DNS Security

Noteworthy

 The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!

 Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.

 There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: SSL or DNSSEC. The answer is quite simple - you should use both.

 Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".

Blogs

DNSSEC Workshop Streaming Live From ICANN 51 On Wednesday, Oct 15

Want to learn about the state of DNSSEC usage in North America? Or what is new in DNS monitoring? Or where DNSSEC fits into the plans of operating systems? Or how DANE is being used to bring a higher level of security to email? All those questions and much more will be discussed at the DNSSEC Workshop at ICANN 51 happening on Wednesday, October 15, 2014, from 8:30 am to 2:45 pm Pacific Daylight Time (PDT, which is UTC-7). more»

Some Observations from NANOG 62

NANOG 62 was held at Baltimore from the 6th to the 9th October. These are my observations on some of the presentations that occurred at this meeting. .. One of the more memorable sides in this presentation was a reference to "map" drawn by Charles Minard in 1869 describing the statistics relating to the Napoleonic military campaign in Russia, and the subsequent retreat. more»

Credit Card Breaches a Salutary Lesson for DNSSEC Adoption

Maintaining an 150 year old house requires two things, a lot of time and a lot of trips to the hardware store. Since the closest hardware store to my house is Home Depot, it is rare that a weekend passes without at least one trip to Home Depot. So now in the wake of the Home Depot data breach I am through no fault of my own in a situation where any or all of the bank cards I use regularly could be cancelled if the issuer decides they might be compromised. And this is not the first time this has happened to me this year. more»

Watch ION Belfast / UKNOF Live Tuesday, Sept 9, for IPv6, DNSSEC, BGP Security and More

On Tuesday, September 9, 2014, you have a great opportunity to watch live a very packed agenda full of great sessions about IPv6, DNSSEC, routing/BGP security and other components of Internet infrastructure streaming out of the UKNOF / ION Belfast event in Belfast, UK. All of the sessions can be seen live. more»

DNSSEC Adoption - A Status Report (Part One)

Where is the domain industry with the adoption of DNSSEC? After a burst of well publicized activity from 2009-2011 -- .org, .com, .net, and .gov adopting DNSSEC, roots signed, other Top-Level Domains (TLDs) signed -- the pace of adoption appears to have slowed in recent years. As many CircleID readers know, DNSSEC requires multiple steps in the chain of trust to be in place to improve online security. more»

Call for Nominations: M3AAWG J. D. Falk Award Seeks Stewards of a Better Online World

Anyone seeking to honor a groundbreaking contribution toward a better online world should submit a nomination for the 2014 M3AAWG J. D. Falk Award. Presented to people whose work on specific projects made the Internet a safer, more collaborative, more inclusive place, the J. D. Falk Award has recognized leaders and pioneers who saw elements of the online experience that needed improvement and took action to fix them.  more»

Some Internet Measurements

At APNIC Labs we've been working on developing a new approach to navigating through some of our data sets the describe aspects of IPv6 deployment, the use of DNSSEC and some measurements relating to the current state of BGP. The intent of this particular set of data collections is to allow the data to be placed into a relative context, displaying comparison of the individual measurements at a level of geographic regions, individual countries, and individual networks. more»

A Great Bit of DNSSEC and DNS at IETF 90 Next Week

For those people tracking the evolution and deployment of DNSSEC or who are just interested in "DNS security" in general there is a great amount of activity happening next week at IETF 90 in Toronto. I dove into this activity in great detail in a recent post, "Rough Guide to IETF 90: DNSSEC, DANE and DNS Security", and summarized the activity in a Deploy360 post... more»

Now Available - A Trend Chart Tracking DNSSEC Validation Globally

How can we track the amount of DNSSEC validation happening globally? Is there a way we can see the trend over time to (we hope!) see validation rise? At the recent excellent DNSSEC Workshop at ICANN 50 in London Geoff Huston let me know that his APNIC Labs team has now created this exact type of trend chart. more»

Painting Ourselves Into a Corner with Path MTU Discovery

In Tony Li's article on path MTU discovery we see this text: "The next attempt to solve the MTU problem has been Packetization Layer Path MTU Discovery (PLPMTUD). Rather than depending on ICMP messaging, in this approach, the transport layer depends on packet loss to determine that the packet was too big for the network. Heuristics are used to differentiate between MTU problems and congestion. Obviously, this technique is only practical for protocols where the source can determine that there has been packet loss. Unidirectional, unacknowledged transfers, typically using UDP, would not be able to use this mechanism. To date, PLPMTUD hasn't demonstrated a significant improvement in the situation." Tony's article is (as usual) quite readable and useful, but my specific concern here is DNS... more»

3 DNSSEC Sessions Happening At ICANN 50 Next Week in London

As I mentioned in a post to the Deploy360 blog today, there are three excellent sessions relating to DNSSEC happening at ICANN 50 in London next week: DNSSEC For Everybody: A Beginner's Guide; DNSSEC Implementers Gathering; DNSSEC Workshop. Find out more. more»

NANOG 61 - Impressions of Some Presentations

The recent NANOG 61 meeting was a pretty typical NANOG meeting, with a plenary stream, some interest group sessions, and an ARIN Public Policy session. The meeting attracted some 898 registered attendees, which was the biggest NANOG to date. No doubt the 70 registrations from Microsoft helped in this number, as the location for NANOG 61 was in Bellevue, Washington State, but even so the interest in NANOG continues to grow... more»

Wow! BIND9 9.10 Is out, and What a List of Features!

Today the e-mail faerie brought news of the release of BIND9 9.10.0 which can be downloaded from here. BIND9 is the most popular name server on the Internet and has been ever since taking that title away from BIND8 which had a few years earlier taken it from BIND4. I used to work on BIND, and I founded ISC, the home of BIND, and even though I left ISC in July 2013 to launch a commercial security startup company, I remain a fan of both ISC and BIND. more»

Proceedings of Name Collisions Workshop Available

Keynote speaker, and noted security industry commentator, Bruce Schneier (Co3 Systems ) set the tone for the two days with a discussion on how humans name things and the shortcomings of computers in doing the same. Names require context, he observed, and "computers are really bad at this" because "everything defaults to global." Referring to the potential that new gTLDs could conflict with internal names in installed systems, he commented, "It would be great if we could go back 20 years and say 'Don't do that'," but concluded that policymakers have to work with DNS the way it is today. more»

DNSSEC Workshop on March 26 to Be Streamed Live from ICANN 49 in Singapore

If you are interested in DNSSEC and how it can make the Internet more secure, the DNSSEC Workshop at ICANN 49 in Singapore will be streamed live for anyone to listen and view. One of three DNSSEC-related technical events at ICANN 49, the DNSSEC Workshop takes place on Wednesday, March 26, from 8:30am - 2:45pm Singapore time. more»

News Briefs

Paul Vixie on How the Openness of the Internet Is Poisoning Us

GSA Looking Into .gov Outages

ISOC Joins Forces with Shinkuro and Parsons to Promote Global Deployment of DNSSEC

U.S. CERT Issues Alert on DNS Amplification Attacks

Google Announces DNSSEC Support for Public DNS Service

Report Reveals Planned DNSSEC Adoption of 2010 by Key Industries Still in Limbo

Internet Society ION Conferences: Call for Speakers - IPv6 and DNSSEC Experts

Google Notifying Half a Million Users Affected By DNSChanger

DNSChanger Disruption Inevitable, ISPs Urged to Bolster User Support

Why SOPA Defender Joins Internet Society as Regional Director

NASA Website Blocked Due to DNSSEC Error

Comcast Announces Completion of DNSSEC Deployment

Internet Groups Inaugurate First of Three Cyber Security Facilities

Experts Urge Congress to Reject DNS Filtering from PROTECT IP Act, Serious Technical Concerns Raised

Nominet Rolls Out DNSSEC for 9.4 Million .UK Domains

Citrix Case Study Features Nixu DDI

Garth Bruen Discussing Whois, DNSSEC and Domain Security

DNSSEC Deployed for .COM, Internet's Largest Top-Level Domain

Most US Federal Websites More than a Year Behind Meeting DNSSEC Mandate

Free Toolkit Lets Organizations, Developers Test-Drive DNSSEC

Most Viewed

Most Commented

Afilias Updates – Sponsor

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

IONs are part of the Internet Society's Deploy360 Programme, which aims to foster the global adoption of key Internet technology standards such as IPv6, DNSSEC, and secure routing protocols. ›››

Being a .PRO When Choosing a Registry Services Partner

We're excited to bring a new top-level domain into the Afilias family and help grow the use of it. I also think it shows that the top-level domain business is a unique one -- and it's not one to be entered into lightly. ›››

Afilias Says "No" to SOPA

The Stop Online Piracy Act (SOPA) is the subject of substantial controversy in the United States, and the domain name industry is squarely in the middle of the debate. Many DNS service providers and technology developers in the industry oppose SOPA, Afilias among them. Here's why. ›››

Afilias Secures .GI, .MN, and .SC Domains with DNSSEC

Afilias, a global provider of Internet infrastructure services, today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for .GI, the country code Top Level Domain (ccTLD) for Gibraltar, .MN for Mongolia, and .SC for the Seychelles. ›››

Afilias and DotAsia Collaborate on DNSSEC Implementation for .ASIA

This week, at the 79th Internet Engineering Task Force (IETF) meeting in Beijing, China, Afilias and DotAsia jointly announced that Domain Name System Security Extensions (DNSSEC) has been enabled for the .ASIA top-level domain. ›››

Afilias Improves Security for .IN Domain With DNSSEC

Afilias today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for the .IN country code top-level domain (TLD) for the country of India, improving global security for this domain which houses over 700,000 .IN domains. ›››

Afilias Increases DNS Security in Latin America and the Caribbean with Deployment of DNSSEC

Afilias, a global provider of Internet infrastructure services, today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for five country code Top-Level-Domains (ccTLDs) in Latin America and the Caribbean region. ›››

Industry Updates

Participants – Random Selection