DNS Security

Noteworthy

 Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".

 The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!

 Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.

 DNSSEC technology standards have been stable and mature since 2007, with only updates, clarifications, and new functionality added since then.

DNS Security / News Briefs

Comcast Announces Completion of DNSSEC Deployment

Comcast, a leading ISP in the U.S., has fully deployed Domain Name System Security Extensions (DNSSEC), according to a company announcement today. Jason Livingood, Comcast's Vice President of Internet Systems, writes: "As of today, over 17.8M residential customers of our Xfinity Internet service are using DNSSEC-validating DNS servers. In addition, all of the domain names owned by Comcast, numbering over 5,000, have been cryptographically signed. All of our servers, both the ones that customers use and the ones authoritative for our domain names, also fully support IPv6."

Internet Groups Inaugurate First of Three Cyber Security Facilities

ICANN and internet exchange firm Packet Clearing House (PCH) have joined forces with Infocomm Development Authority of Singapore (IDA) and the National University of Singapore (NUS) to launch the first of three facilities designed to boost the adoption of Domain Name System Security Extensions (DNSSEC) among country code Top-Level Domains (ccTLDs). The three new facilities, located in Singapore; Zurich, Switzerland (still under construction); and San Jose, California, provide cryptographic security using the recently deployed DNSSEC protocol.

Experts Urge Congress to Reject DNS Filtering from PROTECT IP Act, Serious Technical Concerns Raised

A group of leading DNS experts has released a paper detailing serious concerns over the proposed DNS filtering requirements included in a bill recently introduced in the U.S. Senate, the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 ("PROTECT IP Act"). The group, which is urging lawmakers to reconsider enacting such a mandate into law, includes leading DNS designers, operators, and researchers responsible for numerous RFCs for DNS, the publication of many peer-reviewed academic studies related to the architecture and security of the DNS, and the operation of important DNS infrastructure on the Internet.

Nominet Rolls Out DNSSEC for 9.4 Million .UK Domains

UK registry Nominet has enabled the deployment of Domain Name System Security Extensions (DNSSEC) for 9.4 million second-level .uk domains. Completing the rollout represents over a year's work and marks an important milestone in making the web a more trusted environment for UK consumers and businesses, says Nominet, which is responsible for running the .uk internet infrastructure.

Citrix Case Study Features Nixu DDI

Citrix has published a case study featuring Nixu DDI run on Citrix XenServer by Unify Mobile, a Dutch Mobile Virtual Network Operator (MVNO). Having grown its customer base at an extremely rapid pace, Unify wanted to develop a network services platform that could be scaled up quickly and allow efficient management to cope with growth.

Garth Bruen Discussing Whois, DNSSEC and Domain Security

NameSmash has interviewed Garth Bruen, Internet security expert and creator of Knujon, on some key issues under discussion during the recent ICANN meetings in San Francisco. Topics include Whois, DNS Security Extensions (DNSSEC) and generic Top-Level Domains (gTLDs) -- issues of critical importance particularly with ICANN's expected roll-out of thousands of new gTLDs in the coming years.

DNSSEC Deployed for .COM, Internet's Largest Top-Level Domain

DNS Security Extensions (DNSSEC) has been deployed for .COM, the Internet's largest domain extension, with more than 90 million registrations. The announcement was made today by VeriSign, the registry operator for .COM.

Most US Federal Websites More than a Year Behind Meeting DNSSEC Mandate

Carolyn Duffy Marsan reporting in Network World: "Half of U.S. government Web sites are vulnerable to commonplace DNS attacks because they haven't deployed a new authentication mechanism that was mandated in 2008, a new study shows. The Office of Management and Budget (OMB) issued a mandate requiring federal agencies to deploy an extra layer of security -- called DNS Security Extensions or DNSSEC -- on their .gov Web sites by Dec. 31, 2009."

Free Toolkit Lets Organizations, Developers Test-Drive DNSSEC

Kelly Jackson Higgins reporting in DarkReading: Renowned researcher Dan Kaminsky tomorrow at Black Hat Abu Dhabi will release a free toolkit that lets organizations test-drive DNSSEC deployment and also demonstrates his claims that the protocol is simple to implement. "I've been making a lot of claims and promises about what DNSSEC is capable of and why the security industry should care. This is the argument I've been putting forth, in code form. This is for real."

"Practice Safe DNS" Campaign Launched to Educate on Securing DNS, Adopting DNSSEC

.ORG, The Public Interest Registry (PIR), has announced today the launch of a new campaign aimed at educating IT professionals about securing DNS and the adoption of Domain Name System Security Extensions (DNSSEC). The key purpose of the "Practice Safe DNS" website, according to PIR, is to "serve as a key resource for domain holders, registrars, web developers and IT professionals to learn how they can respectively play an increasingly relevant role in providing a safer and more secure Internet."

Study Finds Majority of U.S. Gov't Agencies Fail to Meet Security Mandate for DNSSEC Adoption

The majority of U.S. Federal agencies using .gov domains have not signed their DNS with DNSSEC (Domain Name System Security Extensions) despite a December 2009 Federal deadline for adoption, according to the latest report by IID (Internet Identity). IID analyzed the DNS of more than 2,900 .gov domains and has released the results in its "Q3 State of DNS Report".

IPv6 Posing New Security Issues

"The countdown to the saturation of the IPv4 address supply is now down to a matter of months: and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats. ...its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes."

Paul Kane Selected as One of Seven Security Key Holders

Chuck Kisselburg writes: Responsible for safeguarding a share of the ROOT Zone's DNSSEC Recovery Key, Paul Kane, CEO of CommunityDNS, is one of 7 TCRs (Trusted Community Representatives) selected from around the globe by ICANN. "In the event of a security breach -- such as a terrorist attack -- Mr Kane may be required to travel to a secure location in the US."

White House on the DNSSEC Deployment: "A Major Milestone on Internet Security"

Andrew McLaughlin reporting on the White House website: "Last week marked a significant advance in the security of the Internet. After years of intensive design, testing, and implementation work, the Internet's domain name system now has a new security upgrade that allows Internet service providers and end users alike to protect against an important online vulnerability: the clandestine redirecting of online communications to unwanted destinations."

Video: Highlights of the DNSSEC Key Signing Ceremony

ICANN video highlighting last week's historic DNSSEC key signing ceremony held in a high-security data centre located in Culpeper, VA, outside of Washington, DC. "During the ceremony, participants were present within a secure facility and witnessed the preparations required to ensure that the so-called key-signing-key (KSK) was not only generated correctly, but that almost every aspect of the equipment, software and procedures associated with its generation were also verified to be correct and trustworthy."