July 15, 2010 marks the end of the beginning for DNSSEC, and the opening of a new chapter in the task of securing the core infrastructure on which the global Internet relies.
Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point.
Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".
There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: SSL or DNSSEC. The answer is quite simple - you should use both.
The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!
Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.New vulnerabilities have been discovered in multiple programs using OpenSSL, one of the standard cryptography libraries on Linux and Unix systems. Due to a common mistake in checking return values from functions checking digital signatures, several programs may be vulnerable to spoofing of digital signatures. The most important affected program is ISC Bind, which is the most widely used DNS server on the internet. A flaw in its validation of signatures on DNSSEC replies means that the server may be vulnerable to DNS spoofing attacks even where DNSSEC is in use. ISC has released BIND 9.6.0-P1 to fix this bug. more»
Here is a list of the most viewed news and blog postings that were featured on CircleID in 2008... Best wishes for 2009 and Happy New Year from all of us here at CircleID. more»
Security experts and leading vendors are urging the U.S. federal government for the rapid adoption of DNSSEC and signing of the root zone. In recent weeks, the National Telecommunications and Information Administration (NTIA) has received 30-plus comments in favor of securing DNS root zone data. These comments are from the Internet Architecture Board (IAB) and the Internet Society as well as ISPs and domain name operators such as PayPal, Akamai Technologies, NeuStar, Comcast and Afilias. more»
The Internet engineering community is grappling with what to do about a serious flaw in the DNS discovered this summer, and the ongoing debate brings to mind a famous quotation from Voltaire: "The perfect is the enemy of the good." At issue is whether the group should use its resources to encourage DNS registries, ISPs and enterprises to upgrade to the ultimate DNS security solution known as DNSSEC; or whether it should tweak the DNS protocols to address the so-called 'Kaminsky bug' as an interim step. The issue is being debated at a meeting of the IETF, the Internet's leading standards body, being held here this week. more»
Flaws in the current DNS system, most notably the Kaminsky Vulnerability publicly exposed in July 2008, have left Internet uses exposed to potential attacks. DNS inventor Dr. Paul Mockapetris, chief scientist and chairman of IP address infrastructure software provider Nominum, points out that the DNSSEC has been under development for 15 years and the adoption remains low with only Sweden and Puerto Rico signing up to the system. "It baffles me," Mockapetris said of the delay. "On the one hand I'm never baffled by how long standards processes take, but 15 years sounds like a lot to me. I think we've lost 10 years of progress with DNS technology due to this stupid food fight around DNSSEC. We've been at it for 10 years, I think there's five years of good work there." more»
During a conference, "Internet of Things," in France, the U.S. Department of Commerce made the announcement that it will hold a public consultation on the different proposals to cryptographically sign the DNS root zone file, and determine who will hold the root zone trust anchor for global DNSSEC implementation, says Milton Mueller on the Internet Governance Forum blog. The blog, titled "Commerce Department asks the world to comment on its plans to retain control of the root," continues... more»
In late August the White House mandated that all of the agencies in the US government have functioning DNSSEC capabilities deployed and operational by December 2009. I am suggesting here that we, as a community, commit to the same timetable. I call upon VeriSign and other registries to bring up DNSSEC support by January 2009. more»
We are at an inflection point in our lifetimes. The Internet is broken, seriously broken... Almost all of the systems currently in use on the Internet are based on implicit trust. This has to change. The problem is that these systems are so embedded in our everyday lives that it would be, sort of like, changing gravity, very difficult. more»
So I wrote earlier that I though it was good stuff when ICANN released a paper on DNS Security. Yes, I think it was good this paper was released, and yes it points out correctly how important DNSSEC is. But, now when reading it in detail, I find two things that troubles me. And it has to do with management of .ARPA. A top level domain that is used for infrastructural purposes. Like IP-addresses and E.164 numbers... more»
Today ICANN releases a paper with the title "DNSSEC @ ICANN - Signing the root zone: A way forward toward operational readiness". The paper explains in more detail than earlier documents what ICANN view on signing of the root zone is. I think the key points mentioned in this paper are true, and in general, I think this document is a good read. It is not long, and summarizes what I would call the current view is. more»
Wow. It's out. It's finally, finally out... So there's a bug in DNS, the name-to-address mapping system at the core of most Internet services. DNS goes bad, every website goes bad, and every email goes...somewhere. Not where it was supposed to... I'm pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn't get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely. It was a good day... more»
Two US Government contractors and the National Institute of Science and Technology have released a white paper, "Statement of Needed Internet Capability," detailing possible alternatives and considerations for a Trust Anchor Repository (TAR) to support DNSSEC deployment. The document was released through the DNSSEC-Deployment Group this week with a request that it be circulated as widely as possible to gather feedback. A Trust Anchor Repository (TAR) refers to the concept of a DNS resource record store that contains secure entry point keys... more»
A new open source alternative to the popular BIND domain name system (DNS) server makes its worldwide debut today with the public release of Unbound 1.0. From today's report: Released to open source developers by NLnet Labs, VeriSign, Nominet, and Kirei, Unbound is a validating, recursive, and caching DNS server designed as a high-performance alternative for BIND (Berkeley Internet Name Domain). Unbound will be supported by NLnet Labs. more»
Day two of Domain Pulse 2008 last Friday (see review of day one) focused on online security issues giving the techies amongst us details of security issues, and the more policy-orientated amongst us something to chew on in a few other presentations. Kieren McCarthy, these days of ICANN, also gave some insights into the drawn out sex.com drama with more twists and turns than the average soap opera has in a year! And Randy Bush outlined the problems with IPv6. Among other presentations... more»
BBC News is running Vint Cerf's personal view on the Internet's future. From the article: "Improving the resilience and resistance to attack of key infrastructure such as the Domain Name System (the phone book of the internet) and the routing system will be major focal points for near-term internet development. Introducing DNSSEC (security for the Domain Name System) and the digital signing of address space by the Regional Internet Registries will assume much higher priority..." more»
