News on DNSSEC.<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername"><a href="mailto:news-editor@dnssec-deployment.org">news-editor@dnssec-deployment.org</a></b> <span dir="ltr"><<a href="mailto:news-editor@dnssec-deployment.org">news-editor@dnssec-deployment.org</a>></span><br>
Date: Fri, May 1, 2009 at 10:41 PM<br>Subject: DNSSEC This Month, May 1, 2009, Volume 4, No.5: Thailand's Top Level Domain becomes the first signed ccTLD in Asia, Swiss plan DNSSEC trial, IETF announces new DNSSEC-related Internet draft, and more!<br>
To: DNSSEC This Month <<a href="mailto:news@dnssec-deployment.org">news@dnssec-deployment.org</a>><br><br><br>DNSSEC This Month<br>
ISSN 1932-6564<br>
May 1, 2009<br>
Volume 4, Number 5<br>
<br>
<br>
Welcome to the May 2009 edition of DNSSEC THIS MONTH, a monthly newsletter about advances in securing the Internet's naming infrastructure in the government, business and education sectors. The DNS Security Extensions (DNSSEC) Deployment Coordination Initiative, which produces this newsletter, is part of a global effort to deploy new security measures that will help the DNS perform as people expect it to -- in a trustworthy manner. This newsletter will offer updates on progress of early adopters and advances in DNS security extension development. For more information on progress toward DNSSEC deployment, read the initiative roadmap at <<a href="http://www.dnssec-deployment.org/technology/roadmap.htm" target="_blank">http://www.dnssec-deployment.org/technology/roadmap.htm</a>.><br>
<br>
The U.S. Department of Homeland Security Science and Technology Directorate provides support for coordination of the Initiative.<br>
<br>
To subscribe, please send a message to <<a href="mailto:news-subscribe@dnssec-deployment.org" target="_blank">news-subscribe@dnssec-deployment.org</a>><br>
<br>
To unsubscribe, please send a message to <<a href="mailto:news-unsubscribe@dnssec-deployment.org" target="_blank">news-unsubscribe@dnssec-deployment.org</a>><br>
<br>
For more information, go to <<a href="http://www.dnssec-deployment.org/news/dnssecthismonth" target="_blank">http://www.dnssec-deployment.org/news/dnssecthismonth</a>><br>
<br>
<br>
As of April 30, the SecSpider monitoring site showed 4428 DNSSEC enabled zones using both KSKs and ZSKs.<br>
<br>
<br>
Editor: Denise Graveline<br>
<br>
Contact: <<a href="mailto:news-editor@dnssec-deployment.org" target="_blank">news-editor@dnssec-deployment.org</a>><br>
<br>
<br>
Thailand's Top Level Domain becomes the first signed ccTLD in Asia: On March 30, 2009 .TH became a signed zone and the first signed ccTLD in Asia. Pensri Arunwatanamongkol, Technical contact for the Thai Network Information Center, which manages .TH, thanked NSRC (Network Startup Resource Center, <<a href="http://www.nsrc.org/" target="_blank">http://www.nsrc.org/</a>>), .SE (<<a href="http://www.iis.se/en/" target="_blank">http://www.iis.se/en/</a>>), NLnet Labs (<<a href="http://www.nlnetlabs.nl/" target="_blank">http://www.nlnetlabs.nl/</a>>), and Internet Systems Consortium (ISC, <<a href="http://www.isc.org" target="_blank">www.isc.org</a>>) for their help and support. The DS record corresponding to the KSK for .TH is stored in IANA's Interim Trust Anchor Repository (ITAR, <<a href="http://itar.iana.org" target="_blank">http://itar.iana.org</a>>).<br>
<br>
Swiss plan DNSSEC trial: SWITCH (<<a href="http://www.switch.ch" target="_blank">http://www.switch.ch</a>>), which provides the nonprofit support for Swiss university networks, is planning a DNSSEC trial in dot-CH in August or September 2009, with the goal of officially introducing DNSSEC in February 2010. The group is inviting interested parties to participate, including the Swiss Network Operators Group, operators of sensitive websites (such as banks, media companies and more); hosting providers that sell DNS services; ISPs hosting recursive DNS resolvers; and partners of SWITCH that will offer DNSSEC as registrars. An initial meeting will be convened at the end of May. Find the details at <<a href="http://www.mrmouse.ch/swinog-rss/index.php?itemId=4774" target="_blank">http://www.mrmouse.ch/swinog-rss/index.php?itemId=4774</a>> or contact them at <dnssec@switch.ch>.<br>
<br>
IETF announces new DNSSEC-related Internet draft: A new Internet draft has been issued on how to produce GOST signature and hash algorithms DNSKEY and RRSIG resource records for use in the Domain Name System Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035). For more information and links go to <<a href="http://www.spinics.net/lists/ietf-ann/msg45797.html" target="_blank">http://www.spinics.net/lists/ietf-ann/msg45797.html</a>>.<br>
<br>
APWG convenes DNSSEC panel: The Anti-Phishing Working Group convened a panel at its meeting during the RSA Conference in San Francisco April 22 (<<a href="http://dnsseccoalition.org/website/?m=20090422" target="_blank">http://dnsseccoalition.org/website/?m=20090422</a>>), featuring speakers from Secure64; dot-ORG, The Public Interest Registry; Afilias Limited; and Shinkuro. The RSA Conference also included sessions on DNS cache poisoning and DNSSEC deployment (<<a href="http://www.rsaconference.com/2009/us/index.htm" target="_blank">http://www.rsaconference.com/2009/us/index.htm</a>>).<br>
<br>
Secure64 CTO interviewed on DNSSEC: In a SANS Institute ‘security thought leader’ interview, Secure64 Chief Technology Officer Bill Worley said of DNSSEC, “Once we can implement this globally…SSL actually becomes trustworthy.” Worley, whose company has issued DNSSEC key management and zone signing software, called DNS Signer, discusses why DNSSEC interests him as well as broader security topics. Read the full interview here: <<a href="http://www.sans.org/thought-leaders/worley_thoughtleader" target="_blank">http://www.sans.org/thought-leaders/worley_thoughtleader</a>>.<br>
<br>
NIST DNSSEC deployment described: Government Computer News issued two articles describing efforts at the U.S. National Institute of Standards and Technology to deploy DNSSEC across the dot-GOV domain. “How NIST put DNSSEC into play” looks at NIST’s efforts to deploy DNSSEC at its agency for a full year before government-wide deployment (read the full article at <<a href="http://gcn.com/Articles/2009/04/06/NIST-DNSsec-in-play.aspx" target="_blank">http://gcn.com/Articles/2009/04/06/NIST-DNSsec-in-play.aspx</a>>) and “Walk, don’t run, to DNSSEC deployment” (at <<a href="http://gcn.com/articles/2009/04/06/nist-dnssec-lessons.aspx" target="_blank">http://gcn.com/articles/2009/04/06/nist-dnssec-lessons.aspx</a>>) offers steps to take when preparing for DNSSEC deployment.<br>
<br>
RFCs turn 40: Initiative partner and Shinkuro CEO Steve Crocker reflects on the 40th anniversary of Requests for Comments in “How the Internet Got Its Rules,” an opinion article that appeared in the New York Times April 7. Read the article here (<<a href="http://www.nytimes.com/2009/04/07/opinion/07crocker.html?_r=1&emc=eta1" target="_blank">http://www.nytimes.com/2009/04/07/opinion/07crocker.html?_r=1&emc=eta1</a>>) and see the list of DNSSEC-related RFCs here: <<a href="http://www.ietf.org/html.charters/dnsext-charter.html" target="_blank">http://www.ietf.org/html.charters/dnsext-charter.html</a>>.<br>
<br>
.GOV NSEC3 DNSSEC Key added to DLV Tree: The DNS-OARC has announced that the SEP key for the .GOV TLD will be re-inserted into the DLV. The .GOV TLD was removed from the DLV when it was discovered that the presence of a NSEC3 KSK in the DLV was causing validation errors in some clients. Validators that fail when encountering an NSEC3 signed zone need to be upgraded to a validating resolver that understands NSEC3 responses. See <<a href="https://www.dns-oarc.net/oarc/services/dlvtest" target="_blank">https://www.dns-oarc.net/oarc/services/dlvtest</a>> for more information on the DLV NSEC3 test zone and NSEC3 SEP key information in the DLV.<br>
<br>
Workshops help networks, organizations deploy DNSSEC: While the protocols needed to add additional security to DNS queries and responses exist, network administrators and organizational leaders in all sectors need to accept DNSSEC and put it to use. Here’s a roundup of speakers and sessions that may help you work through deployment:<br>
<br>
RIPE 58 in Amsterdam: RIPE convenes its next meeting in Amsterdam, May 4-8, including these DNSSEC-related sessions: DNSSEC PMTU Observations from UCLA’s Eric Osterweil will be one of the plenary topics, and Shinkuro’s Olafur Gudmundsson will give an overview of DNSSEC Trust Anchor options on May 5. Go here to register and for more information: <<a href="http://www.ripe.net/ripe/meetings/ripe-58/index.html" target="_blank">http://www.ripe.net/ripe/meetings/ripe-58/index.html</a>>.<br>
<br>
OARC workshop also in Amsterdam: The DNS Operations, Analysis, and Research Center (DNS-OARC) will hold its first workshop of 2009 in Amsterdam, following the RIPE meeting. Olafur Gudmundsson of Shinkuro will discuss “Transferring DNSSEC Signed Domains” and will join a panel on DNSSEC Trust Anchor Repositories on Saturday, May 8. Go here for registration and program details: <<a href="https://www.dns-oarc.net/oarc/workshop-200905" target="_blank">https://www.dns-oarc.net/oarc/workshop-200905</a>>.<br>
<br>
FISC 2009 in Colorado Springs: The Federal Information Security Conference (FISC 2009) meeting (June 3-4) will have a DNSSEC session featuring government and industry speakers. For more information, Go to <<a href="http://www.fbcinc.com/fisc" target="_blank">http://www.fbcinc.com/fisc</a>>.<br>
<br>
ICANN to Sydney in June: ICANN’s Sydney meeting is slated for June 21-26, with a DNSSEC workshop on the program June 24. Go here for general program information (<<a href="http://syd.icann.org/" target="_blank">http://syd.icann.org/</a>>) and here for DNSSEC workshop details (<<a href="http://syd.icann.org/node/3791" target="_blank">http://syd.icann.org/node/3791</a>>).<br>
<br>
IETF to Stockholm in July: IETF meets July 26-31 in Stockholm. Find the program and registration information at <<a href="http://www.ietf.org/meetings/meetings.html" target="_blank">http://www.ietf.org/meetings/meetings.html</a>>.<br>
<br>
<br>
<br>
<br>
<br>
DNSSEC This Month,<br>
Vol. 4, No. 5, May 1, 2009<br>
ISSN 1932-6564<br>
<br>
#############################################################<br>
This message is sent to you because you are subscribed to<br>
the mailing list <<a href="mailto:news@dnssec-deployment.org" target="_blank">news@dnssec-deployment.org</a>>.<br>
To unsubscribe, E-mail to: <<a href="mailto:news-unsubscribe@dnssec-deployment.org" target="_blank">news-unsubscribe@dnssec-deployment.org</a>><br>
Send administrative queries to <<a href="mailto:news-request@dnssec-deployment.org" target="_blank">news-request@dnssec-deployment.org</a>><br>
<br>
</div><br><br clear="all"><br>-- <br>Anne-Rachel Inne<br>