DNS Security

Noteworthy

 Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.

 DNSSEC technology standards have been stable and mature since 2007, with only updates, clarifications, and new functionality added since then.

 Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".

 The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!

DNS Security / Featured Blogs

Increasing DNSSEC Adoption - What if We Put DNSSEC Provision in the Hands of Registries?

There has been a lot of criticism about the worthiness of DNSSEC. Low adoption rates and resistance and reluctance by Registrars to take on the perceived burden of signing domains and passing-on cryptographic material are at the crux of the criticism. I'm a believer in DNSSEC as a unique and worthwhile security protocol and as a new platform for innovation. It's the reason I've long advocated for and continue to work toward a new model of DNSSEC provisioning. more»

DNSSEC Successes, Statistics and Innovation Streaming Live from ICANN 53 on 24 June 2015

Where has DNSSEC been successful? What are some current statistics about DNSSEC deployment? What are examples of innovations that are happening with DNSSEC and DANE? All of these questions will be discussed at the DNSSEC Workshop at ICANN 53 in Buenos Aires happening on Wednesday, June 24, 2015, from 09:00 – 15:15 Argentina time (UTC-3). You can watch and listen to the session live. more»

DNSSEC - Failure to Launch

DNSSEC is a mechanism where clients can verify the authenticity of the answers they receive from servers. There are two sides here. The server must supply signed answers, and the client must verify the signatures on those answers. The validation/verification side is widely implemented, but there are very few signed zones... However, if no one signs their zones, those validating resolvers don't have many signatures to check. more»

Registry Lock - or EPP With Two Factor Authentication

For the last couple of years, the most common attack vector against the DNS system is the attack against the registrar. Either the attack is on the software itself using weaknesses in the code that could inject DNS changes into the TLD registry, or social engineering the registrar support systems and the attacker receives credentials that in turn allows the attacker to perform malicious changes in DNS. DNSSEC is the common security mechanism that protects the DNS protocol, but by using the registrar attack, any changes will result in a proper working DNS delegation. more»

The Internet of Things: Solving Security Challenges from the Fringe to the Core

News flash: to help fight California's drought, Samsung is offering a $100,000 prize to the innovator who creates "the most effective use of IoT and ARTIK [Samsung's IoT platform] technology for reducing water consumption by individuals or municipalities." When the average reader of this news headline needs no explanation of what "IoT" means or what this contest is about, we know IoT, or the Internet of Things, is for real. There are already an estimated 25 billion connected devices around the world, according to expert estimates. more»

The Longevity of the Three-Napkin Protocol

It is not often I go out to my driveway to pick up the Washington Post -- yes, I still enjoy reading a real physical paper, perhaps a sign of age -- and the headline is NOT about how the (insert DC sports team here) lost last night but is instead is about an IT technology. That technology is the Border Gateway Protocol (BGP), a major Internet protocol that has been around for more than a quarter century, before the Internet was commercialized and before most people even knew what the Internet was. more»

Diving Into the DNS

If you are at all interested in how the Internet's Domain Name System (DNS) works, then one of the most rewarding meetings that is dedicated to this topic is the DNS OARC workshops. I attended the spring workshop in Amsterdam in early May, and the following are my impressions from the presentations and discussion. What makes these meetings unique in the context of DNS is the way it combines operations and research, bringing together researchers, builders and maintainers of DNS software systems, and operators of DNS infrastructure services into a single room and a broad and insightful conversation. more»

Internet.nl - A New Site to Easily Test Your Use of IPv6, DNSSEC, TLS and DKIM

"Is Your Internet Up-To-Date?" Does your existing Internet connection work with IPv6 and DNSSEC? Do your web sites support IPv6, DNSSEC and TLS? Is there a quick way to find out? Earlier this month a new site, Internet.nl, was launched to make this all easy for anyone to test. All you do is visit the site at en.internet.nl (also available in Dutch) and just follow the very easy links. more»

Cyptech Needs You!

In August of last year I wrote in a blog about the importance of cryptech to wide-scale trust in the Internet. For those who don't know about it, http://cryptech.is is a project aiming to design and deploy an openly developed, trustable Hardware Security Module (HSM) which can act both as a keystore (holding your secrets and keeping them private) and as a signing engine. more»

Registration Operations is More Than Just Registering Domain Names

Perceptions can be difficult to change. People see the world through the lens of their own experiences and desires, and new ideas can be difficult to assimilate. Such is the case with the registration ecosystem. Today's operational models exist because of decisions made over time, but the assumptions that were used to support those decisions can (and should) be continuously challenged to ensure that they are addressing today's realities. Are we ready to challenge assumptions? Can the operators of registration services do things differently? more»