Proposal for Signing the DNSSEC Root

The U.S. National Telecommunications and Information Administration (NTIA) is soliciting comments on signing the DNSSEC root. Ignore the caption on the page: this is not about DNSSEC deployment, which is already happening just fine. It's about who gets to sign the root zone. more»

Why DNS is Broken, in Plain English

At ICANN's meeting in Egypt last week, I had the opportunity to try and explain to various non-technical audiences why the Domain Name System (DNS) is vulnerable to attack, and why that is important, without needing a computer science degree to understand it. Here is the summary. more»

U.S. Government Begins Largest Deployment of DNSSEC

Untied States government has launched an extensive deployment of DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites. The National Telecommunications and Information Administration (NTIA), the arm of the U.S. government that oversees the Internet's DNS infrastructure, has not set a deadline for DNSSEC deployment for the root servers, .com or .net. "A DNSSEC signed root zone would represent one of the most significant changes to the DNS infrastructure since it was created; therefore any changes cannot be taken lightly considering that the Internet DNS is a global infrastructure on which the global economy relies,'' according to an NTIA statement. more»

Study Assesses Potential Impact of DNSSEC on Broadband Consumers, Results Not Good

Recent collaborative test by Core Competence and Nominet have concluded that 75% of common residential and small SOHO routers and firewall devices used with broadband services do not operate with full DNSSEC compatibility "out of the box". The report presents and analyzes technical findings, their potential impact on DNSSEC use by broadband consumers, and implications for router/firewall manufacturers. Included in its recommendations, the report suggests that as vendors apply DNSSEC and other DNS security fixes to devices, consumers should be encouraged to upgrade to the latest firmware. more»

Largest Synchronized Internet Security Effort Underway to Patch Newly Found DNS Bug

A fundamental flaw in the design of the Domain Name System (DNS) was found earlier this year by security researcher Dan Kaminsky, renowned Internet Security expert. Researchers say they will fully describe the vulnerability in 30 days, after companies that operate web sites or Internet service providers can put the patches in place. The flaw is big enough that Kaminsky and other companies involved brought in government agencies such as the Department of Homeland Security and the U.S. Computer Emergency Response Team. Until the announcement today, experts had been quietly working of coordinating a massive patch affecting all types DNS implementation. Experts emphasized during the press conference today that the flaw is within the DNS protocol and in no way specific to any particular vendor. A DNS checker tool is available on Kaminsky's website located on the top right hand corner. more»

DNSSEC Adds Value?

The recent news that .uk, .arpa and .org may sign their zones sometime this year is indeed good news. Each domain is highly significant... As the DNSSEC registry infrastructure moves inexorably forward -- primarily driven by top level pressure and considerations of National Interest -- it now behoves us to clearly articulate the benefits of DNSSEC to domain owners and registrars. In particular I want to focus on the vast majority of us to whom cold, hard cash is important and parting with it requires as a minimum tangible benefits or, in extreme cases, surgical intervention. more»

Top-Level Domains .arpa, .org, and .uk Adopting DNSSEC

The Internet is slowly inching closer to ratcheting up the security of its Domain Name System (DNS) server architecture: The Internet Corporation for Assigned Names and Numbers (ICANN ) plans to go operational with DNSSEC later this year in one of its domains. more»

Domain Name Price Jump: Moore's Law or Parkinson's Laws?

As expected, VeriSign raised the price of domain names, effective in October. New prices wholesale prices (to the registrar) for .com domain names are going from $6.42 to $6.86, while .net will increase from $3.85 to $4.23. This news came a few days ago in a letter to registrars. (Hint to consumers: renew your domains now.) ...So, basically, many if not most of VeriSign's registry costs have been falling at an exponential rate. Hard disk storage, computing performance, bandwidth, RAM storage... yet the cost is going up. How is this justified? more»

Homeland Security Department Was Warned About DNSSEC Key Ownership and Trust Issues

The Internet Governance Project has unearthed a consultancy report to the U.S. Department of Homeland Security (DHS) that makes it clear that the issue of root signing and DNSSEC key management has been recognized as a political issue within the US government for long time. more»

DNSSEC: Once More, With Feeling!

After looking at the state of DNSSEC in some detail a little over a year ago in 2006, I've been intending to come back to DNSSEC to see if anything has changed, for better or worse, in the intervening period... To recap, DNSSEC is an approach to adding some "security" into the DNS. The underlying motivation here is that the DNS represents a rather obvious gaping hole in the overall security picture of the Internet, although it is by no means the only rather significant vulnerability in the entire system. One of the more effective methods of a convert attack in this space is to attack at the level of the DNS by inserting fake responses in place of the actual DNS response. more»

Lack of DNSSec Adoption Due to Standard's Inherent Complexity

According to a recent Dark Reading report, security experts say the overall lack of DNSSec adoption today is due to the standard's inherent complexity, which has kept it off the radar screen for most organizations. From the report: And much of the knowledge gap in DNS security is for administrative reasons, security analysts say. "DNS is a black art, and few have the skills and resources to do it well," says Robert Whiteley, Forrester Research. "And no one group consistently 'owns' it -- applications, networking, and server teams often own pieces of it, and it doesn't receive appropriate funding because it's a shared asset." more»

Developing Internet Standards: How Can the Engineering Community and the Users Meet?

There is currently a discussion going on between Milton Mueller and Patrik Fältström over the deployment of DNSSEC on the root servers. I think the discussion exemplifies the difficult relation between those who develop standards and those who use them. On the one hand, Milton points out that the way the signing of the root zone will be done will have a great influence on the subjective trust people and nation states will have towards the system. On the other hand, Patrik states that "DNSSEC is just digital signatures on records in this database". Both are right, of course, but they do not speak the same language... more»

The Case Against DNSSEC

I was talking to my good friend Verner Entwhistle the other day when he suddenly turned to me and said "I don't think we need DNSSEC". Sharp intake of breath. Transpired after a long and involved discussion his case boiled down to four points: 1. SSL provides known and trusted security, DNSSEC is superfluous, 2. DNSSEC is complex and potentially prone to errors, 3. DNSSEC makes DoS attacks worse, 4. DNSSEC does not solve the last mile problem. Let's take them one at a time... more»

Defending Networks Against DNS Rebinding Attacks

DNS rebinding attacks are real and can be carried out in the real world. They can penetrate through browsers, Java, Flash, Adobe and can have serious implications for Web 2.0-type applications that pack more code and action onto the client. Such an attack can convert browsers into open network proxies and get around firewalls to access internal documents and services. It requires less than $100 to temporarily hijack 100,000 IP addresses for sending spam and defrauding pay-per-click advertisers. Everyone is at risk and relying on network firewalls is simply not enough. In a paper released by Stanford Security Lab, "Protecting Browsers from DNS Rebinding Attacks," authors Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh provide ample detail about the nature of this attack as well as strong defenses that can be put in place in order to help protect modern browsers. more»

The Inextricable Issue of Internationalized Domain Names

ICANN has embarked on the IDN boat at the same time it wants to introduce DNSSEC and new gTLDs. This promises lots of fun. Or grey hair, depending how you look at it. First is the issue of country code IDNs. The ISO-3166 table, based on two letter codes, is a western convention. Some cultures do not use abbreviations or acronyms. Some do not use a character-based alphabet, but a syllabic one. Hence, the next logical step would be to represent the full country name in local script, rather than a transliteration of the ISO string... Imagine the case of India, where there are 1.652 languages, of which 24 are spoken by more than one million people... more»