This SIG (Special Interest Group) is intended as a collaborative forum for the research and education community to share information and support each other in deploying DNSSEC, the Domain Name System Security Extensions.
NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.
Co-Chairs
- Shumon Huque, University of Pennsylvania
- Michael Sinatra, University of California, Berkeley
Participation
- To subscribe to the e-mail list, send an e-mail to <pubsympa AT internet2.edu> with the following message in the subject:
- subscribe DNSSEC FirstName LastName
- To set a watch on this wiki space, to be notified of changes at the e-mail address in your profile, use the menu at the top of this page:
- Browse => Advanced => Start watching this space (under Subscribe in the left nav)
- To edit the e-mail address in your profile, use the menu at the top of this page:
- [UserName] => Preferences => Edit Profile (tab)
.edu Production DNSSEC-enabled Zones
Information obtained from SecSpider - the DNSSEC Monitoring Project as of 8-June-2011
.edu DNS domain statistics
A compilation of DNS capabilities of a selected set of EDU institutional domain names (specifically most of the organizations that are members of Internet2). The data displayed on this page are currently updated once per day.
Upcoming Events of Interest
- Spring 2012 Internet2 Member Meeting, April 22-25, 2012, Arlington, VA
Past Events of Interest
- DNS and DNSSEC Tutorial, PICC 12 Conference, May 12th 2012, New Brunswick, NJ
- DNSSEC workshop at FOSE, April 3, 2012, Washington DC
- (Scroll down past the photos to get to the actual agenda.) Cost is $45.
- ICANN DNSSEC Workshop, March 14, 2012, San Jose, Costa Rica
- Securing and Trusting Internet Names, SATIN 2012, March 22-23, 2012, Teddington, UK
- ICANN DNSSEC Workshop 26 October 2011
- Winter 2011 ESCC/Internet2 Joint Techs
January 30 - February 3, 2011
- Higher Education Experiences with DNSSEC Signing
Fall 2010 Internet2 Member Meeting, November 3, 2010
- ICANN DNSSEC Workshop
Brussels, June 23, 2010
- EDUCAUSE Security Professionals Conference: The Shifting Landscape: Changing Mind-Sets
April 12-14, 2010, Atlanta, GA
  - Securing DNS: Doing DNS as if DNS Actually Mattered (Preconference Seminar), April 12, 1:00 - 4:30 p.m. ET
  Joseph E. St Sauver, Security Programs Manager, Internet2, University of Oregon
- Internet2 Spring Member Meeting
April 26-28, 2010, Arlington VA
  - DNSSEC Panel, April 27, 8:45-10:00 AM ET
- TERENA Networking Conference 2010
May 31-June 3, 2010, Vilnius, Lithuania
  - DNSSEC Workshop, June 3, 2010, 12:30 - 17:30 (GMT+3)
  - Slides and presentations
- DNSSEC Workshop at the ICANN Meeting in Nairobi, Kenya (presentations and transcript available)
Wednesday, March 10, 2010
- NANOG48
February 24, 2010, Austin, TX
- TF-Mobility
February 18, 2010, Vienna, Austria
  - DNSSEC update (pdf)
  Roland van Rijswijk, SURFnet
- Winter 2010 ESCC/Internet2 Joint Techs
January 31 - February 4, 2010
- Summer 2009 ESCC/Internet2 Joint Techs
July 19 - July 22, 2009
Articles of Interest
- FCC Publishes DNSSEC Recommendations for ISPs through one of the working groups of its Communications Security, Reliability and Interoperability Council (CSRIC). The 29-page PDF is available HERE.
- NASA Teething Troubles Teach a DNSSEC Lesson (CircleID Mar. 22, 2012)
- DNSSEC with BIND 9.8.0 (Tony Finch, May 4, 2011)
- BIND 9 DNSSEC Validation Fails on new DS record (Feb. 4, 2011)
Certain versions of BIND have a known bug which will cause DNSSEC validation errors when a new DS record is inserted into a trusted DNSSEC validation tree. This occurred when .NET was inserted into the root. These failures will cause BIND 9 to return SERVFAIL to queries under this newly inserted DS...
- Final report: DNSSEC in SURFdomeinen
The report is targeted at fellow NRENs. The aim is to give a high-level overview of how we implemented DNSSEC in our managed DNS environment and the lessons we learned.
- Helping Secure the Internet with DNSSEC by Allie Hopkins and John C. Borne, Louisiana State University
EDUCAUSE Quarterly Magazine, October 2010
- Operational Challenges When Implementing DNSSEC (PDF, see page 16)
by Torbjörn Eklöv, Interlan Gefle AB, and Stephan Lagerholm, Secure64 Software Corp.
The Internet Protocol Journal, June 2010
- DNSSEC Launched Today by EDUCAUSE and VeriSign, August 2, 2010
- NSEC3 Hash Performance (pdf), Yuri Schaeffer, NLnet Labs, March 18, 2010
Abstract: When signing a zone with DNSSEC and NSEC3, a choice has to be made for the key size and the number of hash iterations. We have measured the effect of the number of hash iterations in NSEC3 in terms of maximum query load using NSD and Unbound. This document presents the results of these measurements and compares the cost for validating and authoritative name servers and allows for an educated choice for these parameters.
- DNS security reaches 'key' milestone (NetworkWorld article on root key signing ceremony, June 16, 2010)
- The US Department of Commerce National Telecommunications and Information Administration (NTIA) has issued a Public Notice regarding the deployment of DNSSEC in the root zone. The Public Notice makes reference to the final report submitted to NTIA by ICANN and VeriSign which contains a summary of the project work to date together with a recommendation that full deployment should proceed. The Public Notice included a public review period. (Comment period now closed.)
- Final Report on DNSSEC Deployment in the Root Zone (pdf)
This document was jointly prepared by ICANN and VeriSign, and submitted to NTIA.
- RIPE NCC Operated K-Root Server Distributing Root Zone Signed with DNSSEC (March 24, 2010)
K-root, one of the 13 root name servers, distributing the root zone signed with DNSSEC as part of a global deployment plan that will see all 13 root zone servers signed by 1 July 2010.
- Comcast DNSSEC Statement (Feb 2010)
By the end of 2011, we plan to implement DNSSEC validation for all of our customers...
  - More info at Comcast DNSSEC Information Center
- Roll Over and Die? (Problems related to key rollover) (Feb 2010)
George Michaelson, Patrik Wallström, Roy Arends, Geoff Huston
Useful Links
- ARIN (American Registry for Internet Numbers) DNSSEC
- Comcast DNSSEC Information Center
(How to Participate in the [Comcast] DNSSEC Trial Today...)
- DNSSEC for .edu: Frequently Asked Questions
- DNSCheck - Test your DNS-server and find errors (includes DNSSEC)
- The DNSSEC Deployment Initiative works to encourage all sectors to voluntarily adopt security measures that will improve security of the Internet's naming infrastructure, as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors. The U.S. Department of Homeland Security Science and Technology (S&T) Directorate provides support for coordination of the initiative. This site is a tremendous reference resource.
- DNSSEC Links at Internet2 member institutions
- DNSSEC.net: a collection of useful information
- DNSSEC Industry Coalition - a global group of registries and industry experts whose mission is to work collaboratively to facilitate adoption of Domain Name Security Extensions (DNSSEC) and streamline the implementations across Domain Name Registries. Members work together to establish a consistent set of tools and applications, shared best practices, specifications and shared nomenclature. DNSSEC Industry Coalition members include both generic Top-Level Domain and country code Top-Level Domain registries along with industry and educational experts of the Domain Name System.
- DNSSEC-Tools: The goal of the DNSSEC-Tools project is to create a set of software tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC related technologies.
- DNSViz - A DNS visualization tool
DNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC). It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.
- EDUCAUSE Resources (.edu Registrar)
- IETF
- Internet Systems Consortium, Inc. (ISC)
- BIND (Berkeley Internet Name Domain) is an open-source software implementation of the DNS protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications.
- ISC's DLV Registry
DLV (DNSSEC Look-aside Validation) is an extension to the DNSSECbis protocol. It is designed to assist in early DNSSEC adoption by simplifying the configuration of recursive servers. DLV provides an additional entry point (besides the root zone) from which to obtain DNSSEC validation information. Without DLV, in the absence of a fully signed path from root to a zone, users wishing to enable DNSSEC-aware resolvers would have to configure and maintain multiple trusted keys into their configuration.
- SNS@ISC: ISC's DNS Secondary Name Service
As part of ISC's community outreach and their public benefit mission, in addition to their commercial offering they offer a public-benefit version of SNS@ISC.
- NIST DNSSEC Project
- OpenDNSSEC - Open Source software created as an open-source turn-key solution for DNSSEC. It secures zone data just before it is published in an authoritative name server.
- Review of administrative tools for DNSSEC
During the spring of 2010 .SE together with Certezza has conducted a second review of administrative tools for DNSSEC, this time including three new vendors, making a total of eight. ...The products have been divided into five DNS servers and three pure DNSSEC signers. We conclude that the quality of at least six of the management tools is good enough for convenient deployment. Some features are missing from most of the products, including support for signing several zones with a shared key and standardized key migration.
- Root DNSSEC - Information about DNSSEC for the Root Zone
- TERENA TF-Mobility DNSSEC Working Group
(Trans-European Research and Education Networking Association - Task Force on Mobility)