In the spirit of avoiding duplication of effort and reinvention of wheels, we have taken the Internet2 DNSSEC SIG dormant as of December 2013. We encourage you instead to participate in the Internet Society's DNSSEC effort led by Dan York. See http://www.internetsociety.org/deploy360/dnssec/
For reference, here is the DNSSEC Community page that includes mailing list info and more: http://www.internetsociety.org/deploy360/dnssec/community/
We would also encourage you to watch their blog to keep up to date on DNSSEC-related news: http://www.internetsociety.org/deploy360/blog/category/dnssec/
The <email@example.com> mailing list will remain alive, and access to the archives will remain unchanged. But we do urge you to subscribe to the Internet Society <dnssec-coord> list and use that as the primary venue for discussion.
Also, see press release Internet Society Collaborates with Shinkuro and Parsons to Promote Global Deployment of Domain Name System Security Extensions (DNSSEC) (16 July 2013)
See the Spaces Instructions for editing access.
This SIG (Special Interest Group) is intended as a collaborative forum for the research and education community, to share information and support each other in deploying DNSSEC - the Domain Name System Security Extension.
NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.
- Shumon Huque, University of Pennsylvania
- Michael Sinatra, ESnet
- To subscribe to the e-mail list, send an e-mail to <pubsympa AT internet2.edu> with the following message in the subject:
- subscribe DNSSEC FirstName LastName
- To set a watch on this wiki space, to be notified of changes at the e-mail address in your profile, use the menu at the top of this page:
- Browse => Advanced => Start watching this space (under Subscribe in the left nav)
- To edit the e-mail address in your profile, use the menu at the top of this page:
\[UserName\] => Preferences => Edit Profile (tab)
Information obtained from SecSpider - the DNSSEC Monitoring Project as of 8-June-2011
A compilation of DNS capabilities and statistics for a several categories of institutions (Internet2, ESnet, NYSERnet, GigaPoPs, Leading Tech companies, TLDs etc). The data are currently updated once per week. Maintained by Shumon Huque.
Upcoming Events of Interest
Past Events of Interest
- A survey of DNSSEC deployment in the US R&E Community, Joint Techs Conference, July 16th 2012, Palo Alto, CA
- DNS and DNSSEC Tutorial, PICC 12 Conference, May 12th 2012, New Brunswick, NJ
- DNSSEC workshop at FOSE, April 3, 2012, Washington DC
- (Scroll down past the photos to get to the actual agenda.) Cost is $45.
- ICANN DNSSEC Workshop, March 14, 2012, San Jose, Costa Rica
- Securing and Trusting Internet Names, SATIN 2012, March 22-23, 2012, Teddington, UK
- ICANN DNSSEC Workshop 26 October 2011
- Winter 2011 ESCC/Internet2 Joint Techs
January 30 - February 3, 2011
- Higher Education Experiences with DNSSEC Signing
Fall 2010 Internet2 Member Meeting November 3, 2010
- ICANN DNSSEC Workshop
Brussels, June 23, 2010
- EDUCAUSE Security Professionals Conference: The Shifting Landscape: Changing Mind-Sets
April 12-14, 2010, Atlanta, GA
- Internet2 Spring Member Meeting
April 26-28, 2010, Arlington VA
- TERENA Networking Conference 2010
May 31-June 3, 2010, Vilnius, Lithuania,
- DNSSEC Workshop at the ICANN Meeting in Nairobi, Kenya (presentations and transcript available)
Wednesday, March 10, 2010
February 24, 2010, Austin, TX
February 18, 2010, Vienna, Austria
- Winter 2010 ESCC/Internet2 Joint Techs
January 31 - February 4, 2010
- Summer 2009 ESCC/Internet2 Joint Techs
July 19 - July 22, 2009
Articles of Interest
- FCC Publishes DNSSEC Recommendations for ISPs through one of the working groups of its Communications Security, Reliability and Interoperability Council (CSRIC). The 29-page PDF is available HERE.
- NASA Teething Troubles Teach a DNSSEC Lesson (CircleID Mar. 22, 2012)
- DNSSEC with BIND 9.8.0 (Tony Finch, May 4, 2011)
- BIND 9 DNSSEC Validation Fails on new DS record (Feb. 4, 2011)
Certain versions of BIND have a known bug which will cause DNSSEC validation errors when a new DS record is inserted into a trusted DNSSEC validation tree. This occurred when .NET was inserted into the root. These failures will cause BIND 9 to return SERVFAIL to queries under this newly inserted DS...
- Final report: _DNSSEC in SURFdomeinen
The report is targeted at fellow NRENs. The aim is to give a high-level overview of how we implemented DNSSEC in our managed DNS environment and the lessons we learned.
- Helping Secure the Internet with DNSSEC_by Allie Hopkins and John C. Borne, Louisiana State University
EDUCAUSE Quarterly Magazine, October 2010
- Operational Challenges When Implementing DNSSEC (PDF, see page 16)
by Torbjörn Eklöv, Interlan Gefle AB, and Stephan Lagerholm, Secure64 Software Corp.
The Internet Protocol Journal, June 2010
- DNSSEC Launched Today by EDUCAUSE and VeriSign, August 2, 2010
- NSEC3 Hash Performance (pdf), Yuri Schaeffer, NLnet Labs, March 18, 2010
Abstract: When signing a zone with DNSSEC and NSEC3, a choice has to be made for the key size and the number of hash iterations. We have measured the effect of the number of hash iterations in NSEC3 in terms of maximum query load using NSD and Unbound. This document presents the results of these measurements and compares the cost for validating and authoritative name servers and allows for an educated choice for these parameters.
- DNS security reaches 'key' milestone (NetworkWorld article on root key signing ceremony, June 16, 2010)
- The US Department of Commerce National Telecommunications and Information Administration (NTIA) has issued a Public Notice regarding the deployment of DNSSEC in the root zone. The Public Notice makes reference to the final report submitted to NTIA by ICANN and VeriSign which contains a summary of the project work to date together with a recommendation that full deployment should proceed. The Public Notice included a public review period. (Comment period now closed.)
- Final Report on DNSSEC Deployment in the Root Zone (pdf)
This document was jointly prepared by ICANN and VeriSign, and submitted to NTIA.
- RIPE NCC Operated K-Root Server Distributing Root Zone Signed with DNSSEC (March 24, 2010)
K-root, one of the 13 root name servers, distributing the root zone signed with DNSSEC as part of a global deployment plan that will see all 13 root zone servers signed by 1 July 2010.
- Comcast DNSSEC Statement (Feb 2010)
By the end of 2011, we plan to implement DNSSEC validation for all of our customers...
- Roll Over and Die? (Problems related to key rollover) (Feb 2010)
George Michaelson, Patrik Wallström, Roy Arends, Geoff Huston
- ARIN (American Registry for Internet Numbers) DNSSEC
[Comcast DNSSEC Information Center|http://www.dnssec.comcast.net/] (_How to Participate in the \[Comcast\] DNSSEC Trial Today..._)
- DNSSEC for .edu: Frequently Asked Questions
- DNSCheck - Test your DNS-server and find errors (includes DNSSEC)
- The DNSSEC Deployment Initiative works to encourage all sectors to voluntarily adopt security measures that will improve security of the Internet's naming infrastructure, as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors. The U.S. Department of Homeland Security Science and Technology (S&T) Directorate provides support for coordination of the initiative. This site is a tremendous reference resource.
- DNSSEC Links at Internet2 member institutions
- DNSSEC.net: a collection of useful information
- DNSSEC Industry Coalition - a global group of registries and industry experts whose mission is to work collaboratively to facilitate adoption of Domain Name Security Extensions (DNSSEC) and streamline the implementations across Domain Name Registries. Members work together to establish a consistent set of tools and applications, shared best practices, specifications and shared nomenclature. DNSSEC Industry Coalition members include both generic Top-Level Domain and country code Top-Level Domain registries along with industry and educational experts of the Domain Name System.
- DNSSEC-Tools: The goal of the DNSSEC-Tools project is to create a set of software tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC related technologies.
- DNSViz - A DNS visualization toolDNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC). It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.
- EDUCAUSE Resources (.edu Registrar)
- Internet Systems Consortium, Inc. (ISC)
- BIND (Berkeley Internet Name Domain) is an open-source software implementation of the DNS protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications.
- ISC's DLV Registry
DLV (DNSSEC Look-aside Validation) is an extension to the DNSSECbis protocol. It is designed to assist in early DNSSEC adoption by simplifying the configuration of recursive servers. DLV provides an additional entry point (besides the root zone) from which to obtain DNSSEC validation information. Without DLV, in the absence of a fully signed path from root to a zone, users wishing to enable DNSSEC-aware resolvers would have to configure and maintain multiple trusted keys into their configuration.
- SNS@ISC: ISC's DNS Secondary Name Service
As part of ISC's community outreach and their public benefit mission, in addition to their commercial offering they offer a public-benefit version of SNS@ISC.
- NIST DNSSEC Project
- OpenDNSSEC - Open Source software created as an open-source turn-key solution for DNSSEC. It secures zone data just before it is published in an authoritative name server.
- Review of administrative tools for DNSSEC
During the spring of 2010 .SE together with Certezza has conducted a second review of administrative tools for DNSSEC, this time including three new vendors, making a total of eight. ...The products have been divided into five DNS servers and three pure DNSSEC signers. We conclude that the quality of at least six of the management tools is good enough for convenient deployment. Some features is missing from most of the products, including support for signing several zones with a shared key and standardized key migration.
- Root DNSSEC - Information about DNSSEC for the Root Zone
- TERENA TF-Mobility DNSSEC Working Group
(Trans-European Research and Education Networking Association - Task Force on Mobility)