Feds Urged to Deploy DNSSEC and Signing of the Root Zone

Security experts and leading vendors are urging the U.S. federal government for the rapid adoption of DNSSEC and signing of the root zone. In recent weeks, the National Telecommunications and Information Administration (NTIA) has received 30-plus comments in favor of securing DNS root zone data. These comments are from the Internet Architecture Board (IAB) and the Internet Society as well as ISPs and domain name operators such as PayPal, Akamai Technologies, NeuStar, Comcast and Afilias. more»

IETF Debates DNS Security: Fix It or Push for DNSSEC

The Internet engineering community is grappling with what to do about a serious flaw in the DNS discovered this summer, and the ongoing debate brings to mind a famous quotation from Voltaire: "The perfect is the enemy of the good." At issue is whether the group should use its resources to encourage DNS registries, ISPs and enterprises to upgrade to the ultimate DNS security solution known as DNSSEC; or whether it should tweak the DNS protocols to address the so-called 'Kaminsky bug' as an interim step. The issue is being debated at a meeting of the IETF, the Internet's leading standards body, being held here this week. more»

Despite Baffling Delays in DNSSEC, Wide-Spread Adoption Close, Says DNS Inventor Paul Mockapetris

Flaws in the current DNS system, most notably the Kaminsky Vulnerability publicly exposed in July 2008, have left Internet uses exposed to potential attacks. DNS inventor Dr. Paul Mockapetris, chief scientist and chairman of IP address infrastructure software provider Nominum, points out that the DNSSEC has been under development for 15 years and the adoption remains low with only Sweden and Puerto Rico signing up to the system. "It baffles me," Mockapetris said of the delay. "On the one hand I'm never baffled by how long standards processes take, but 15 years sounds like a lot to me. I think we've lost 10 years of progress with DNS technology due to this stupid food fight around DNSSEC. We've been at it for 10 years, I think there's five years of good work there." more»

U.S. Department of Commerce Seeking Public Comments for Deployment of DNSSEC

During a conference, "Internet of Things," in France, the U.S. Department of Commerce made the announcement that it will hold a public consultation on the different proposals to cryptographically sign the DNS root zone file, and determine who will hold the root zone trust anchor for global DNSSEC implementation, says Milton Mueller on the Internet Governance Forum blog. The blog, titled "Commerce Department asks the world to comment on its plans to retain control of the root," continues... more»

U.S. Government Begins Largest Deployment of DNSSEC

Untied States government has launched an extensive deployment of DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites. The National Telecommunications and Information Administration (NTIA), the arm of the U.S. government that oversees the Internet's DNS infrastructure, has not set a deadline for DNSSEC deployment for the root servers, .com or .net. "A DNSSEC signed root zone would represent one of the most significant changes to the DNS infrastructure since it was created; therefore any changes cannot be taken lightly considering that the Internet DNS is a global infrastructure on which the global economy relies,'' according to an NTIA statement. more»

Study Assesses Potential Impact of DNSSEC on Broadband Consumers, Results Not Good

Recent collaborative test by Core Competence and Nominet have concluded that 75% of common residential and small SOHO routers and firewall devices used with broadband services do not operate with full DNSSEC compatibility "out of the box". The report presents and analyzes technical findings, their potential impact on DNSSEC use by broadband consumers, and implications for router/firewall manufacturers. Included in its recommendations, the report suggests that as vendors apply DNSSEC and other DNS security fixes to devices, consumers should be encouraged to upgrade to the latest firmware. more»

Largest Synchronized Internet Security Effort Underway to Patch Newly Found DNS Bug

A fundamental flaw in the design of the Domain Name System (DNS) was found earlier this year by security researcher Dan Kaminsky, renowned Internet Security expert. Researchers say they will fully describe the vulnerability in 30 days, after companies that operate web sites or Internet service providers can put the patches in place. The flaw is big enough that Kaminsky and other companies involved brought in government agencies such as the Department of Homeland Security and the U.S. Computer Emergency Response Team. Until the announcement today, experts had been quietly working of coordinating a massive patch affecting all types DNS implementation. Experts emphasized during the press conference today that the flaw is within the DNS protocol and in no way specific to any particular vendor. A DNS checker tool is available on Kaminsky's website located on the top right hand corner. more»

Unbound vs. Bind: New Open Source DNS Server Released

A new open source alternative to the popular BIND domain name system (DNS) server makes its worldwide debut today with the public release of Unbound 1.0. From today's report: Released to open source developers by NLnet Labs, VeriSign, Nominet, and Kirei, Unbound is a validating, recursive, and caching DNS server designed as a high-performance alternative for BIND (Berkeley Internet Name Domain). Unbound will be supported by NLnet Labs. more»

Top-Level Domains .arpa, .org, and .uk Adopting DNSSEC

The Internet is slowly inching closer to ratcheting up the security of its Domain Name System (DNS) server architecture: The Internet Corporation for Assigned Names and Numbers (ICANN ) plans to go operational with DNSSEC later this year in one of its domains. more»

Lack of DNSSec Adoption Due to Standard's Inherent Complexity

According to a recent Dark Reading report, security experts say the overall lack of DNSSec adoption today is due to the standard's inherent complexity, which has kept it off the radar screen for most organizations. From the report: And much of the knowledge gap in DNS security is for administrative reasons, security analysts say. "DNS is a black art, and few have the skills and resources to do it well," says Robert Whiteley, Forrester Research. "And no one group consistently 'owns' it -- applications, networking, and server teams often own pieces of it, and it doesn't receive appropriate funding because it's a shared asset." more»

Vint Cerf on Internet's Key Infrastructure

BBC News is running Vint Cerf's personal view on the Internet's future. From the article: "Improving the resilience and resistance to attack of key infrastructure such as the Domain Name System (the phone book of the internet) and the routing system will be major focal points for near-term internet development. Introducing DNSSEC (security for the Domain Name System) and the digital signing of address space by the Regional Internet Registries will assume much higher priority..." more»

DHS Unprepared for DNS Security

Amid the outcry over allegations that the Department of Homeland Security (DHS) wants the security keys to the DNSSEC encryption technology slowly -- very slowly -- being adopted by internet overlord ICANN, one ICANN board member, Susan Crawford, warns the DHS is woefully unprepared for what lies ahead. more»

New IAB Chair Talks About DNS Security

Olaf Kolkman, a Dutch DNS expert, is the new chair of the Internet Architecture Board, a panel of 13 leading network engineers who provide technical oversight to the IETF, the Internet's premier standards-setting body. Kolkman says in a recent interview that DNSSEC isn't a failure, but it will take a while for the security extensions to become widely deployed. more»