DNS Security

Noteworthy

 Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".

 Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.

 The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!

 DNSSEC technology standards have been stable and mature since 2007, with only updates, clarifications, and new functionality added since then.

DNS Security / Featured Blogs

Diving Into the DNS

If you are at all interested in how the Internet's Domain Name System (DNS) works, then one of the most rewarding meetings that is dedicated to this topic is the DNS OARC workshops. I attended the spring workshop in Amsterdam in early May, and the following are my impressions from the presentations and discussion. What makes these meetings unique in the context of DNS is the way it combines operations and research, bringing together researchers, builders and maintainers of DNS software systems, and operators of DNS infrastructure services into a single room and a broad and insightful conversation. more»

Internet.nl - A New Site to Easily Test Your Use of IPv6, DNSSEC, TLS and DKIM

"Is Your Internet Up-To-Date?" Does your existing Internet connection work with IPv6 and DNSSEC? Do your web sites support IPv6, DNSSEC and TLS? Is there a quick way to find out? Earlier this month a new site, Internet.nl, was launched to make this all easy for anyone to test. All you do is visit the site at en.internet.nl (also available in Dutch) and just follow the very easy links. more»

Cyptech Needs You!

In August of last year I wrote in a blog about the importance of cryptech to wide-scale trust in the Internet. For those who don't know about it, http://cryptech.is is a project aiming to design and deploy an openly developed, trustable Hardware Security Module (HSM) which can act both as a keystore (holding your secrets and keeping them private) and as a signing engine. more»

Registration Operations is More Than Just Registering Domain Names

Perceptions can be difficult to change. People see the world through the lens of their own experiences and desires, and new ideas can be difficult to assimilate. Such is the case with the registration ecosystem. Today's operational models exist because of decisions made over time, but the assumptions that were used to support those decisions can (and should) be continuously challenged to ensure that they are addressing today's realities. Are we ready to challenge assumptions? Can the operators of registration services do things differently? more»

Join Live On Sunday - 2nd Registration Operations Workshop (ROW) In Dallas

This Sunday, March 22, 2015, the second Registration Operations Workshop (ROW) will be taking place at the Fairmont Dallas hotel from 12:30 -- 4:30 pm CDT. Discussion will include extensions to EPP, new encryption initiatives and also suggestions for ways to further automate DNS interactions between registries, registrars and DNS operators, including a need to do this for DNSSEC. more»

Is DNSSEC Worth the Effort?

A blog post has created some attention online through its extremely negative attitude to DNSSEC. Through the years, I have come in contact with many arguments against DNSSEC that suggest that anyone who is critical has not managed to or wanted to familiarize themselves with what DNSSEC is and does. We have received many questions concerning the article, so I feel it's appropriate to respond to the criticism. more»

Seeking Proposals for ICANN 53 DNSSEC Workshop on June 24, 2015, in Buenos Aires

Are you interested in sharing lessons you've learned in deploying DNSSEC or DANE with the wider community? Have you performed new measurements related to DNSSEC deployment that you want to share publicly? Do you have a new tool or service that you think people in the DNSSEC community would find interesting? Are you seeking feedback on some ideas you have to make DNSSEC better or easier to deploy? more»

Over 75% of All Top-Level Domains (TLDs) Now Signed With DNSSEC

As I was entering in data for the weekly DNSSEC Deployment Maps, I was struck by the fact that we are now at the point where 617 of the 795 top-level domains (TLDs) are now signed with DNSSEC. You can see this easily at Rick Lamb's DNSSEC statistics site...Now, granted, most of that amazing growth in the chart is because all of the "new generic TLDs" (newgTLDs) are required to be signed with DNSSEC, but we are still seeing solid growth around the world. more»

CircleID's Top 10 Posts of 2014

Here we are with CircleID's annual roundup of top ten most popular posts featured during 2014 (based on overall readership). Congratulations to all the participants whose posts reached top readership and best wishes for 2015. more»

DNSSEC Adoption Part 3: A Five Day Hole in Online Security

Implementing security requires attention to detail. Integrating security services with applications where neither the security service nor the application consider their counterpart in their design sometimes make plain that a fundamental change in existing practices is needed. Existing "standard" registrar business practices require revision before the benefits of the secure infrastructure foundation DNSSEC offers can be realized. more»