will pick up early next year, when VeriSign signs the .com zone.

The Afilias survey was conducted electronically earlier this month. The sample size was quite small, with only 71 respondents, and most of them were on the smaller side by domain count.

The report was released to coincide with Afilias’ launch of a broad effort to add DNSSEC support to all of the TLDs for which it provides registry services.

The company already offers the technology in .org, and that will now be extended to gTLDs including .info and ccTLDs such as .in. You can read the release at CircleID.

ICANN releases (censored) board briefing docs

Kevin Murphy, August 17, 2010, Domain Policy

ICANN has given an unprecedented glimpse into the workings of its board of directors, with the release of hundreds of pages of staff briefing papers.

But the documents are quite heavily redacted, particularly when it comes to some of the more controversial topics.

The documents show what ICANN staffers told the board in the run-up to the Nairobi and Brussels meetings, dealing with important decisions such as .xxx and internationalized domain names.

The Brussels decision to put .xxx back on the track to approval sees more than its fair share of blacked-out text, but the documents do show that ICANN general counsel John Jeffrey’s recommendations were pretty much in line with how the board eventually voted.

Other topics seeing redaction include the implementation of DNSSEC at the root, the activities of the Internet Governance Forum, and specific discussion of IDN ccTLD delegations.

Some topics are deemed so sensitive that even the titles of the pages have been blacked out. But in at least one case somebody apparently forgot to redact the title from the PDF’s internal bookmarks.

So we know, for example, that a section entitled “Chronological-History-ICM” is deemed entirely unpublishable, even though ICANN has previously published a document with pretty much the same title (pdf).

Browser makers brush me off on DNSSEC support

Kevin Murphy, July 29, 2010, Domain Tech

A couple of weeks back, I emailed PR folk at Microsoft, Mozilla, Google and Opera, asking if they had any plans to provide native support for DNSSEC in their browsers.

As DNS uber-hacker Dan Kaminsky and ICANN president Rod Beckstrom have been proselytizing this week at the Black Hat conference, support at the application layer is the next step if DNSSEC is to quickly gain widespread traction.

The idea is that one day the ability to validate DNSSEC messages will be supported by browsers in much the same way as SSL certificates are today, maybe by showing the user a green address bar.

CZ.NIC has already created a DNSSEC validator plugin for Firefox that does precisely that, but as far as I can tell there’s no native support for the standard in any browser.

These are the responses I received:

Mozilla: “Our team is heads down right now with Firefox 4 beta releases so unfortunately, I am not going to be able to get you an answer.”

Microsoft:
“At this stage, we’re focusing on the Internet Explorer 9 Platform Preview releases. The platform preview is a developer and designer scoped release of Internet Explorer 9, and is not feature complete, we will have more to share about Internet Explorer 9 in the future.”

Google: No reply.

Opera: No reply.

In 11 years of journalism, Apple’s PR team has never replied to any request for information or comment from me, so I didn’t bother even trying this time around.

But the responses from the other four tell us one of two things:

  • Browser makers haven’t started thinking about DNSSEC yet.

Or…

  • Their PR people were just trying to brush me off.

I sincerely hope it’s the former, otherwise this blog post has no value whatsoever.

ICANN chief to address hackers at Black Hat

Kevin Murphy, July 27, 2010, Domain Tech

Globe-trotting ICANN president Rod Beckstrom is heading to Vegas this week, to participate in a panel discussion on DNS security at the Black Hat conference at Caesar’s Palace.

He’ll be joined by Dan Kaminsky, discoverer of the notorious DNS vulnerability that bears his name, and is expected to sing the praises of the new DNSSEC security standard.

Also on tomorrow’s panel, entitled “Systemic DNS Vulnerabilities and Risk Management” are DNS inventor Paul Mockapetris, VeriSign CTO Ken Silva and NERC CSO Mark Weatherford.

ICANN and VeriSign recently signed the DNS root using DNSSEC standard. The challenge they face now is persuading everybody else in the world to jump on the bandwagon.

It’s likely to be slow going. DNSSEC has more than its fair share of skeptics, and even fierce proponents of the standard sometimes acknowledge that there’s not a heck of a lot in the way of a first mover advantage.

I’ll be interested to see if the subject of a DNS-CERT – a body to coordinate DNS security efforts – is raised either during the panel or the subsequent press conference.

From a policy point of view, DNSSEC is pretty much a done deal, whereas a DNS-CERT is still very much a matter for debate within the ICANN community.

I believe this is the first time ICANN has talked publicly at Black Hat. Beckstrom himself has taken the stage under his previous roles in government, but not as ICANN’s top dog.

Despite its name, Black Hat is a pretty corporate event nowadays. In my experience, the proper black/gray hats show up (or swap their lime green corporate polo shirts for Metallica T-shirts) at the weekend for Def Con, which is usually held at a cheaper venue around the corner.

ICANN to stream DNSSEC ceremony live

Kevin Murphy, July 10, 2010, Domain Tech

ICANN is to webcast the second of its root server DNSSEC key generation ceremonies, this coming Monday.

You’ll be able to find the stream here, from 2000 UTC, according to a message ICANN’s DNS director Joe Abley just sent to the DNS-Ops mailing list.

The ceremony, which will likely take several hours, takes place in El Segundo, California.

In it, staff will create the Key Signing Key used in cryptographically signing the very root of the DNS according to the DNSSEC standard.

The first such ceremony took place last month at a facility in Virginia. While it was recorded, as well as witnessed by several well-known security experts, it was not streamed live.

The full transition to a validatable DNSSEC-signed root is still scheduled for next Thursday, July 15.

Abley’s update is likely to be available here shortly.

ICANN creates DNSSEC root keys

Kevin Murphy, June 17, 2010, Domain Tech

ICANN took the penultimate step towards adding DNSSEC to the root of the domain name system, during in a lengthy ceremony in Virginia yesterday.

The move means we’re still on track to have the DNSSEC “trust anchor” go live in the root on July 15, which will make end-to-end validation of DNS answers feasible for the first time.

DNSSEC is an extension to the DNS protocol that enables resolvers to validate that the DNS answers they receive come from the true owner of the domain.

Yesterday, ICANN generated the Key Signing Key for the root zone. That’s one of two keys required when adding DNSSEC to a zone.

The KSK is used to sign the DNSKey record, the public half of a key pair used to validate DNS responses. It has a longer expiration date than the Zone Signing Key used to sign other records in the zone, so its security is more important.

The videotaped ceremony, held at a facility in Culpeper, Virginia, was expected to take six hours, due to a lengthy check-list of precautions designed to instil confidence in the security of the KSK.

ICANN said:

During the ceremony, participants were present within a secure facility and witnessed the preparations required to ensure that the so-called key-signing-key (KSK) was not only generated correctly, but that almost every aspect of the equipment, software and procedures associated with its generation were also verified to be correct and trustworthy.

Ten hand-picked independent observers were present to bear witness.

ICANN expects to perform the ceremony four times a year. The second will be held at a backup facility in California next month.

US government requests root DNSSEC go-ahead

Kevin Murphy, June 7, 2010, Domain Tech

The National Telecommunications and Information Administration, part of the US Department of Commerce, has formally announced its intent to allow the domain name system’s root servers to be digitally signed with DNSSEC.

Largely, I expect, a formality, a public comment period has been opened (pdf) that will run for two weeks, concluding on the first day of ICANN’s Brussels meeting.

NTIA said:

NTIA and NIST have reviewed the testing and evaluation report and conclude that DNSSEC is ready for the final stages of deployment at the authoritative root zone.

DNSSEC is a standard for signing DNS traffic using cryptographic keys, making it much more difficult to spoof domain names.

ICANN is expected to get the next stage of DNSSEC deployment underway next week, when it generates the first set of keys during a six-hour “ceremony” at a secure facility in Culpeper, Virginia.

The signed, validatable root zone is expected to go live July 15.

ICANN’s Draft Applicant Guidebook v4 – first reactions

Kevin Murphy, June 1, 2010, Domain Policy

As you probably already know, ICANN late yesterday released version 4 of its Draft Applicant Guidebook, the bible for new top-level domain registry wannabes.

Having spent some time today skimming through the novel-length tome, I can’t say I’ve spotted anything especially surprising in there.

IP interests and governments get more of the protections they asked for, a placeholder banning registries and registrars from owning each other makes its first appearance, and ICANN beefs up the text detailing the influence of public comment periods.

There are also clarifications on the kinds of background checks ICANN will run on applicants, and a modified fee structure that gets prospective registries into the system for $5,000.

DNSSEC, security extensions for the DNS protocol, also gets a firmer mandate, with ICANN now making it clearer that new TLDs will be expected to implement DNSSEC from launch.

It’s still early days, but a number of commentators have already given their early reactions.

Perennial first-off-the-block ICANN watcher George Kirikos quickly took issue with the fact that DAG v4 still does not include “hard price caps” for registrations

[The DAG] demonstrates once again that ICANN has no interests in protecting consumers, but is merely in cahoots with registrars and registries, acting against the interests of the public… registry operators would be open to charge $1000/yr per domain or $1 million/yr per domain, for example, to maximize their profits.

Andrew Allemann of Domain Name Wire reckons ICANN should impose a filter on its newly emphasised comment periods in order to reduce the number of form letters, such as those seen during the recent .xxx consultation.

I can’t say I agree. ICANN could save itself a few headaches but it would immediately open itself up to accusations of avoiding its openness and transparency commitments.

The Internet Governance Project’s Milton Mueller noted that the “Draconian” text banning the cross-ownership of registries and registrars is basically a way to force the GNSO to hammer out a consensus policy on the matter.

Everyone knows this is a silly policy. The reason this is being put forward is that the VI Working Group has not succeeded in coming up with a policy toward cross-ownership and vertical integration that most of the parties can agree on.

I basically agree. It’s been clear since Nairobi that this was the case, but I doubt anybody expected the working group to come to any consensus before the new DAG was drafted, so I wouldn’t really count its work as a failure just yet.

That said, the way it’s looking at the moment, with participants still squabbling about basic definitions and terms of reference, I doubt that a fully comprehensive consensus on vertical integration will emerge before Brussels.

Mueller lays the blame squarely with Afilias and Go Daddy for stalling these talks, so I’m guessing he’s basing his views on more information than is available on the public record.

Antony Van Couvering of prospective registry Minds + Machines has the most comprehensive commentary so far, touching on several issues raised by the new DAG.

He’s not happy about the VI issue either, but his review concludes with a generally ambivalent comment:

Overall, this version of the Draft Applicant Guidebook differs from the previous version by adding some incremental changes and extra back doors for fidgety governments and the IP interests who lobby them. None of the changes are unexpected or especially egregious.

DAG v4 is 312 pages long, 367 pages if you’re reading the redlined version. I expect it will take a few days before we see any more substantial critiques.

One thing is certain: Brussels is going to be fun.