DNS

DNS / Recently Commented

DNS Privacy at IETF 104

From time to time the IETF seriously grapples with its role with respect to technology relating to users' privacy. Should the IETF publish standard specifications of technologies that facilitate third-party eavesdropping on communications or should it refrain from working on such technologies? Should the IETF take further steps and publish standard specifications of technologies that directly impede various forms of third party eavesdropping on communications? more

Unexpected Behaviour Observed With DNS Root Servers After Cryptographic Change

The DNS root servers were reported by Verisign to be under unexpected attack from name servers across the Internet following ICANN's recent changes to their cryptographic master keys. more

A Short History of DNS Over HTTP (So Far)

The IETF is in the midst of a vigorous debate about DNS over HTTP or DNS over HTTPS, abbreviated as DoH. How did we get there, and where do we go from here? (This is somewhat simplified, but I think the essential chronology is right.) Javascript code running in a web browser can't do DNS lookups, other than with browser.dns.resolv() to fetch an A record, or implicitly by fetching a URL which looks up a DNS A or AAAA record for the domain in the URL. more

Say YES to DNSSEC

With the latest "DNSpionage" attack, ICANN astutely prompted domain name holders to fully deploy DNSSEC on their names. Afilias absolutely supports this and encourages the same. In this post, I remind you of why DNSSEC is important and our continued role. Afilias has a long history in the development and advocacy of DNSSEC. In 2007, we partnered with Public Interest Registry to help found dnssec-deployment.org. more

Revisiting How Registrants Can Reduce the Threat of Domain Hijacking

Recent events have shown the threat of domain hijacking is very real; however, it is also largely preventable. As Verisign previously noted, there are many security controls that registrants can utilize to help strengthen their security posture. Verisign would like to reiterate this advice within the context of the recent domain hijacking reports. Domains are an important element of internet infrastructure; their functionality and security rely upon many factors such as their delegated name servers. more

The Road Less Traveled: Time Is Running Out for NTIA-Verisign Cooperative Agreement

It is remarkable  -  for all the wrong reasons  -  that only two months remain before the National Telecommunications and Information Administration (NTIA) must make a fateful decision on how it will address its' long-standing Cooperative Agreement with Verisign  -  the private-sector corporation that edits the authoritative address book of the Internet's Domain Name System (DNS), maintains two of the DNS root servers, and operates the .com and .net registries of the Internet, undoubtedly one of the most lucrative concessions ever granted. more

M3AAWG and APWG Do the Best Survey Yet on WHOIS Redaction

M3AAWG, the Messaging, Malware, and Mobile, Anti-Abuse Working Group and APWG, the Anti-Phishing Working Group, surveyed their members about recent WHOIS changes. With over 300 results from security researchers, it's the broadest report yet on WHOIS use. The survey results confirm our concerns that WHOIS was a vital resource for security research, and its loss is a serious and ongoing problem. more

Addressing Infringement: Developments in Content Regulation in the US and the DNS

Over the course of the last decade, in response to significant pressure from the US government and other governments, service providers have assumed private obligations to regulate online content that have no basis in public law. For US tech companies, a robust regime of "voluntary agreements" to resolve content-related disputes has grown up on the margins of the Digital Millennium Copyright Act (DMCA) and the Communications Decency Act (CDA). more

KSK Rollover, Elliptical Curve Vulnerabilities, Surveillance and Privacy. Are We Building Trust?

ICANN just recently performed a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) Rollover. The recent KSK Rollover that took place on the 11th October 2018. The KSK Rollover has been successful and congratulations are in order. The Root Zone DNSSEC Key Signing Key "KSK" is the top most cryptographic key in the DNSSEC hierarchy. The KSK is a cryptographic public-private key pair. more

How to Prepare for the DNSSEC Root KSK Rollover on October 11, 2018

Are you ready? Are your systems prepared so that DNS will keep functioning for your networks? One week from today, on Thursday, October 11, 2018, at 16:00 UTC ICANN will change the cryptographic key that is at the center of the DNS security system - what we call DNSSEC. The current key has been in place since July 15, 2010. This is a long-planned replacement. more

Making Sense of the Domain Name Market - and Its Future

With ever more TLDs, where does it make sense to focus resources? After four years and a quadrupling of internet extensions, what metrics continue to make sense in the domain name industry? Which should we discard? And how do you gain understanding of this expanded market? For registries, future success is dependent on grasping the changes that have already come. For registrars, it is increasingly important to identify winners and allocate resources accordingly. The question is: how? more

(DNS) Security Protocols Do What They Say on the Tin

DNS-over-TLS has recently become a welcome addition to the range of security protocols supported by DNS. It joins TSIG, SIG(0) and DNSSEC to add privacy, and, in the absence of validating stub resolvers, necessary data integrity on the link between a full-service resolver and the users' stub resolver. (The authenticated source feature of TLS may also offer some additional benefits for those of a nervous disposition.) Good stuff. What is not good stuff is... more

DNSSEC and DNS over TLS

The APNIC Blog has recently published a very interesting article by Willem Toorop of NLnet Labs on the relationship between Security Extensions for the DNS (DNSSEC) and DNS over Transport Layer Security. Willem is probably being deliberately provocative in claiming that "DoT could realistically become a viable replacement for DNSSEC." If provoking a reaction was indeed Willem's intention, then he has succeeded for me, as it has prompted this reaction. more

Why You Must Learn to Love DNSSEC

It's been nearly two months since the high profile BGP hijack attack against MyEtherwallet, where crypto thieves used BGP leaks to hijack MEW's name servers, which were on Amazon's Route53, and inserted their own fake name servers which directed victims to their own fake wallet site, thereby draining some people's wallets. It generated a lot of discussion at the time... What isn't fully appreciated is that attack has, in fact, changed the game somewhat... more

WHOIS Users Facing Serious Challenges Caused by Post-GDPR Fragmentation

On May 25, 2018, the European General Data Protection Regulation (GDPR) came into effect, meaning that European data protection authorities (DPAs) can begin enforcing the regulation against non-compliant parties. In preparation, the ICANN Board passed a Temporary Specification for gTLD Registration Data - essentially a temporary policy amendment to its registrar and registry contracts to facilitate GDPR compliance while also preserving certain aspects of the WHOIS system of domain name registration data. more

Industry Updates

Verisign Q4 2018 Domain Name Industry Brief: Internet Grows to 348.7 Million Domains in Q4 of 2018

Afilias Appoints Ram Mohan as Chief Operating Officer

Neustar Logs Into Digital India as the New Technical Services Provider for Country’s .IN Domain

Verisign Q3 2018 Domain Name Industry Brief: Internet Grows to 342.4 Million Domains in Q3 of 2018

Neustar to Acquire Verisign's Security Services Customer Contracts

Afilias Sets GUINNESS WORLD RECORDS Title for the Largest Migration of a TLD in a Single Transition

Operational Update Regarding the KSK Rollover for Administrators of Recursive Name Servers

eco/i2Coalition Update Webinar on ICANN Contracted Party GDPR Compliance

DNS-Based Threats: Cache Poisoning

dotPR Addresses Remain Operational Despite Puerto Rico Island Wide Power Outage

KSK Rollover Webinar to Be Held with ECO and ICANN Tuesday, April 24th

Afilias to Support ICANN Community Response to the EU's GDPR

DNS-Based Threats: DNS Reflection and Amplification Attacks

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital