DNS Security

Noteworthy

 Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".

 Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.

 The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!

 There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: SSL or DNSSEC. The answer is quite simple - you should use both.

DNS Security / Recently Commented

DNSSEC - Let's Stay the Course!

I don't know about you, but I'm starting to think that DNSSEC being so hot these days is a mixed blessing. Yes, it's wonderful that after so many years there is finally broad consensus for making DNSSEC happen. But being so prominent also means the protocol is taking shots from those who don't want to make the necessary software, hardware and operational modifications needed. And DNSSEC has taken some shots from those who just want to be contrarian. more»

Most US Federal Websites More than a Year Behind Meeting DNSSEC Mandate

Carolyn Duffy Marsan reporting in Network World: "Half of U.S. government Web sites are vulnerable to commonplace DNS attacks because they haven't deployed a new authentication mechanism that was mandated in 2008, a new study shows. The Office of Management and Budget (OMB) issued a mandate requiring federal agencies to deploy an extra layer of security -- called DNS Security Extensions or DNSSEC -- on their .gov Web sites by Dec. 31, 2009." more»

CircleID's Top 10 Posts for 2010

Looking back at 2010, here is the list of top ten most popular news, blogs, and industry news on CircleID in 2010 based on the overall readership of the posts (total views as of Jan 1, 2011). Congratulations to all the participants whose posts reached top readership and best wishes to the entire community for 2011. Happy New Year! more»

Industry Makes Rapid Progress on DNSSEC

DNSSEC is being rolled out quickly in top-level domain registries around the world, but there's still some way to go to encourage other Internet stakeholders to adopt the new security technology. That was one of the key takeaways from a day-long, comprehensive session on Domain Name System Security Extensions implementation worldwide, held during ICANN's public meeting in Cartagena, Colombia, last week. more»

The Christmas Goat, IPv6 and DNSSEC!

The city of Gävle in Sweden have a special Christmas tradition for which it is quite famous. Every year in December a giant Christmas Goat in straw is put in to place in one of the central town squares. In relation to this tradition a sub-tradition has emerged which the city is even more renowned for -- to burn down the poor Christmas Goat. This is of course an "illegal" act, but still of quite some interest! Web-cameras showing the status of the Christmas Goat have been put up by the city of Gävle, primarily in a purpose of control. However, when someone sets fire to the poor Goat, the traffic and need for bandwidth tend to go sky-high for these cams. more»

Why DNS Blacklists Don't Work for IPv6 Networks

All effective spam filters use DNS blacklists or blocklists, known as DNSBLs. They provide an efficient way to publish sets of IP addresses from which the publisher recommends that mail systems not accept mail. A well run DNSBL can be very effective; the Spamhaus lists typically catch upwards of 80% of incoming spam with a very low error rate. DNSBLs take advantage of the existing DNS infrastructure to do fast, efficient lookups. A DNS lookup typically goes through three computers... more»

Dan Kaminsky Releases Phreebird for Easy DNSSEC

Today marks another key step in DNSSEC deployment. Congrats to Dan Kaminsky, chief scientist at Doxpara and one of our partners on the Practice Safe DNS campaign, on the release of his new code Phreebird. Announced today at Black Hat Abu Dhabi, Phreebird Suite 1.0 is a free, easy-to-use toolkit that lets organizations "test-drive" DNSSEC deployment. more»

Free Toolkit Lets Organizations, Developers Test-Drive DNSSEC

Kelly Jackson Higgins reporting in DarkReading: Renowned researcher Dan Kaminsky tomorrow at Black Hat Abu Dhabi will release a free toolkit that lets organizations test-drive DNSSEC deployment and also demonstrates his claims that the protocol is simple to implement. "I've been making a lot of claims and promises about what DNSSEC is capable of and why the security industry should care. This is the argument I've been putting forth, in code form. This is for real." more»

Study Finds Majority of U.S. Gov't Agencies Fail to Meet Security Mandate for DNSSEC Adoption

Majority of U.S. Federal agencies using .gov domains have not signed their DNS with DNSSEC (Domain Name Security Extensions) despite a December 2009 Federal deadline for adoption, according to the latest report by IID (Internet Identity). IID analyzed the DNS of more than 2,900 .gov domains and has released the results in its "Q3 State of DNS Report". more»

IPv6 Posing New Security Issues

"The countdown to the saturation of the IPv4 address supply is now down to a matter of months: and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats. ...its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes." more»

DNSSEC Taking Center Stage at 2010 Black Hat

On July 28th DNSSEC took center stage at the 2010 Black Hat Conference in Las Vegas. Two years ago, at the same conference, Dan Kaminsky unveiled the infamous DNS bug that many believe became a major catalyst for DNSSEC implementation. To kick things off, Jeff Moss -- founder of Black Hat -- in his opening speech called out the fact that "we have not solved any fundamental problems" and noted that the technical community must catch up. more»

White House on the DNSSEC Deployment: "A Major Milestone on Internet Security"

Andrew McLaughlin reporting in the White House website: "Last week marked a significant advance in the security of the Internet. After years of intensive design, testing, and implementation work, the Internet's domain name system now has a new security upgrade that allows Internet service providers and end users alike to protect against an important online vulnerability: the clandestine redirecting of online communications to unwanted destinations." more»

July 2010: The End of the Beginning for DNSSEC

July 15, 2010 (yesterday) marked the end of the beginning for DNSSEC, as the DNS root was cryptographically signed. For nearly two decades, security researchers, academics and Internet leaders have worked to develop and deploy Domain Name System Security Extensions (DNSSEC). DNSSEC was developed to improve the overall security of the DNS, a need which was dramatized by the discovery of the Kaminsky bug a few years ago. more»

Three Reasons Why It Makes Sense to Deploy DNSSEC Now

As many of you may know, today .ORG announced that all of its 8.5 million domains are now able to be fully DNSSEC signed - the largest set of domain names in the world so far that has access to this key security upgrade. .. The widespread publicity that the Kaminsky bug got around the world vindicated a decision made in several companies to invest time, effort and money into deploying DNSSEC. The community was split on the value of the DNSSEC effort -- many thought the deployment was quixotic, while a few others thought it was appropriate. more»

DNSSEC Becomes a Reality Today at ICANN Brussels

Attendees at the public ICANN meeting in Brussels today heard from over two dozen companies that have implemented or are planning to support DNSSEC, the next-generation standard protocol for secured domain names. It is clearer than ever before that DNSSEC is becoming a reality. more»