Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".
Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.
There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: SSL or DNSSEC. The answer is quite simple - you should use both.
Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point.
The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!
There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: using Secure Socket Layer (SSL), or using DNS Security Extensions (DNSSEC). The answer is quite simple -- you should use both. The reason for this is that they solve different problems, using different methods, and operate over different data. more»
A fundamental flaw in the design of the Domain Name System (DNS) was found earlier this year by security researcher Dan Kaminsky, renowned Internet Security expert. Researchers say they will fully describe the vulnerability in 30 days, after companies that operate web sites or Internet service providers can put the patches in place. The flaw is big enough that Kaminsky and other companies involved brought in government agencies such as the Department of Homeland Security and the U.S. Computer Emergency Response Team. Until the announcement today, experts had been quietly working of coordinating a massive patch affecting all types DNS implementation. Experts emphasized during the press conference today that the flaw is within the DNS protocol and in no way specific to any particular vendor. A DNS checker tool is available on Kaminsky's website located on the top right hand corner. more»
I first became familiar with DNSSEC around 2002 when it was a feature of the Bind9 server, which I was using to setup a new authoritative DNS platform for customers of the ISP I was working for. I looked at it briefly, decided it was too complex and not worth investigating. A couple of years later a domain of a customer got poisoned in another ISPs network. And while the DNS service we provided was working properly, the customers impression was we hadn't protected them. more»
On January 18, 2012, Comcast customers found they could not access the NASA.gov website. Some users assumed that Comcast was deliberately blocking the website or that NASA, like Wikipedia and Reddit, was participating in the "blackout" protests against the Stop Online Piracy Act (SOPA) going on that day. As it turned out, the truth was much less exciting, but it offers important lessons about DNSSEC. more»
The U.S. Congress' road to Stopping Online Piracy (SOPA) and PROTECT IP (PIPA) has had some twists and turns due to technical constraints imposed by the basic design of the Internet's Domain Name System (DNS). PIPA's (and SOPA's) provisions regarding advertising and payment networks appear to be well grounded in the law enforcement tradition called following the money, but other provisions having to do with regulating American Internet Service Providers (ISPs) so as to block DNS resolution for pirate or infringing web sites have been shown to be ineffectual, impractical, and sometimes unintelligible. more»
The Domain Name System Security Extensions (DNSSEC) is a suite of IETF-developed specifications designed to validate information provided by the Domain Name System (DNS). ... When the root zone was signed in June 2010, this acted as a catalyst for TLD operators to deploy DNSSEC on their side. We have seen a gradual but significant increase in signed TLDs since then. The map in this post shows the level of DNSSEC deployment in Europe. more»
Chuck Kisselburg writes: Responsible for safe-guarding a share of the ROOT Zone's DNSSEC Recovery Key, Paul Kane, CEO of CommunityDNS, is one of 7 TCRs (Trusted Community Representative) selected from around the globe by ICANN. "In the event of a security breach -- such as a terrorist attack -- Mr Kane may be required to travel to a secure location in the US." more»
It's no secret that Comcast has been leading the charge of DNSSEC deployment among ISPs. For the past couple years, Comcast has been testing and pushing for the widespread adoption of DNSSEC. In the spirit of increasing adoption, I thought I would interview the DNS gurus at Comcast to see what they've learned and what advice they would give other ISPs considering DNSSEC deployment. more»
One would think with an annual budget in excess of 60 million dollars a year and a staff of upwards of 140 (including consultants), that someone would have figured out how to prevent the organization from repeatedly shooting itself in the foot. Unfortunately not even a year of star-fish management oversight by the likes of Rod Beckstrom seems to have done the trick. Exhibit One, earlier this week on CircleID we learned about the first Root Zone DNSSEC KSK Ceremony on Wednesday 2010-06-16 in Culpeper, VA, USA. Of course given the significance of this event one would reasonably assume that ICANN might mention this somewhere on the main page of their website? more»
In January we presented the glorious history of the MIT spam conference, today we present the schedule for the first day. Opening session will be from this author, Garth Buren with a topic entitled The Internet Doomsday Book, with details be released the same day as the presentation. Followed by Dr. Robert Bruen with a review of activities since the last MIT spam conference... more»
A small but intriguing paragraph in the VeriSign settlement says that ICANN gets to maintain the root zone. I thought they did now, but I guess VRSN does, following advice from ICANN. This has two and a half effects. The most obvious is political -- if ICANN rather than VRSN is distributing the root zone, it removes the symbolic significance of VeriSign's A root server. The second is DNSSEC key management. Until now, the contents of the root zone have been pretty boring, a list of names and IP addresses of name servers. If DNSSEC is deployed in the root, which is not unlikely in the next few months, ICANN rather than VeriSign will hold the crypto keys used to sign the root zone. If a tug of war develops, whoever holds the keys wins, since without the keys, you can't publish a new version of the root with changed or added records unless you publish your own competing set of keys and can persuade people to use them. more»
DNSSEC continues to gain momentum as network operators and domain owners watch and learn from early adopters. The learning process is made easier by efforts such as the ongoing work conducted by researchers at Sandia labs to methodically identify and categorize the kinds of problems that are occurring. more»
Last year the municipality of Gavle asked my company if we could help them load share the streaming pictures of the famous Christmas goat in Gävle. I accepted the invitation and set up a separate domain. My own interest in this was of course to track the usage of IPv6 and validation of DNSSEC from the visitors of the site. more»
When I see glib talk about the inevitable transition to IPv6 or DNSSEC, I have to wonder what industry people think they are working in. Let me give an example that has nothing to do with networking: storage capacity. Now if there is one constant that everyone in the computing industry can agree on it is that they expect storage media capacity to increase. more»
I consult on communication issues for Neustar, an Internet infrastructure company. As most CircleIDers know, Neustar works behind the scenes to ensure the smooth operation of many critical systems like DNS, .us and .biz, local number portability and digital rights management. One of the cool things about working for them is the chance to attend the events they sponsor. Last week Neustar held a security briefing for senior federal IT personnel focused on Cybersecurity and Domain Name System Security Extensions (DNSSEC)... more»
