DNS Security

Noteworthy

 Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".

 The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!

 DNSSEC technology standards have been stable and mature since 2007, with only updates, clarifications, and new functionality added since then.

 Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.

DNS Security / Featured Blogs

The Path Toward Increasing the Security of DNSSEC with Elliptic Curve Cryptography

How do we make DNSSEC even more secure through the use of elliptic curve cryptography? What are the advantages of algorithms based on elliptic curves? And what steps need to happen to make this a reality? What challenges lie in the way? Over the past few months we've been discussing these questions within the community of people implementing DNSSEC, with an aim of increasing both the security and performance of DNSSEC. more»

DNSSEC Workshop Streaming Live from ICANN 55 in Marrakech on Wednesday, March 9, 2016

What is the current state of DNSSEC deployment around the world and also in Africa? How can you deploy DNSSEC at a massive scale? What is the state of using elliptic curve crypto algorithms in DNSSEC? What more can be done to accelerate DNSSEC deployment? Discussion of all those questions and much more can be found in the DNSSEC Workshop streaming live out of the ICANN 55 meeting in Marrakech, Morocco, on Wednesday, March 9, from 9:00 to 15:15 WET. more»

Can We Really Blame DNSSEC for Larger-Volume DDoS attacks?

In its security bulletin, Akamai's Security Intelligence Response Team (SIRT) reported on abuse of DNS Security Extensions (DNSSEC) when mounting a volumetric reflection-amplification attack. This is not news, but I'll use this opportunity to talk a bit about whether there is a trade-off between the increased security provided by DNSSEC and increased size of DNS responses that can be leveraged by the attackers. more»

IPv6 and DNSSEC Are Respectively 20 and 19 Years Old. Same Fight and Challenges?

A few weeks ago I came across an old interview of me by ITespresso.fr from 10 years back entitled "IPv6 frees human imagination". At the time, I was talking about the contributions IPv6 was expected to make and the challenges it had to face. After reading the article again, I realized that it has become a little dusty (plus a blurred photo of the interviewee :-)). But what caught my attention the most in the interview was my assertion: "If IPv6 does not prevail in 2006, it's a safe bet that it will happen in 2007". Wow! more»

Thought Leaders Create New Trends & Solutions, Followers Just Follow - Which Are You?

Last week I asked on a post elsewhere, why we, at the MLi Group, chose to consider speakers, panelists, supporters and sponsors at our Global Summit Series (GSS) as "Thought Leaders" and "Trend Setters? Many wrote me directly offering their answers and then it dawned on me that my answer may (or may not) get appreciated by many at the ICANN community. So here is why we do. more»

Call for Participation - DNSSEC Workshop at ICANN 55 in Marrakech, Morocco

Do you have an idea for a new way to use DNSSEC or DANE to make the Internet more secure? Have you recently installed DNSSEC and have a great case study you can share of lessons learned? Do you have a new tool or service that makes DNSSEC or DANE easier to use or deploy? Do you have suggestions for how to improve DNSSEC? Or new ways to automate or simplify the user experience? If you do, and if you will be attending ICANN 55 in Marrakech, Morocco (or can get there), we are now seeking proposals for the ICANN 55 DNSSEC Workshop that will take place on Wednesday, 9 March 2016. more»

Officially Compromised Privacy

The essence of information privacy is control over disclosure. Whoever is responsible for the information is supposed to be able to decide who sees it. If a society values privacy, it needs to ensure that there are reasonable protections possible against disclosure to those not authorized by the information's owner. In the online world, an essential technical component for this assurance is encryption. If the encryption that is deployed permits disclosure to those who were not authorized by the information's owner, there should be serious concern about the degree of privacy that is meaningfully possible. more»

How DANE Strengthens Security for TLS, S/SMIME and Other Applications

The Domain Name System (DNS) offers ways to significantly strengthen the security of Internet applications via a new protocol called the DNS-based Authentication of Named Entities (DANE). One problem it helps to solve is how to easily find keys for end users and systems in a secure and scalable manner. It can also help to address well-known vulnerabilities in the public Certification Authority (CA) model. Applications today need to trust a large number of global CAs. more»

NANOG 65 Report

NANOG 65 was once again your typical NANOG meeting: a set of operators, vendors, researchers and others for 3 days, this time in Montreal in October. Here's my impressions of the meeting... The opening keynote was from Jack Waters from Level 3, which looked back over the past 25 years of the Internet, was interesting to me in its reference to the "Kingsbury Letter". more»

Thoughts on the Open Internet - Part 5: Security

Any form of public communications network necessarily exposes some information about the identity and activity of the user's of its services. The extent to which such exposure of information can be subverted and used in ways that are in stark opposition to the users' individual interests forms part of the motivation on the part of many users to reduce such open exposure to an absolute minimum. The tensions between a desire to protect the user through increasing the level of opacity of network transactions to third party surveillance, and the need to expose some level of basic information to support the functions of a network lies at the heart of many of the security issues in today's Internet. more»