-
Topics
-
Blogs
-
News
-
Community
-
Industry
The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!
July 15, 2010 marks the end of the beginning for DNSSEC, and the opening of a new chapter in the task of securing the core infrastructure on which the global Internet relies.
Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".
Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point.
Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.
There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: SSL or DNSSEC. The answer is quite simple - you should use both.Carolyn Duffy Marsan reporting in Network World: "Half of U.S. government Web sites are vulnerable to commonplace DNS attacks because they haven't deployed a new authentication mechanism that was mandated in 2008, a new study shows. The Office of Management and Budget (OMB) issued a mandate requiring federal agencies to deploy an extra layer of security -- called DNS Security Extensions or DNSSEC -- on their .gov Web sites by Dec. 31, 2009." more»
Kelly Jackson Higgins reporting in DarkReading: Renowned researcher Dan Kaminsky tomorrow at Black Hat Abu Dhabi will release a free toolkit that lets organizations test-drive DNSSEC deployment and also demonstrates his claims that the protocol is simple to implement. "I've been making a lot of claims and promises about what DNSSEC is capable of and why the security industry should care. This is the argument I've been putting forth, in code form. This is for real." more»
.ORG, The Public Interest Registry (PIR) has announced today the launch of a new campaign aimed at educating IT professionals about securing DNS and the adoption of Domain Name System Security Extensions (DNSSEC). The key purpose of the "Practice Safe DNS" website, according to PIR, is to "serve as a key resource for domain holders, registrars, web developers and IT professionals to learn how they can respectively play a increasingly relevant role in providing a safer and more secure Internet." more»
Majority of U.S. Federal agencies using .gov domains have not signed their DNS with DNSSEC (Domain Name Security Extensions) despite a December 2009 Federal deadline for adoption, according to the latest report by IID (Internet Identity). IID analyzed the DNS of more than 2,900 .gov domains and has released the results in its "Q3 State of DNS Report". more»
"The countdown to the saturation of the IPv4 address supply is now down to a matter of months: and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats. ...its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes." more»
Chuck Kisselburg writes: Responsible for safe-guarding a share of the ROOT Zone's DNSSEC Recovery Key, Paul Kane, CEO of CommunityDNS, is one of 7 TCRs (Trusted Community Representative) selected from around the globe by ICANN. "In the event of a security breach -- such as a terrorist attack -- Mr Kane may be required to travel to a secure location in the US." more»
Andrew McLaughlin reporting in the White House website: "Last week marked a significant advance in the security of the Internet. After years of intensive design, testing, and implementation work, the Internet's domain name system now has a new security upgrade that allows Internet service providers and end users alike to protect against an important online vulnerability: the clandestine redirecting of online communications to unwanted destinations." more»
ICANN video highlighting last week's historical DNSSEC key signing ceremony held in a high security data centre located in Culpeper, VA, outside of Washington, DC. "During the ceremony, participants were present within a secure facility and witnessed the preparations required to ensure that the so-called key-signing-key (KSK) was not only generated correctly, but that almost every aspect of the equipment, software and procedures associated with its generation were also verified to be correct and trustworthy." more»
The global deployment of Domain Name System Security Extensions (DNSSEC) will achieve an important milestone on June 16, 2010 as ICANN hosts the first production DNSSEC key ceremony in a high security data centre in Culpeper, VA, outside of Washington, DC. During the key ceremony the first cryptographic digital key used to secure the Internet root zone will be generated and securely stored. more»
Leading US ISP, Comcast, has announced today its aggressive plans to deploy DNSSEC through out its netowrk. Chris Griffiths, Manager of DNS Engineering, writes: "We plan to implement DNSSEC for the websites we manage, such as comcast.com, comcast.net and xfinity.com, by the first quarter of 2011, if not sooner. By the end of 2011, we plan to implement DNSSEC validation for all of our customers." more»
Loic Damilaville writes: "From May 2010, all the root servers on which the working of the domain name system depends, will be giving DNS responses signed by using the DNSSEC protocol. This evolution aims for increasing the confidence in DNS responses (by authenticating their origin); administrators of networks connected to Internet should be aware that this evolution could cause some service disruptions. In fact, the changes in the root server configuration could lead to a DNS disconnection risk, and therefore disruption of Internet service in certain cases..." more»
The deployment of Domain Name System Security Extensions (DNSSEC) for the root zone got an official start today with its public signing for the first time. DNSSEC for the root zone is a joint effort between ICANN and VeriSign, with support from the U.S. Department of Commerce to improve security of the Internet's naming infrastructure. Kim Davies, ICANN's Manager of Root Zone Services, says: "What happened today was the deliberately un-validatable root zone started being published on l.root-servers.net. It is anticipated this will be rolled out across the other root servers over the coming months. This phase is designed to identify any issues with the larger DNS response sizes associated with DNSSEC data." more»
According to the latest Infrastructure Security Report by Arbor Netowrks, the Internet architecture and operations is about to face a perfect storm with the convergence of issues including IPv4 to IPv6 migration, implementation of DNS Security Extensions (DNSSEC) and to 4-byte ASNs (used for inter-domain routing on the Internet). "Any one of these changes alone would constitute a significant architectural and operational challenge for network operators; considered together, they represent the greatest and potentially most disruptive set of circumstances in the history of the Internet, given its growth in importance to worldwide communications and commerce," says the report.
more»
The fifth-annual survey of domain name servers (DNS) on the public Internet -- called a "Pandora's box of both frightening and hopeful results" -- was released today by The Measurement Factory in partnership with Infoblox. more»
The Canadian Internet Registration Authority (CIRA) for the .ca country code Top-Level Domain yesterday announced the launch of a test-bed initiative for DNSSEC. CIRA’s Chief Information Officer, Norm Ritchie who made the official announcement at the SecTor security conference in Toronto, says it began the process of implementing DNSSEC in early 2009 and the implementation date is set for 2010. So far, over 15 Top-Level Domains have already deployed DNSSEC including dot-gov and dot-org. more»
