1. Security for the Internet’s Domain Name System DNSSEC Current State of Deployment Prepared for Internet2 BoF Amy Friedlander, Shinkuro, Inc. Based on a presentation by Marcus Sachs (SRI) with contributions by members of the DNSSEC Deployment Working Group April 23, 2007

2. Security for the Internet’s Domain Name System DNSSEC Current State: Protocols Core RFCs published: 4033: DNS Security Introduction and Requirements 4034: Resource Records for DNS Security Extensions 4035: Protocol Modifications for the DNS Security Extensions http://www.dnssec.net/rfc for the entire collection NSEC3 is in final stages. DNS Extensions (DNSEXT) Working Group is discussing its future, including the option of self dissolution.

3. Security for the Internet’s Domain Name System The US Department of Homeland Security DNSSEC Deployment Initiative Activities Coordination project: Shinkuro, Sparta, SRI and NIST Roadmap published in February 2005, updated March 2007 to include extensive list of available software tools and guides http://www.dnssec-deployment.org/roadmap.php Multiple workshops held world-wide Monthly newsletter http://www.dnssec-deployment.org/news/dnssecthismonth DNSSEC testbed and testing tools developed by NIST http://www-x.antd.nist.gov/dnssec DNSSEC tools available at http://www.dnssec-tools.org DNSSEC-Deployment Working Group http://www.dnssec-deployment.org Internet2 Cross-Signing Pilot http://www.dnssec-deployment.org/internet2/

4. Security for the Internet’s Domain Name System DNSSEC in the United States US Government US civilian government (.gov) developing policy and technical guidance for secure DNS operations and beginning deployment activities at all levels. The “.us” and “.mil” zones are also on track for DNSSEC compliance New DNSSEC guidance included in FISMA, NIST 800-53r1 http://www.csrc.nist.gov/publications/nistpubs Secure Domain Name System Deployment Guide http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf Outside the US Government Public Internet Registry (PIR): plans for deploying DNSSEC in.org http://pir.org/Strengthening/DNSSec.aspx

5. Security for the Internet’s Domain Name System DNSSEC in the Caribbean: Puerto Rico In July 2006 Puerto Rico’s top-level domain (.pr) was the second ccTLD – country code top level domain – to provide a DNSSEC- signed zone Details: http://www.nic.pr Questions may be addressed to info@nic.pr

6. Security for the Internet’s Domain Name System DNSSEC in Latin America: Mexico and Brazil NIC Mexico is developing the infrastructure, procedures and technology for a future DNSSEC deployment in the.mx ccTLD DNSSEC testbed launched in May 2006 Created a new SLD: test.mx where DNSSEC enabled domain registrations can be made for free Testbed details: http://www.dnssec.org.mx DNSSEC verification tool: http://www.dnssec.org.mx/checkdnssec.html Registro.br released DNSSEC extensions for EPP: http://registro.br/epp/index-EN.html (RFC 4310) http://registro.br/epp/index-EN.html

7. Security for the Internet’s Domain Name System DNSSEC in Europe: RIPE The European infrastructure services provider, RIPE NCC, based in the Netherlands, has deployed DNSSEC in the reverse tree Details are at https://www.ripe.net/rs/reverse/dnssec How-to guide (latest version) at https://www.nlnetlabs.nl/ dnssec_howto

8. Security for the Internet’s Domain Name System DNSSEC in Europe: Sweden In November 2005, the Swedish national registry (.se) was the first ccTLD – country code top level domain – to provide DNSSEC-capable service February 16, 2007,.se launched commercial DNSSEC service Press release (launch): http://www.iis.se/english/nyheter/news/2007-02- 16?lang=en http://www.iis.se/english/nyheter/news/2007-02- 16?lang=en More details, DNSSEC This Month (March 1, 2007) http://www.dnssec-deployment.org/news/dnssecthismonth/200703- dnssecthismonth/

9. Security for the Internet’s Domain Name System DNSSEC in Europe: Bulgaria, Czech Republic and Russia Bulgaria (.bg) has signed its zone. Czech Republic (.cz) is studying the idea of signing its zone as a means of seeding DNSSEC deployment in eastern Europe. R01 (http://www.r01.ru/), a Russian registrar, has a signed copy of the.ru zone available on their name server. ns.dnssec.ru (195.24.65.7) Registrants with a.ru domain using R01 as a registrar can sign their own zones R01 will provide secure delegation in the signed copy of the.ru zone Additional information on the signed zone and how it can be used can be found at http://www.dnssec.ru

10. Security for the Internet’s Domain Name System DNSSEC in Asia DNSSEC summit and workshop during APRICOT 2005, Kyoto http://www.apricot.net/apricot2005/workshop.html#ws5 http://www.psg.com/~mankin/DNSSEC-Kyoto- 21Feb2005/DNSSEC05FebJP-Info.html We need more pilots and workshops in the APNIC region!

11. Security for the Internet’s Domain Name System Stages for Next Steps and Discussion Risk (and cost) analysis CRITICAL! Test and engineering Discussions with many communities, including with the relevant Top Level Domain registries Production Including communication with zone providers, registrars, governing agencies, and software vendors Leadership in the private and public sectors

12. Security for the Internet’s Domain Name System Background Information and Contributors For lots of detailed information: www.dnssec-deployment.org www.dnssec-tools.org www.dnssec.net Authors of materials in this presentation (all from dnssec-deployment working group) Amy Friedlander (Shinkuro) Allison Mankin (Shinkuro) Marcus Sachs (SRI) Ed Lewis (Neustar) Olaf Kolkman (Netlabs.nl) Russ Mundy (Sparta)