Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point.
Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.
July 15, 2010 marks the end of the beginning for DNSSEC, and the opening of a new chapter in the task of securing the core infrastructure on which the global Internet relies.
The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!
There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: SSL or DNSSEC. The answer is quite simple - you should use both.
Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".The Internet is slowly inching closer to ratcheting up the security of its Domain Name System (DNS) server architecture: The Internet Corporation for Assigned Names and Numbers (ICANN ) plans to go operational with DNSSEC later this year in one of its domains. more»
Earlier this year, ICANN began to seriously consider the various effects of adding DNS protocol features and new entries into the Root Zone. With the NTIA announcement that the Root Zone would be signed this year, a root scaling study team was formed to assess the scalability of the processes used to create and publish the Root Zone. Properly considered, this study should have lasted longer than the 120 days -- but the results suggest that scaling up the root zone is not without risk -- and these risks should be considered before "green-lighting" any significant changes to the root zone or its processes. I, for one, would be interested in any comments, observations, etc. (The caveats: This was, by most measures, a rush job. My spin: This is or should be a risk assessment tool.) Full report available here [PDF]. more»
At ICANN's meeting in Egypt last week, I had the opportunity to try and explain to various non-technical audiences why the Domain Name System (DNS) is vulnerable to attack, and why that is important, without needing a computer science degree to understand it. Here is the summary. more»
I have previously pointed out the shortcomings of good and user friendly support for DNSSEC in Microsoft's Server 2008 R2. During the period just after I wrote the post, I had a dialogue with Microsoft, but during the last months there has been no word at all. The reason I bring this up again is that more and more Top Level Domains (TLDs) now enable DNSSEC and also the fact that within six months the root will be signed. more»
Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point. Thanks to the combined efforts of registries around the world, the new security protocol will soon be available to the majority of domain name registrants in almost a quarter of all TLDs. more»
News broke this week about an attack in Puerto Rico that caused the local websites of Google, Microsoft, Yahoo, Coca-Cola, PayPal, Nike, Dell and Nokia to be redirected for a few hours to a phony website. The website was all black except for a taunting message from the computer hacker responsible for the attack... more»
Wow. It's out. It's finally, finally out... So there's a bug in DNS, the name-to-address mapping system at the core of most Internet services. DNS goes bad, every website goes bad, and every email goes...somewhere. Not where it was supposed to... I'm pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn't get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely. It was a good day... more»
"The countdown to the saturation of the IPv4 address supply is now down to a matter of months: and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats. ...its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes." more»
As a strong proponent of the private right of action for all Internet endpoints and users, I've long been aware of the costs in complexity and chaos of any kind of "blocking" that deliberately keeps something from working. I saw this as a founder at MAPS back in 1997 or so when we created the first RBL to put some distributed controls in place to prevent the transmission of unwanted e-mail from low reputation Internet addresses. What we saw was that in addition to the expected costs (to spammers) and benefits (to victims) of this new technology there were unintended costs to system and network operators whose diagnostic and repair work for problems related to e-mail delivery was made more complex because of the new consideration for every trouble ticket: "was this e-mail message blocked or on purpose?" more»
You may have seen media reports a few weeks ago describing how servers behind the so-called Great Firewall of China were found delivering incorrect DNS information to users in the rest of the world, thereby redirecting users to edited Web pages. Reports indicate that this apparently occurred due to a caching error by a single Internet Service Provider. While the problem was fairly limited in scope, it could have entirely been prevented in a world where DNSSEC was fully deployed. more»
Mehmet Akcin writes: As announced today as part of RIPE meeting in Lisbon, Portugal by Joe Abley, DNS Group Director at ICANN, and Matt Larson, Vice President of DNS Research at VeriSign, in their presentation (Page 25), DNSSEC for the root zone is proposed to be fully deployed by July 1, 2010. The Draft Timeline suggests Root zone being signed by December 1, 2009 while initially staying internal to ICANN and VeriSign. The incremental roll out of the signed root would then take place from January until July 2010. more»
The Internet Governance Project has unearthed a consultancy report to the U.S. Department of Homeland Security (DHS) that makes it clear that the issue of root signing and DNSSEC key management has been recognized as a political issue within the US government for long time. more»
ICANN video highlighting last week's historical DNSSEC key signing ceremony held in a high security data centre located in Culpeper, VA, outside of Washington, DC. "During the ceremony, participants were present within a secure facility and witnessed the preparations required to ensure that the so-called key-signing-key (KSK) was not only generated correctly, but that almost every aspect of the equipment, software and procedures associated with its generation were also verified to be correct and trustworthy." more»
Day two of Domain Pulse 2008 last Friday (see review of day one) focused on online security issues giving the techies amongst us details of security issues, and the more policy-orientated amongst us something to chew on in a few other presentations. Kieren McCarthy, these days of ICANN, also gave some insights into the drawn out sex.com drama with more twists and turns than the average soap opera has in a year! And Randy Bush outlined the problems with IPv6. Among other presentations... more»
I'm interested in CircleID community's take on NeuStar's recent announcement of Cache Defender. While only effective for domains the company is authoritative for, that does cover a large number of big Internet brands and financial institutions. Why wouldn't an ISP deploy this now, while waiting for all the myriad issues involved in DNSSEC to be resolved? more»
