Friday, March 30, 2012

Ingredients coming together for global DNSSEC deployment - are you ready?

It's been a year since .com was signed, which was a major step forward towards Internet community support for DNSSEC implementation given that nearly 45% of all Internet domains fall within the .com branch. I was curious how other top level domains (TLDs) were doing in this regard, so I checked out the ICANN Research site for TLD signing statistics. As shown in the following summary table, 22.5% of TLDs were signed a year ago, while 29.1% are signed as of today. Going from 69 to 91 signed TLDs (up nearly a third) represents good progress, but there's still a way to go before every delegation has an unbroken chain of trust to the root zone.
                         March 2011    March 2012
TLDs in the root zone           306           313
TLDs signed                      69            91
% TLDs signed                 22.5%         29.1%

Another boost to DNSSEC deployment was announced last week in the form of a pending FCC recommendation that promotes the DNSSEC deployment planned by several major ISPs. These ISPs will be implementing DNSSEC validation on their recursive servers, which their customers query for DNS resolution. That is, as their customers issue DNS queries to these ISP recursive servers, the servers will resolve the query and then attempt to validate the RRSIG signatures on the response data, following the chain of DS and DNSKEY records up to the root zone's trust anchor (or another configured trusted key).

This ISP deployment of DNSSEC validation should protect broadband users from website hijacking and other DNS cache poisoning style attacks, provided the zones of the websites these users are attempting to access are signed. With growing TLD adoption of DNSSEC and an expected jump in recursive servers validating responses thanks to this ISP initiative, the way forward is clear if your TLD is signed. All you have to do is sign your Internet zones and provide your parent zone registrar with the corresponding Delegation Signer (DS) records, each a hash of one of your Key Signing Keys (KSKs), to link you into the DNSSEC chain of trust. The flip side is worth keeping in mind: once resolvers validate, an expired signature or a DS record that no longer matches your KSK makes your zone unresolvable (SERVFAIL) for those users, which is why the signing and rollover discipline discussed below matters.

I believe the hesitancy with DNSSEC implementation is rooted more deeply in the complexity of DNSSEC configuration and the burden of ongoing management (key rollovers and refreshing signatures before they expire) than in the lack of widescale DNSSEC deployment. In many cases, this lack of deployment has served as a legitimate barrier to implementation, but this will soon cease to be the case.

As for DNSSEC complexity, BT Diamond IP offers a simple solution to signing your DNS information and ongoing maintenance: the Sapphire Sx20 appliance can be configured with your signing and rollover policies so you can set it and forget it. It will automatically roll keys, update signatures, even auto-update DS records accordingly for your subzones. The barriers to deploying DNSSEC are dwindling. Will you protect the integrity of your web resources?

Thursday, March 29, 2012

What would you ask about IPv6?

I am in the process of compiling questions for the 2012 rendition of BT Diamond IP's IPv6 survey. This survey is open to anyone wishing to express their opinion about the state of IPv6 and deployment plans. While I'd like to retain some of the questions from last year's survey to identify shifts or trends in opinion, there's always room for one or two additional questions. So if there's a question that's on your mind, feel free to post a comment to this blog post and I'll consider it!

I'm interested in what conditions would hasten people's plans to deploy IPv6, so I'm planning to add a question about this from the perspective of IPv6 user density on the Internet: what share of Internet users being on IPv6 would you consider critical mass? 1%, 10%, or even 50%? Let me know if you agree this is a good question, or if you have a different metric or any additional question ideas!