The United States government has launched an extensive deployment of DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites. The National Telecommunications and Information Administration (NTIA), the arm of the U.S. government that oversees the Internet's DNS infrastructure, has not set a deadline for DNSSEC deployment for the root servers, .com or .net. "A DNSSEC signed root zone would represent one of the most significant changes to the DNS infrastructure since it was created; therefore any changes cannot be taken lightly considering that the Internet DNS is a global infrastructure on which the global economy relies," according to an NTIA statement.
A recent collaborative test by Core Competence and Nominet has concluded that 75% of common residential and small SOHO routers and firewall devices used with broadband services do not operate with full DNSSEC compatibility "out of the box". The report presents and analyzes technical findings, their potential impact on DNSSEC use by broadband consumers, and implications for router/firewall manufacturers. Among its recommendations, the report suggests that as vendors apply DNSSEC and other DNS security fixes to devices, consumers should be encouraged to upgrade to the latest firmware.
A fundamental flaw in the design of the Domain Name System (DNS) was found earlier this year by security researcher Dan Kaminsky, a renowned Internet security expert. Researchers say they will fully describe the vulnerability in 30 days, after companies that operate web sites or Internet service providers can put the patches in place. The flaw is big enough that Kaminsky and other companies involved brought in government agencies such as the Department of Homeland Security and the U.S. Computer Emergency Response Team. Until the announcement today, experts had been quietly working on coordinating a massive patch affecting all types of DNS implementations. Experts emphasized during the press conference today that the flaw is within the DNS protocol and in no way specific to any particular vendor. A DNS checker tool is available in the top right-hand corner of Kaminsky's website.
A new open source alternative to the popular BIND domain name system (DNS) server makes its worldwide debut today with the public release of Unbound 1.0. From today's report: Released to open source developers by NLnet Labs, VeriSign, Nominet, and Kirei, Unbound is a validating, recursive, and caching DNS server designed as a high-performance alternative for BIND (Berkeley Internet Name Domain). Unbound will be supported by NLnet Labs.
The Internet is slowly inching closer to ratcheting up the security of its Domain Name System (DNS) server architecture: The Internet Corporation for Assigned Names and Numbers (ICANN) plans to go operational with DNSSEC later this year in one of its domains.
According to a recent Dark Reading report, security experts say the overall lack of DNSSEC adoption today is due to the standard's inherent complexity, which has kept it off the radar screen for most organizations. From the report: And much of the knowledge gap in DNS security is for administrative reasons, security analysts say. "DNS is a black art, and few have the skills and resources to do it well," says Robert Whiteley, Forrester Research. "And no one group consistently 'owns' it -- applications, networking, and server teams often own pieces of it, and it doesn't receive appropriate funding because it's a shared asset."
BBC News is running Vint Cerf's personal view on the Internet's future. From the article: "Improving the resilience and resistance to attack of key infrastructure such as the Domain Name System (the phone book of the internet) and the routing system will be major focal points for near-term internet development. Introducing DNSSEC (security for the Domain Name System) and the digital signing of address space by the Regional Internet Registries will assume much higher priority..."
Amid the outcry over allegations that the Department of Homeland Security (DHS) wants the security keys to the DNSSEC encryption technology slowly -- very slowly -- being adopted by internet overlord ICANN, one ICANN board member, Susan Crawford, warns the DHS is woefully unprepared for what lies ahead.
Olaf Kolkman, a Dutch DNS expert, is the new chair of the Internet Architecture Board, a panel of 13 leading network engineers who provide technical oversight to the IETF, the Internet's premier standards-setting body. Kolkman says in a recent interview that DNSSEC isn't a failure, but it will take a while for the security extensions to become widely deployed.