DNSSEC Registrar Review
DNSSEC Industry Coalition Webinar Series
Brought to you by .ORG, The Public Interest Registry and Afilias

Panelists
- Lauren Price, DNSSEC Industry Coalition Chair; Sr. Product Marketing Manager, .ORG The Public Interest Registry; lprice@pir.org
- Jim Galvin, Afilias; Director, Strategic Relationships & Technical Standards; jgalvin@afilias.info
- Sadik Chandiwala, Afilias; Technical Account Manager; sadik@ca.afilias.info

Agenda
- The Vulnerability of DNS
- Quick Intro to DNSSEC
- PIR and DNSSEC Timeline
- Friends and Family Program
- Some DNSSEC Terminology
- OT&E Functionality and Changes
- EPP
- Etc.
- Resources
- Questions
Today…
When you visit a web site, send an email, or download software, can you be sure you are communicating with the server that you think you are? The answer is ‘no’, at least not with certainty.

What is DNSSEC and what does it protect us from?
DNSSEC (short for Domain Name System Security Extensions) adds security to the Domain Name System. DNSSEC is designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.

Currently, a DNS resolver sends a query out to the Internet and then accepts the first response it receives, without question. If a malicious system were to send back an incorrect response, the resolver would use this address until its cache expired. This is bad enough if a single user's computer gets this bad data, but it is much worse if it's another name server that answers queries for an ISP – affecting thousands of users.

What does cache poisoning look like?
DNSSEC Basics
- It provides proof that DNS data has not been modified in transit to the end user.
- It does this by providing additional information, something like a “seal of origin”, that can be verified as being correct or not.
- It is a set of extensions to DNS, which provide: origin authentication of DNS data, data integrity, and authenticated denial of existence.

How does DNSSEC work?
- Each piece of a domain’s DNS information has a digital signature attached to it.
- When a user enters the domain in a browser, the resolver verifies the signature.
- If it does not match, the resolver discards the response and waits for another.
- Only a response with a verified signature will be accepted by the resolver.
The description above is a common scenario. Please note that different resolvers may take different actions.
** Note: DNSSEC only adds signatures to DNS data. It does not encrypt anything. It has no effect on increasing the privacy of the DNS, and information in the DNS is still public information.
Benefits of DNSSEC
End User Benefits
- Ensures you are communicating with the correct website.
- End users that are not DNSSEC aware will not see any adverse effect.
Registrant Benefits
- Mitigates the risk of possible fraud.
- Greater protection of brand.
- Significantly decreases the threat of domain hijacking.

Benefits of DNSSEC
Registrar Benefits
- Ability to meet registrant demands for increased security of their domain.
- Ability to continue to sell domains that are not secured by DNSSEC for those registrants who are not interested.
- Complying with new industry standards.
Registry Benefits
- Meeting new industry standards.
- Ability to meet registrar demands for increased security of their portfolio of domains.
.ORG & DNSSEC: Why?

Our Brand & Reputation
Top five perceptions of the .ORG brand*:
- Informative
- Well-Intentioned
- Trustworthy
- Valuable Information
- Reliable
We expect to keep it that way!
* Source: e5 Marketing Survey of over 10,000 respondents in an electronic form, November 2008
Friends and Family Program Milestones
- .ORG zone signed June 2, 2009
- Registrars can participate in the testing phase
- Registrars are encouraged to test in OT&E
- A certification test will be required
- 2 registrars have passed their certification test to date
- We have selected a small set of domains and have manually inserted the DS records at the Registry
- Successful scheduled key rollovers

Registrar Accreditation Process
- Additional mandatory .ORG DNSSEC OT&E test required
- Registrars must pass the OT&E test to become DNSSEC Aware
- PIR will enable DNSSEC functionality for the Registrar after successful completion of the OT&E test.
Future Timeline for .ORG DNSSEC
- We expect to be done with our internal testing by Q4 2009
- Estimated full production timeframe: first half of 2010, meaning registrars can submit live delegations

A quick review of DNSSEC terminology…
What is a Resolver?
A DNS resolver is the program on a user’s computer that sends the query to the DNS. Once a response is received, the resolver returns the response back to the end user’s application.
[Diagram: User’s PC → Resolver → DNS; query “domain.org?”, answer 192.0.5.4]

What is a key pair?
A key pair contains two digital keys: a private key (held only by the .ORG registry) and a public key (distributed to the public). The .ORG registry uses the .ORG private key to sign the zone. End users' validators (or the validators at their ISPs) use the .ORG public key to validate the signature once they've asked for it.

The Chain of Trust
- If I trust a public key from someone, I can use that key to verify the signature … and authenticate the source.
- Make sure the root zone key can be trusted.
- Pointers in the root zone point to lower zones (org/com/info/de etc.).
- Each pointer is validated with the previously validated zone key.
- When DNSSEC is fully deployed, only the key for the root zone is needed to validate all the DNSSEC keys on the Internet.
[Diagram: resolution without DNSSEC. User’s PC / Resolver (local cache) → Recursive DNS Server (local cache) → Root Servers → .org authoritative NS → domain.org authoritative NS]
Confidential – Copyright 2008 Afilias Limited

[Diagram: resolution with DNSSEC. The same path, with DNSSEC labels on the Recursive DNS Server, the .ORG authoritative NS and the domain.ORG authoritative NS]
What is a key rollover?
A key rollover will occur when the .ORG registry needs to change its side of a key pair. This means that the entire pair needs to be changed:
- The .ORG zone will need to be re-signed with a new private key, AND
- The public will need to update their validating resolvers with the new public portion of the .ORG zone key.

PIR and Key Rollovers
PIR will be required to do key rollovers on a regular basis:
- If one of the .ORG private keys were compromised (i.e., stolen) and had to be immediately revoked.
- For prevention of compromise (see next question for further information), where a key rollover would be scheduled at regular intervals.

Scheduled Key Rollovers
Digital signatures are not secure all of the time. They are subject to cryptanalysis. It is possible for an attacker to learn the private key in a key pair even though that key has never been disclosed, either through "brute force" or other types of attacks. Since every attack requires time to complete, periodically changing the key decreases the length of time an attacker has to attempt the compromise.

So...... What would happen if end users do not update their validating resolvers with the new .ORG zone key?
Once the old key is purged, domains in the .ORG zone that were signed would no longer resolve for those people who did not use the new .ORG key. It would not affect people that are not using DNSSEC – they would continue to see the domain name.

Announcing Key Rollovers
A key rollover will be announced on the PIR Web site prior to the scheduled event. Anyone using DNSSEC will have to watch for these announcements, especially ISPs, registrars, and people using DNSSEC in applications.
What Changes has Afilias Made to the ORG Registry?
Changes have been made to support DNSSEC:
- Built a new Registrar Tool Kit for DNSSEC, which adds the DNSSEC EPP transactions (RFC 4310)
- EPP server has been modified for DNSSEC, adding the DNSSEC EPP transactions (as per RFC 4310)
- Changes to the Registry Database to now store DS information

Registrar OT&E
Covered in the ORG manual: Extensible Provisioning Protocol (EPP) v1.0 ORG DNSSEC Registrar Acceptance Criteria.
Registrars must test the basic operations that their client application can perform in the ORG DNSSEC registry environment, including:
- Create Domain
- Create Domain with Optional Key Data
- Query Domain
- Query Domain with Optional Key Data
- Update Domain: Adding DS Data
- Update Domain: Changing DS Data
- Update Domain: Change to Include Optional Data
- Update Domain: Removing DS Data
New Resource Record Types
DNSSEC adds four new resource record types:
1. Resource Record Signature (RRSIG): signature over an RRset, made using the private key
2. DNS Public Key (DNSKEY): public key, needed for verifying an RRSIG
3. Delegation Signer (DS): ‘pointer’ for building chains of authentication
4. Next Secure (NSEC/NSEC3): NSEC indicates which name is the next one in the zone and which type codes are available for the current name. As an alternative to NSEC, NSEC3 (defined in RFC 5155) can prevent walking of DNSSEC zones and permits optional gradual expansion of delegation-centric zones.

[Diagram: The DNSSEC Data Fields]
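The DS record is the link in the chain of trust described above: the parent (.ORG) publishes a hash of the child's DNSKEY, and a validator recomputes that hash from the DNSKEY the child serves. The following is an added example, not code from the webinar or from Afilias; it computes a DS record (keyTag, alg, digestType, digest) per RFC 4034 and checks a served DNSKEY against it. The owner name domain.org, the algorithm number and the public key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed sample DNSKEY for domain.org (the name used on the slides):
# flags 257 = KSK, protocol 3, algorithm 8 (RSASHA256). The public key
# bytes are a made-up placeholder, not a real key.
SAMPLE_OWNER = "domain.org."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALG = 257, 3, 8
SAMPLE_PUBKEY = bytes(range(1, 65))


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B); this is the value
    carried in the DS record and in the EPP secDNS:keyTag field."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Owner name in canonical (lower-case, length-prefixed) wire form."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels)
    return out + b"\x00"


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the DS record (keyTag, alg, digestType, digest) that the parent
    publishes for a child DNSKEY. digestType 1 = SHA-1, 2 = SHA-256."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey):
    """Validator-side check: recompute the DS from the DNSKEY the child
    served and compare it with the DS the parent published. A key that was
    replaced, or rolled without a matching DS update, fails this check."""
    tag, alg, dtype, digest = ds
    recomputed = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, dtype)
    return recomputed == (tag, alg, dtype, digest)


if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                        SAMPLE_ALG, SAMPLE_PUBKEY)
    print("domain.org. IN DS %d %d %d %s" % ds)
    other_key = bytes(64)  # constructed: a DNSKEY the parent never vouched for
    print("unlisted key matches parent DS:",
          ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                            SAMPLE_ALG, other_key))
```

The same mismatch is what validators see after a .ORG key rollover if they keep the old public key: the DNSKEY no longer agrees with the trust anchor they hold.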
Changes to EPP Commands
The following EPP commands will now contain the optional DNSSEC data:
1. Session Mgmt.: <login> <logout>
2. Object Query: <check> <info> <poll> <transfer>
3. Object Transform: <create> <delete> <renew> <transfer> <update>

Changes to EPP: <create> domain
- Create Domain is changed because a DNSSEC secure domain must be created with a DS record attached to it.
- The Registrar needs to be accredited for creating domain names with DS records.
- If they are not, the system will reject the domain create command and throw a validation error: You are not authorized to perform this action.
- If the maxSigLife is not entered for a <create> domain name with DS records, the system will set it to the default value (40 days).
- If the user provides empty tags for the following parameters, the domain will not be created and an error message will be returned: secDNS:keyTag, secDNS:alg, secDNS:digestType.

Changes to EPP: <update> domain
- The <update> domain command is now changed as DS information can be added or changed for each domain.
- If the Registrar is not accredited for creating domain names with DS records and attempts to add DS data to an existing domain name, the system will reject the domain update command and return an error.
- If the domain name already has 10 DS records and the sponsoring Registrar attempts to add another, the system will reject the domain update command and return an error per EPP RFC 3730.
- If the maxSigLife is not entered for a domain name with DS records, the system will set it to the default value (40 days).
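The <create> and <update> rules above can be exercised against a sample secDNS extension. The following is an added example, not the registry's or Afilias' code: it parses an RFC 4310 secDNS:create fragment and applies the slide rules (accreditation, empty keyTag/alg/digestType tags, the 40-day maxSigLife default, the 10-DS limit). The keyTag and digest values are constructed placeholders; maxSigLife is stored in seconds because that is the unit RFC 4310 uses.

```python
import xml.etree.ElementTree as ET

SECDNS = "urn:ietf:params:xml:ns:secDNS-1.0"   # RFC 4310 extension namespace
NS = {"secDNS": SECDNS}
DEFAULT_MAX_SIG_LIFE = 40 * 86400  # slides: 40 days; RFC 4310 counts seconds
MAX_DS_PER_DOMAIN = 10
NOT_AUTHORIZED = "You are not authorized to perform this action"

# Constructed sample: the secDNS extension a registrar could attach to a
# domain <create>. keyTag and digest are placeholder values, not real ones.
SAMPLE_DIGEST = "AB" * 32
SAMPLE_CREATE_EXT = f"""<secDNS:create xmlns:secDNS="{SECDNS}">
  <secDNS:dsData>
    <secDNS:keyTag>12345</secDNS:keyTag>
    <secDNS:alg>8</secDNS:alg>
    <secDNS:digestType>2</secDNS:digestType>
    <secDNS:digest>{SAMPLE_DIGEST}</secDNS:digest>
  </secDNS:dsData>
</secDNS:create>"""


def parse_ds_data(ext_xml):
    """Extract every secDNS:dsData element as a dict. Empty or missing
    keyTag/alg/digestType (the fields the slides name) or digest (required
    by the RFC 4310 schema) raise ValueError; maxSigLife gets the default."""
    root = ET.fromstring(ext_xml)
    records = []
    for ds in root.iter(f"{{{SECDNS}}}dsData"):
        rec = {}
        for field in ("keyTag", "alg", "digestType", "digest"):
            el = ds.find(f"secDNS:{field}", NS)
            text = (el.text or "").strip() if el is not None else ""
            if not text:
                raise ValueError(f"secDNS:{field} is missing or empty")
            rec[field] = text if field == "digest" else int(text)
        life = ds.find("secDNS:maxSigLife", NS)
        has_life = life is not None and (life.text or "").strip()
        rec["maxSigLife"] = int(life.text) if has_life else DEFAULT_MAX_SIG_LIFE
        records.append(rec)
    if not records:
        raise ValueError("no secDNS:dsData present")
    return records


def registry_check(accredited, existing_ds_count, ext_xml):
    """Registry-side decision for a <create>, or an <update> adding DS data,
    following the slide rules. Returns ("ok", records) or ("error", msg)."""
    if not accredited:
        return "error", NOT_AUTHORIZED
    try:
        records = parse_ds_data(ext_xml)
    except (ValueError, ET.ParseError) as exc:
        return "error", f"validation error: {exc}"
    if existing_ds_count + len(records) > MAX_DS_PER_DOMAIN:
        return "error", f"domain may hold at most {MAX_DS_PER_DOMAIN} DS records"
    return "ok", records


if __name__ == "__main__":
    print(registry_check(True, 0, SAMPLE_CREATE_EXT))
    print(registry_check(False, 0, SAMPLE_CREATE_EXT))
    print(registry_check(True, 0, SAMPLE_CREATE_EXT.replace("12345", "")))
    print(registry_check(True, 10, SAMPLE_CREATE_EXT))
```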
