DNS Security

Sponsored
by

Noteworthy

Blogs

KSK Rollover, Elliptical Curve Vulnerabilities, Surveillance and Privacy. Are We Building Trust?

ICANN just recently performed a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) Rollover. The recent KSK Rollover that took place on the 11th October 2018. The KSK Rollover has been successful and congratulations are in order. The Root Zone DNSSEC Key Signing Key "KSK" is the top most cryptographic key in the DNSSEC hierarchy. The KSK is a cryptographic public-private key pair. more

How to Prepare for the DNSSEC Root KSK Rollover on October 11, 2018

Are you ready? Are your systems prepared so that DNS will keep functioning for your networks? One week from today, on Thursday, October 11, 2018, at 16:00 UTC ICANN will change the cryptographic key that is at the center of the DNS security system - what we call DNSSEC. The current key has been in place since July 15, 2010. This is a long-planned replacement. more

The Root KSK Rollover? What Does It Mean for Me?

In a little over two weeks, precisely in 17 days (on 11 October 2018 at 16:00 UTC), ICANN will roll the Domain Name System Security Extensions (DNSSEC) root Key Signing Key (KSK). If you are a Domain Name System (DNS) and DNSSEC expert already engaged globally on the topic, you are certainly both well aware and ready for the rollover. This article is probably not for you! If however, you are out there focused on your day to day running or managing a DNS infrastructure... more

(DNS) Security Protocols Do What They Say on the Tin

DNS-over-TLS has recently become a welcome addition to the range of security protocols supported by DNS. It joins TSIG, SIG(0) and DNSSEC to add privacy, and, in the absence of validating stub resolvers, necessary data integrity on the link between a full-service resolver and the users' stub resolver. (The authenticated source feature of TLS may also offer some additional benefits for those of a nervous disposition.) Good stuff. What is not good stuff is... more

A Look at the Current State of DNSSEC in the Wild

The DNS system is, unfortunately, rife with holes like Swiss Cheese; man-in-the-middle attacks can easily negate the operation of TLS and website security. To resolve these problems, the IETF and the DNS community standardized a set of cryptographic extensions to cryptographically sign all DNS records... Now that these standards are in place, how heavily is DNSSEC being used in the wild? How much safer are we from man-in-the-middle attacks against TLS and other transport encryption mechanisms? more

Call for Participation - ICANN DNSSEC Workshop at ICANN63 Barcelona

Do you have a great idea about DNSSEC or DANE that you'd like to share with the wider community? If so, and you're planning to be in Barcelona, Spain for ICANN63 in October 2018, submit a proposal to present your idea at the DNSSEC Workshop! Send a brief (1-2 sentence) description of your proposed presentation to dnssec-barcelona@isoc.org by Friday, 07 September 2018. more

DNSSEC and DNS over TLS

The APNIC Blog has recently published a very interesting article by Willem Toorop of NLnet Labs on the relationship between Security Extensions for the DNS (DNSSEC) and DNS over Transport Layer Security. Willem is probably being deliberately provocative in claiming that "DoT could realistically become a viable replacement for DNSSEC." If provoking a reaction was indeed Willem's intention, then he has succeeded for me, as it has prompted this reaction. more

The Uncertainty of Measuring the DNS

The period around the end of the nineteenth century and the start of the twentieth century saw a number of phenomenal advances in the physical sciences. There was J.J. Thompson's discovery of the electron in 1897, Max Planck's quantum hypothesis in 1900, Einstein's ground-breaking papers on Brownian motion, the photoelectric effect and special relativity in 1905, and Ernest Rutherford's study of the nucleus published in 1911 to mention but a few of the fundamental discoveries of the time. more

Internet Evolution: Another 10 Years Later

Ten years ago, I wrote an article that looked back on the developments within the Internet over the period from 1998 to 2008. Well, another ten years have gone by, and it's a good opportunity to take a little time once more to muse over what's new, what's old and what's been forgotten in another decade of the Internet's evolution... The evolutionary path of any technology can often take strange and unanticipated turns and twists. more

Live On Monday, 25 June - DNSSEC Workshop at ICANN 62 in Panama

With the DNSSEC Root Key Rollover coming up on October 11, how prepared are we as an industry? What kind of data can we collect in preparation? What is the cost-benefit (or not) of implementing DANE? What can we learn from an existing rollover of a cryptographic algorithm? All those questions and more will be discussed at the DNSSEC Workshop at the ICANN 62 meeting in Panama City, Panama, on Monday, June 25, 2018. more

Why You Must Learn to Love DNSSEC

It's been nearly two months since the high profile BGP hijack attack against MyEtherwallet, where crypto thieves used BGP leaks to hijack MEW's name servers, which were on Amazon's Route53, and inserted their own fake name servers which directed victims to their own fake wallet site, thereby draining some people's wallets. It generated a lot of discussion at the time... What isn't fully appreciated is that attack has, in fact, changed the game somewhat... more

Call for Participation - ICANN DNSSEC Workshop at ICANN62, Panama City

Would you like to share information about how you are using DNSSEC with the wider technical community? Do you have an idea for how to make DNSSEC or DANE work better? Or work with new applications? If so - and if you will be attending ICANN 62 in Panama City, Panama from 25-28 June 2018 - then please consider sending in a proposal to participate as a speaker in the ICANN 62 DNSSEC Workshop! more

Takeaways from the DNS-OARC's 28th Workshop

March has seen the first of the DNS Operations, Analysis, and Research Center (OARC) workshops for the year, where two days of too much DNS is just not enough! These workshops are concentrated within two days of presentations and discussions that focus exclusively on the current state of the DNS. Here are my impressions of the meeting. more

Have We Reached Peak Use of DNSSEC?

The story about securing the DNS has a rich and, in Internet terms, protracted history. The original problem statement was simple: how can you tell if the answer you get from your query to the DNS system is 'genuine' or not? The DNS alone can't help here. You ask a question and get an answer. You are trusting that the DNS has not lied to you, but that trust is not always justified. more

CircleID's Top 10 Posts of 2017

It is once again time for our annual review of posts that received the most attention on CircleID during the past year. Congratulations to all the 2017 participants for sharing their thoughts and making a difference in the industry. 2017 marked CircleID's 15th year of operation as a medium dedicated to all critical matters related to the Internet infrastructure and services. We are in the midst of historic times, facing rapid technological developments and there is a lot to look forward to in 2018. more

News Briefs

ICANN Facing Critical Choice for Plan to Change DNS Cryptographic Key

Large-Scale Study by Security Researchers in China Sheds Light on the Scope of DNS Interception

Russia in Talks to Create Independent DNS

IBM Launches Quad9, a DNS-based Privacy and Security Service to Protect Users from Malicious Sites

ICANN Delays Plans to Change DNS Cryptographic Key, Says Near 750 Million People at Risk if Rushed

NIST Publishes Guide for DNS-Based Email Security, Draft Open for Public Comments

Sweden Makes its TLD Zone File Publicly Available

Large Volume of DNSSEC Amplification DDoS Observed, Akamai Reports

91.3% of Malware Use DNS as a Key Capability

ISOC's DNSSEC Deployment Map Available In Global Internet Maps (Interactive)

Paul Vixie on How the Openness of the Internet Is Poisoning Us

GSA Looking Into .gov Outages

ISOC Joins Forces with Shinkuro and Parsons to Promote Global Deployment of DNSSEC

U.S. CERT Issues Alert on DNS Amplification Attacks

Google Announces DNSSEC Support for Public DNS Service

Report Reveals Planned DNSSEC Adoption of 2010 by Key Industries Still in Limbo

Internet Society ION Conferences: Call for Speakers - IPv6 and DNSSEC Experts

Google Notifying Half a Million Users Affected By DNSChanger

DNSChanger Disruption Inevitable, ISPs Urged to Bolster User Support

Why SOPA Defender Joins Internet Society as Regional Director

Most Viewed

Most Commented

Afilias Updates – Sponsor

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

IDG's Computerworld announces Ram Mohan, Afilias' executive vice president and chief technology officer, as a 2016 Premier 100 Technology Leaders honoree. This year's Premier 100 spotlights 100 leaders of companies for their exceptional technology leadership and innovative approaches to business challenges. more

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

IONs are part of the Internet Society's Deploy360 Programme, which aims to foster the global adoption of key Internet technology standards such as IPv6, DNSSEC, and secure routing protocols. more

Being a .PRO When Choosing a Registry Services Partner

We're excited to bring a new top-level domain into the Afilias family and help grow the use of it. I also think it shows that the top-level domain business is a unique one -- and it's not one to be entered into lightly. more

Afilias Says "No" to SOPA

The Stop Online Piracy Act (SOPA) is the subject of substantial controversy in the United States, and the domain name industry is squarely in the middle of the debate. Many DNS service providers and technology developers in the industry oppose SOPA, Afilias among them. Here's why. more

Afilias Secures .GI, .MN, and .SC Domains with DNSSEC

Afilias, a global provider of Internet infrastructure services, today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for .GI, the country code Top Level Domain (ccTLD) for Gibraltar, .MN for Mongolia, and .SC for the Seychelles. more

Afilias and DotAsia Collaborate on DNSSEC Implementation for .ASIA

This week, at the 79th Internet Engineering Task Force (IETF) meeting in Beijing, China, Afilias and DotAsia jointly announced that Domain Name System Security Extensions (DNSSEC) has been enabled for the .ASIA top-level domain. more

Afilias Improves Security for .IN Domain With DNSSEC

Afilias today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for the .IN country code top-level domain (TLD) for the country of India, improving global security for this domain which houses over 700,000 .IN domains. more

Industry Updates

Participants – Random Selection