July 15, 2010 marks the end of the beginning for DNSSEC, and the opening of a new chapter in the task of securing the core infrastructure on which the global Internet relies.
There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: SSL or DNSSEC. The answer is quite simple - you should use both.
Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".
Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point.
The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!
Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.
On January 18, 2012, Comcast customers found they could not access the NASA.gov website. Some users assumed that Comcast was deliberately blocking the website or that NASA, like Wikipedia and Reddit, was participating in the "blackout" protests against the Stop Online Piracy Act (SOPA) going on that day. As it turned out, the truth was much less exciting, but it offers important lessons about DNSSEC. more»
When I see glib talk about the inevitable transition to IPv6 or DNSSEC, I have to wonder what industry people think they are working in. Let me give an example that has nothing to do with networking: storage capacity. Now if there is one constant that everyone in the computing industry can agree on it is that they expect storage media capacity to increase. more»
A misconfiguration in NASA's DNSSEC implementation on its website caused Comcast's network to block users from the site last week. NASA had incorrectly signed DNSSEC in its implementation of the new security protocol that last week, causing Comcast's newly DNSSEC-enabled service to automatically block access to the site. the day part of the Web went dark in protest of controversial anti-piracy legislation, leading some users and pundits to inaccurately speculate this was Comcast's way of protesting the government-based bills. more»
UK registry Nominet has enabled the deployment of domain name system security extensions (DNSSEC) for 9.4 million second level .uk domains. Completing the rollout represents over a year's work and marks an important milestone in making the web a more trusted environment for UK consumers and businesses, says Nominet, which is responsible for running the .uk internet infrastructure. more»
These days you can hardly talk about Internet governance without hearing about security. DNSSEC is a hot issue, ICANN's new president is a cyber-security expert, and cyberattacks seem to be a daily occurrence.
This reflects a larger shift in US policy. Like the Bush administration before it, the Obama administration is making security a high priority for the US. Only now the emphasis is on security in cyberspace. The outlines of the new policy were published in the recent US Cyberspace Policy Review, which even recommends a cyber security office directly in the White House. more»
DNS is not something that most people think about when using the Internet. Neither should they have to: the DNS is just part of the infrastructure in the same way that IP addresses are. The only time a user ought to notice the DNS is when it breaks (and it should never break). If that's true, then we ought to expect any Internet client - including web browsers - to use the very same infrastructure as everything else and for the DNS resolution mechanisms to be the ones offered by the operating system. What makes browsers different? more»
The sixth annual Counter-eCrime Operations Summit (CeCOS VI) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year's meeting will focus on the shifting nature of cybercrime and the attendant challenges of managing that dynamic threatscape. more»
It has been more than 15 years in the making, but DNSSEC is finally gaining some traction: The .gov and .org top-level domains have begun to adopt the Domain Name Service (DNS) security protocol, and during the past few days, some commercial activity was associated with it. HP last week announced it will resell Secure64's DNS software, while registrar and managed DNS provider Dynamic Network Services Inc. (Dyn Inc.), announced it has gone live with DNSSEC. DNS product vendor NeuStar, meanwhile, rolled out its own DNS security appliance to protect DNS servers from getting hit with the DNS cache poisoning flaw... more»
As regular readers know, ICANN holds lengthy, in-depth discussions devoted to DNSSEC at each of its three annual meetings. The half-day session held at ICANN 43 in Costa Rica last month was particularly interesting. What became clear is that the industry is quickly moving into the end-user adoption phase of global DNSSEC deployment. more»
According to a recent survey conducted by the European Network and Information Security Agency (ENISA), 78% of service providers in Europe have plans to deploy DNSSEC within the next 3 years. On the other hand, the study also found 22% have no plans to deploy DNSSEC in the next 3 years. more»
I first became familiar with DNSSEC around 2002 when it was a feature of the Bind9 server, which I was using to setup a new authoritative DNS platform for customers of the ISP I was working for. I looked at it briefly, decided it was too complex and not worth investigating. A couple of years later a domain of a customer got poisoned in another ISPs network. And while the DNS service we provided was working properly, the customers impression was we hadn't protected them. more»
Comcast, a leading ISP in the U.S., has fully deployed Domain Name System Security Extensions (DNSSEC) according to a company announcement today. Jason Livingood, Comcast's Vice President of Internet Systems writes: "As of today, over 17.8M residential customers of our Xfinity Internet service are using DNSSEC-validating DNS servers. In addition, all of the domain names owned by Comcast, numbering over 5,000, have been cryptographically signed. All of our servers, both the ones that customers use and the ones authoritative for our domain names, also fully support IPv6." more»
DNSSEC continues to gain momentum as network operators and domain owners watch and learn from early adopters. The learning process is made easier by efforts such as the ongoing work conducted by researchers at Sandia labs to methodically identify and categorize the kinds of problems that are occurring. more»
Internet Society recently announced the appointment of former chief technology officer of Motion Picture Association of America (MPAA). The decision has raised concerns within the Internet community as Paul Brigner had campaigned for SOPA while at MPAA as well as being on record opposing net neutrality while being an official at Verizon. more»
Only two years after signing the DNS root zone, the powerful lure of a secure global infrastructure for data distribution is starting to reveal itself. It is illustrated clearly by two proposed technical standardizations that seek to leverage secure DNS. To some degree these developments highlight the strength of DNS institutions and how they might fill gaps elsewhere in the Internet's governance. But an increasing reliance upon and concentration of power in the DNS also makes getting its global governance correct even more important. more»
