-
Blogs
-
News
-
Industry
-
Community
-
Topics
Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".
There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: SSL or DNSSEC. The answer is quite simple - you should use both.Leading US ISP, Comcast, has announced today its aggressive plans to deploy DNSSEC through out its netowrk. Chris Griffiths, Manager of DNS Engineering, writes: "We plan to implement DNSSEC for the websites we manage, such as comcast.com, comcast.net and xfinity.com, by the first quarter of 2011, if not sooner. By the end of 2011, we plan to implement DNSSEC validation for all of our customers." more»
Loic Damilaville writes: "From May 2010, all the root servers on which the working of the domain name system depends, will be giving DNS responses signed by using the DNSSEC protocol. This evolution aims for increasing the confidence in DNS responses (by authenticating their origin); administrators of networks connected to Internet should be aware that this evolution could cause some service disruptions. In fact, the changes in the root server configuration could lead to a DNS disconnection risk, and therefore disruption of Internet service in certain cases..." more»
The deployment of Domain Name System Security Extensions (DNSSEC) for the root zone got an official start today with its public signing for the first time. DNSSEC for the root zone is a joint effort between ICANN and VeriSign, with support from the U.S. Department of Commerce to improve security of the Internet's naming infrastructure. Kim Davies, ICANN's Manager of Root Zone Services, says: "What happened today was the deliberately un-validatable root zone started being published on l.root-servers.net. It is anticipated this will be rolled out across the other root servers over the coming months. This phase is designed to identify any issues with the larger DNS response sizes associated with DNSSEC data." more»
According to the latest Infrastructure Security Report by Arbor Netowrks, the Internet architecture and operations is about to face a perfect storm with the convergence of issues including IPv4 to IPv6 migration, implementation of DNS Security Extensions (DNSSEC) and to 4-byte ASNs (used for inter-domain routing on the Internet). "Any one of these changes alone would constitute a significant architectural and operational challenge for network operators; considered together, they represent the greatest and potentially most disruptive set of circumstances in the history of the Internet, given its growth in importance to worldwide communications and commerce," says the report.
more»
The fifth-annual survey of domain name servers (DNS) on the public Internet -- called a "Pandora's box of both frightening and hopeful results" -- was released today by The Measurement Factory in partnership with Infoblox. more»
The Canadian Internet Registration Authority (CIRA) for the .ca country code Top-Level Domain yesterday announced the launch of a test-bed initiative for DNSSEC. CIRA’s Chief Information Officer, Norm Ritchie who made the official announcement at the SecTor security conference in Toronto, says it began the process of implementing DNSSEC in early 2009 and the implementation date is set for 2010. So far, over 15 Top-Level Domains have already deployed DNSSEC including dot-gov and dot-org. more»
Mehmet Akcin writes: As announced today as part of RIPE meeting in Lisbon, Portugal by Joe Abley, DNS Group Director at ICANN, and Matt Larson, Vice President of DNS Research at VeriSign, in their presentation (Page 25), DNSSEC for the root zone is proposed to be fully deployed by July 1, 2010. The Draft Timeline suggests Root zone being signed by December 1, 2009 while initially staying internal to ICANN and VeriSign. The incremental roll out of the signed root would then take place from January until July 2010. more»
Earlier this year, ICANN began to seriously consider the various effects of adding DNS protocol features and new entries into the Root Zone. With the NTIA announcement that the Root Zone would be signed this year, a root scaling study team was formed to assess the scalability of the processes used to create and publish the Root Zone. Properly considered, this study should have lasted longer than the 120 days -- but the results suggest that scaling up the root zone is not without risk -- and these risks should be considered before "green-lighting" any significant changes to the root zone or its processes. I, for one, would be interested in any comments, observations, etc. (The caveats: This was, by most measures, a rush job. My spin: This is or should be a risk assessment tool.) Full report available here [PDF]. more»
Mehmet Akcin writes: "EDUCAUSE and VeriSign have announced the initiation of a project to enhance Internet reliability and stability. By the end of March 2010, the project will deploy a security system known as Domain Name Security Extensions (DNSSEC) within the .edu portion of the Internet, which EDUCAUSE manages under a cooperative agreement with the U.S. Department of Commerce. When the project is completed, institutions whose domain names end in .edu will be able to incorporate a digital signature into those names to limit a variety of security vulnerabilities." more»
Internet Systems Consortium (ISC) has announced that it is working with Afilias and Neustar, Inc. in the effort to support ISC's DNSSEC Look-aside Validation (DLV) registry by providing secondary DNS service for the DLV zone. DLV is a mechanism that provides many of the benefits of DNSSEC (short for DNS Security Extensions), enabling domain holders to secure their domain information today in advance of broader DNSSEC deployment and adoption. "Adding Afilias and Neustar as secondary DNS providers for the DLV zone demonstrates our collective understanding that DLV is a vitally important production service bigger than any single provider in the same way that there are 13 root server operators, not just one." more»
A team of developers including .SE (The Internet Infrastructure Foundation), LNetLabs, Nominet, Kirei, SURFnet, SIDN and John Dickinson have come together to create open source software, called OpenDNSSEC, to make it easier to deploy DNSSEC. Patrik Wallström, responsible for DNSSEC at .SE comments: "In order to spread the use of DNSSEC to an increased number of domain names, the management surrounding this technology must be simplified. Together with a number of collaborators, we're developing OpenDNSSEC. Leveraging our deployment experience, we will produce a well-packaged, easy-to-use and flexible DNSSEC tool that eliminates all manual procedures. Those in charge of name servers no longer need detailed knowledge about the protocol in order to use it." more»
A message from ICANN's new President and CEO, Rod Beckstrom, was released today calling the organization the most complex he has ever come across. "What I find impressive is that, despite the many competing pressures in this environment, ICANN has been able to fulfill its core functions in the 11 years since its inception, and has emerged as a strong, stakeholder driven group," says Beckstrom. As part of his vision for ICANN, Beckstrom has highlighted 4 areas of primary focus including Internationalization of Domain Names, efforts in the deployment of DNSSEC, and the introduction of new generic Top-Level Domains. more»
It has been more than 15 years in the making, but DNSSEC is finally gaining some traction: The .gov and .org top-level domains have begun to adopt the Domain Name Service (DNS) security protocol, and during the past few days, some commercial activity was associated with it. HP last week announced it will resell Secure64's DNS software, while registrar and managed DNS provider Dynamic Network Services Inc. (Dyn Inc.), announced it has gone live with DNSSEC. DNS product vendor NeuStar, meanwhile, rolled out its own DNS security appliance to protect DNS servers from getting hit with the DNS cache poisoning flaw... more»
ICANN announced today that it will work with the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST) and VeriSign on the goal of an operationally Signed Root Zone as soon as feasible in 2009. "We've been working towards a signed root for more than three years. In fact, ICANN has operated a root zone signing test bed for more than two years. So ICANN is aware of the urgency around signing the root to enhance stability and security" Paul Twomey, President and CEO of ICANN said. more»
According to a recent survey conducted by the European Network and Information Security Agency (ENISA), 78% of service providers in Europe have plans to deploy DNSSEC within the next 3 years. On the other hand, the study also found 22% have no plans to deploy DNSSEC in the next 3 years. more»
Copyright © 2002-2010 CircleID.
Iomemo Inc.
All rights reserved unless where otherwise noted.
