DNS / Featured Blogs

DNS-Based DDoS: Diverse Options for Attackers

Denial of service attacks have been around since the Internet was commercialized and some of the largest attacks ever launched relied on DNS, making headlines. But every day a barrage of smaller DNS-based attacks take down targets and severely stress the DNS ecosystem. Although DNS servers are not usually the target of attacks they are often disrupted so attention from operation teams is required. There is no indication the problem is going away and attackers continue to innovate. more»

Registration Operations is More Than Just Registering Domain Names

Perceptions can be difficult to change. People see the world through the lens of their own experiences and desires, and new ideas can be difficult to assimilate. Such is the case with the registration ecosystem. Today's operational models exist because of decisions made over time, but the assumptions that were used to support those decisions can (and should) be continuously challenged to ensure that they are addressing today's realities. Are we ready to challenge assumptions? Can the operators of registration services do things differently? more»

Join Live On Sunday - 2nd Registration Operations Workshop (ROW) In Dallas

This Sunday, March 22, 2015, the second Registration Operations Workshop (ROW) will be taking place at the Fairmont Dallas hotel from 12:30 -- 4:30 pm CDT. Discussion will include extensions to EPP, new encryption initiatives and also suggestions for ways to further automate DNS interactions between registries, registrars and DNS operators, including a need to do this for DNSSEC. more»

Is DNSSEC Worth the Effort?

A blog post has created some attention online through its extremely negative attitude to DNSSEC. Through the years, I have come in contact with many arguments against DNSSEC that suggest that anyone who is critical has not managed to or wanted to familiarize themselves with what DNSSEC is and does. We have received many questions concerning the article, so I feel it's appropriate to respond to the criticism. more»

Seeking Proposals for ICANN 53 DNSSEC Workshop on June 24, 2015, in Buenos Aires

Are you interested in sharing lessons you've learned in deploying DNSSEC or DANE with the wider community? Have you performed new measurements related to DNSSEC deployment that you want to share publicly? Do you have a new tool or service that you think people in the DNSSEC community would find interesting? Are you seeking feedback on some ideas you have to make DNSSEC better or easier to deploy? more»

The DNS Still Isn't a Directory

Back in the mid 1990s, before ICANN was invented, a lot of people assumed that the way you would find stuff on the Internet would be through the Domain Name System. It wasn't a ridiculous idea at the time. The most popular way to look for stuff was through manually managed directories like Yahoo's, but they couldn't keep up with the rapidly growing World Wide Web. Search engines had been around since 1994, but they were either underpowered and missed a lot of stuff, or else produced a blizzard of marginally relevant results. more»

Minimum Disclosure: What Information Does a Name Server Need to Do Its Job?

Two principles in computer security that help bound the impact of a security compromise are the principle of least privilege and the principle of minimum disclosure or need-to-know. As described by Jerome Saltzer in a July 1974 Communications of the ACM article, Protection and the Control of Information Sharing in Multics, the principle of least privilege states, "Every program and every privileged user should operate using the least amount of privilege necessary to complete the job." more»

ICANN's Auction Piggy Bank Just Got Twice As Big

Kieren McCarthy reports in The Register that an obscure Panamanian company paid $30 million for .BLOG in the January 21 domain auction. ICANN's web site confirms that the domain did go to the Panamanian company. It doesn't report the amount, but Kieren's sources are usually correct. If so, the auction proceeds piggy bank just doubled from $30M to $60M dollars, and ICANN still has no idea what to do with it. more»

Notes from NANOG 63

The following is a selected summary of the recent NANOG 63 meeting, held in early February, with some personal views and opinions thrown in! ...One view of the IETF's positioning is that as a technology standardisation venue, the immediate circle of engagement in IETF activities is the producers of equipment and applications, and the common objective is interoperability. more»

The Why and How of DNS Data Analysis

A network traffic analyzer can tell you what's happening in your network, while a Domain Name System (DNS) analyzer can provide context on the "why" and "how." This was the theme of the recent Verisign Labs Distinguished Speaker Series discussion led by Paul Vixie and Robert Edmonds, titled Passive DNS Collection and Analysis -- The "dnstap" Approach. more»