ICANN Releases Paper on Domain Name Security

Today ICANN releases a paper with the title "DNSSEC @ ICANN - Signing the root zone: A way forward toward operational readiness". The paper explains in more detail than earlier documents what ICANN view on signing of the root zone is. I think the key points mentioned in this paper are true, and in general, I think this document is a good read. It is not long, and summarizes what I would call the current view is. more»

Shouting 'Bug' on a Crowded Internet…

In the last few weeks we've seen two very different approaches to the full disclosure of security flaws in large-scale computer systems. Problems in the domain name system have been kept quiet long enough for vendors to find and fix their software, while details of how to hack Transport for London's Oyster card will soon be available to anyone with a laptop computer and a desire to break the law. These two cases highlight a major problem facing the computing industry, one that goes back many years and is still far from being unresolved. Given that there are inevitably bugs, flaws and unexpected interactions in complex systems, how much information about them should be made public by researchers when the details could be helpful to criminals or malicious hackers? more»

Not a Guessing Game

On Tuesday July 8, CERT/CC published advisory #800113 referring to a DNS cache poisoning vulnerability discovered by Dan Kaminsky that will be fully disclosed on August 7 at the Black Hat conference. While the long term fix for this attack and all attacks like it is Secure DNS, we know we can't get the root zone signed, or the .COM zone signed, or the registrar / registry system to carry zone keys, soon enough. So, as a temporary workaround, the affected vendors are recommending that Dan Bernstein's UDP port randomization technique be universally deployed. Reactions have been mixed, but overall, negative. As the coordinator of the combined vendor response, I've heard plenty of complaints, and I've watched as Dan Kaminsky has been called an idiot for how he managed the disclosure. Let me try to respond a little here, without verging into taking any of this personally... more»

Anti-Phishing and Hong Kong

Planning for a short trip to Hong Kong tomorrow reminded me of Jonathan Shea, something I wanted to blog about but was waiting for the hype around the new generic Top-Level Domains (TLDs) to cool down. Jonathan Shea is an old friend who is in-charge of ".hk". I had the pleasure to catch up with him in Paris ICANN meeting. Before Jonathan, let me talk about something related that happened in Paris. At the Cross Constituency Meeting, there was a presentation by the Anti-Phishing Working Group (APWG). In summary, they were proposing working with registries to take down domain names that are suspected to be involved in phishing. more»

Gartner on New Generic Top Level Domains

Gartner, the well known IT consulting company, has published a report on the new top level domains that will appear some time next year. The report totally misses the mark. In a pure US centric vision, it focuses on ".com" as the must-have TLD, totally overlooking the fact that a ".com" is mostly worthless e.g. in Germany, where ".de" is the TLD one must have to succeed locally... more»

An Astonishing Collaboration

Wow. It's out. It's finally, finally out... So there's a bug in DNS, the name-to-address mapping system at the core of most Internet services. DNS goes bad, every website goes bad, and every email goes...somewhere. Not where it was supposed to... I'm pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn't get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely. It was a good day... more»

Why New TLDs Don't Matter

Lost amid the furor about ICANN's rule change that may (or may not) lead to a flood of TLDs is the uncomfortable fact that almost without exception, the new TLDs created since 2000 have been utter failures. Other than perhaps .cat and .mobi, they've missed their estimates of the number of registrations by orders of magnitude, and they haven't gotten mindshare in the target community. So what went wrong? more»

New Generic Top-Level Domains and Internet Standards

The recent decision by ICANN to start a new round of applications for new generic Top-Level Domains (gTLDs) is launching a round of questions on the IETF side about its consequences. One possible issue may be with vanity gTLDs like apple, ebay etc. Some expect that every Fortune 1,000,000 company will apply for its own TLD. My guess is rather the Fortune 1,000 for a start, but this does not change the nature of the issue, i.e. those companies may want to use email addresses like user@tld. more»

ICANN's New gTLD Process: Hype and Reality

At its 32d International Junket Meeting last week, ICANN's Board approved the GNSO Council's recommendations for the eventual addition to the root of new generic top-level domains (gTLDs). This means that eventually, when the staff drafts, community comments upon, and Board approves implementation processes, those with deep pockets will have the opportunity to bid for new TLD strings... more»

The SocialDNS Project… and Why DNS is Not the Phone Book of the Internet

In this article I will explain the motivations behind the SocialDNS Project. I will justify why the DNS system is NOT the phone book of the Internet. More concretely, DNS is not a public directory nor enables search mechanisms over meta-information related to domains. In this line, I will present the advantages of SocialDNS, a naming and directory system that aims to become the phone book of the Web. SocialDNS is NOT another alternative DNS root nor aims to replace the current DNS for resolving domain names. It complements the existing DNS to offer advanced services that are beyond the scope of the existing infrastructure for Web settings. more»