DNS Security

Noteworthy

 Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".

 DNSSEC technology standards have been stable and mature since 2007, with only updates, clarifications, and new functionality added since then.

 The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!

 Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.

Blogs

Call for Participation - DNSSEC Workshop at ICANN 59 in Johannesburg

Do you have ideas about DNSSEC or DANE that you would like to share with the wider community? Have you created a new tool or service? Have you found a way to use DNSSEC to secure some other service? Do you have new statistics about the growth or usage of DNSSEC, DANE or other related technology? If so, and if you will be in Johannesburg, South Africa, for ICANN 59 in June 2017 (or can get there), please consider submitting a proposal to speak at the ICANN 59 DNSSEC Workshop! more»

ICANN Complaint System Easily Gamed

ICANN's WDPRS system has been defeated. The system is intended to remove or correct fraudulently registered domains, but it does not work anymore. Yesterday I submitted a memo to the leadership of the ICANN At-Large Advisory Committee (ALAC) and the greater At-Large community. The memo concerns the details of a 214-day saga of complaints about a single domain used for trafficking opioids. more»

And the Wait Continues for .Corp, .Home and .Mail Applicants

On 6 March 2017, ICANN's GDD finally responded to an applicant letter written on 14 August 2016 to the ICANN Board. This was not a response from the ICANN Board to the letter from 2016 but a response from ICANN staff. The content of this letter can best be described as a Null Response. It reminded the applicants that the Board had put the names on hold and was still thinking about what to do. more»

Here is the DNSSEC Activity at ICANN 58 in Copenhagen March 12-15, 2017

Want to learn more about the current state of DNSSEC? Want to see demos of new software to secure email? Curious about the potential impact of the Root Key Rollover happening this year? Next week in Copenhagen, Denmark, ICANN 58 will include some great technical info about DNSSEC and DANE happening in several sessions. Here is the plan... more»

At the NCPH Intersessional, Compliance Concerns Take Centre Stage

The non-contracted parties of the ICANN community met in Reykjavík last week for their annual intersessional meeting, where at the top of the agenda were calls for more transparency, operational consistency, and procedural fairness in how ICANN ensures contractual compliance. ICANN, as a quasi-private cooperative, derives its legitimacy from its ability to enforce its contracts with domain name registries and registrars... more»

The Root of the DNS

Few parts of the Domain Name System are filled with such levels of mythology as its root server system. Here I'd like to try and explain what it is all about and ask the question whether the system we have is still adequate, or if it's time to think about some further changes. The namespace of the DNS is a hierarchically structured label space. Each label can have an arbitrary number of immediately descendant labels, and only one immediate parent label. more»

Cyber-Terrorism Rising, Existing Cyber-Security Strategies Failing, What Are Decision Makers to Do?

While conventional cyber attacks are evolving at breakneck speed, the world is witnessing the rise of a new generation of political, ideological, religious, terror and destruction motivated "Poli-Cyber™" threats. These are attacks perpetrated or inspired by extremists' groups such as ISIS/Daesh, rogue states, national intelligence services and their proxies. They are breaching organizations and governments daily, and no one is immune. more»

New Report on "State of DNSSEC Deployment 2016" Shows Continued Growth

Did you know that over 50% of .CZ domains are now signed with DNS Security Extensions (DNSSEC)? Or that over 2.5 million .NL domains and almost 1 million .BR domains are now DNSSEC-signed? Were you aware that around 80% of DNS clients are now requesting DNSSEC signatures in their DNS queries? And did you know that over 100,000 email domains are using DNSSEC and DANE to enable secure email between servers? more»

Call for Participation - ICANN DNSSEC Workshop at ICANN58 in Copenhagen

Do you have new information about DNSSEC or DANE that you would like to share with the wider community? Have you created a new tool or service? Have you found a way to use DNSSEC to secure some other service? Do you have new statistics about the growth or usage of DNSSEC, DANE or other related technology? If so, and if you will be in Copenhagen, Denmark, for ICANN 58 in March 2017 (or can get there), please consider submitting a proposal to speak at the ICANN 58 DNSSEC Workshop! more»

DNSSEC Activities at ICANN 57 in Hyderabad on 4-7 November 2016

Friday marks the beginning of the ICANN 57 meeting in Hyderabad, India. As per usual there will be a range of activities related to DNSSEC or DANE. Two of the sessions will be streamed live and will be recorded for later viewing. Here is what is happening. All times below are India Standard Time (IST), which is UTC+05:30. Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted! more»

Taking a Closer Look at the Recent DDoS Attacks and What it Means for the DNS

The recent attacks on the DNS infrastructure operated by Dyn in October 2016 have generated a lot of comment in recent days. Indeed, it's not often that the DNS itself has been prominent in the mainstream of news commentary, and in some ways, this DNS DDOS prominence is for all the wrong reasons! I'd like to speculate a bit on what this attack means for the DNS and what we could do to mitigate the recurrence of such attacks. more»

Trust Isn't Easy: Drawing an Agenda from Friday's DDoS Attack and the Internet of Things

Last week, millions of infected devices directed Internet traffic to DNS service provider Dyn, resulting in a Distributed Denial of Service (DDoS) attack that took down major websites including Twitter, Amazon, Netflix, and more. In a recent blog post, security expert Bruce Schneier argued that "someone has been probing the defences of the companies that run critical pieces of the Internet". This attack seems to be part of that trend. This disruption begs the question: Can we trust the Internet? more»

A Great Collaborative Effort: Increasing the Strength of the Zone Signing Key for the Root Zone

A few weeks ago, on Oct. 1, 2016, Verisign successfully doubled the size of the cryptographic key that generates DNSSEC signatures for the internet's root zone. With this change, root zone DNS responses can be fully validated using 2048-bit RSA keys. This project involved work by numerous people within Verisign, as well as collaborations with ICANN, Internet Assigned Numbers Authority (IANA) and National Telecommunications and Information Administration (NTIA). more»

Increasing the Strength of the Zone Signing Key for the Root Zone, Part 2

A few months ago I published a blog post about Verisign's plans to increase the strength of the Zone Signing Key (ZSK) for the root zone. I'm pleased to provide this update that we have started the process to pre-publish a 2048-bit ZSK in the root zone for the first time on Sept. 20. Following that, we will publish root zones with the larger key on Oct. 1, 2016. more»

Refutation of the Worst IANA Transition FUD

Of all the patently false and ridiculous articles written this month about the obscure IANA transition which has become an issue of leverage in the partisan debate over funding the USG via a Continuing Resolution, this nonsense by Theresa Payton is the most egregiously false and outlandish. As such, it demands a critical, nearly line by line response. more»

News Briefs

NIST Publishes Guide for DNS-Based Email Security, Draft Open for Public Comments

Sweden Makes its TLD Zone File Publicly Available

Large Volume of DNSSEC Amplification DDoS Observed, Akamai Reports

91.3% of Malware Use DNS as a Key Capability

ISOC's DNSSEC Deployment Map Available In Global Internet Maps (Interactive)

Paul Vixie on How the Openness of the Internet Is Poisoning Us

GSA Looking Into .gov Outages

ISOC Joins Forces with Shinkuro and Parsons to Promote Global Deployment of DNSSEC

U.S. CERT Issues Alert on DNS Amplification Attacks

Google Announces DNSSEC Support for Public DNS Service

Report Reveals Planned DNSSEC Adoption of 2010 by Key Industries Still in Limbo

Internet Society ION Conferences: Call for Speakers - IPv6 and DNSSEC Experts

Google Notifying Half a Million Users Affected By DNSChanger

DNSChanger Disruption Inevitable, ISPs Urged to Bolster User Support

Why SOPA Defender Joins Internet Society as Regional Director

NASA Website Blocked Due to DNSSEC Error

Comcast Announces Completion of DNSSEC Deployment

Internet Groups Inaugurate First of Three Cyber Security Facilities

Experts Urge Congress to Reject DNS Filtering from PROTECT IP Act, Serious Technical Concerns Raised

Nominet Rolls Out DNSSEC for 9.4 Million .UK Domains

Most Viewed

Most Commented

Afilias Updates – Sponsor

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

IDG's Computerworld announces Ram Mohan, Afilias' executive vice president and chief technology officer, as a 2016 Premier 100 Technology Leaders honoree. This year's Premier 100 spotlights 100 leaders of companies for their exceptional technology leadership and innovative approaches to business challenges. ›››

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

IONs are part of the Internet Society's Deploy360 Programme, which aims to foster the global adoption of key Internet technology standards such as IPv6, DNSSEC, and secure routing protocols. ›››

Being a .PRO When Choosing a Registry Services Partner

We're excited to bring a new top-level domain into the Afilias family and help grow the use of it. I also think it shows that the top-level domain business is a unique one -- and it's not one to be entered into lightly. ›››

Afilias Says "No" to SOPA

The Stop Online Piracy Act (SOPA) is the subject of substantial controversy in the United States, and the domain name industry is squarely in the middle of the debate. Many DNS service providers and technology developers in the industry oppose SOPA, Afilias among them. Here's why. ›››

Afilias Secures .GI, .MN, and .SC Domains with DNSSEC

Afilias, a global provider of Internet infrastructure services, today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for .GI, the country code Top Level Domain (ccTLD) for Gibraltar, .MN for Mongolia, and .SC for the Seychelles. ›››

Afilias and DotAsia Collaborate on DNSSEC Implementation for .ASIA

This week, at the 79th Internet Engineering Task Force (IETF) meeting in Beijing, China, Afilias and DotAsia jointly announced that Domain Name System Security Extensions (DNSSEC) has been enabled for the .ASIA top-level domain. ›››

Afilias Improves Security for .IN Domain With DNSSEC

Afilias today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for the .IN country code top-level domain (TLD) for the country of India, improving global security for this domain which houses over 700,000 .IN domains. ›››

Industry Updates

Participants – Random Selection