DNS / Featured Blogs

Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys

In my last article, I described efforts underway to standardize new cryptographic algorithms that are designed to be less vulnerable to potential future advances in quantum computing. I also reviewed operational challenges to be considered when adding new algorithms to the DNS Security Extensions (DNSSEC). In this post, I'll look at hash-based signatures, a family of post-quantum algorithms that could be a good match for DNSSEC from the perspective of infrastructure stability. more

Securing the DNS in a Post-Quantum World: New DNSSEC Algorithms on the Horizon

One of the "key" questions cryptographers have been asking for the past decade or more is what to do about the potential future development of a large-scale quantum computer. If theory holds, a quantum computer could break established public-key algorithms including RSA and elliptic curve cryptography (ECC), building on Peter Shor's groundbreaking result from 1994. more

WHOIS Record Redaction and GDPR: What's the Evolution Post-2018?

We all use the Internet daily. Practically every element of our reality has its equal in the virtual realm. Friends turn into social media contacts, retail establishments to e-commerce shops, and so on. We can't deny that the way the Internet was designed, to what it has become, differs much. One example that we'll tackle in this post is the seeming loss of connection between domains and their distinguishable owners. more

Verisign Outreach Program Remediates Billions of Name Collision Queries

A name collision occurs when a user attempts to resolve a domain in one namespace, but it unexpectedly resolves in a different namespace. Name collision issues in the public global Domain Name System (DNS) cause billions of unnecessary and potentially unsafe DNS queries every day. A targeted outreach program that Verisign started in March 2020 has remediated one billion queries per day to the A and J root name servers, via 46 collision strings. more

Newer Cryptographic Advances for the Domain Name System: NSEC5 and Tokenized Queries

In my last post, I looked at what happens when a DNS query renders a "negative" response -- i.e., when a domain name doesn't exist. I then examined two cryptographic approaches to handling negative responses: NSEC and NSEC3. In this post, I will examine a third approach, NSEC5, and a related concept that protects client information, tokenized queries. The concepts I discuss below are topics we've studied in our long-term research program as we evaluate new technologies. more

Cryptographic Tools for Non-Existence in the Domain Name System: NSEC and NSEC3

In my previous post, I described the first broad scale deployment of cryptography in the DNS, known as the Domain Name System Security Extensions (DNSSEC). I described how a name server can enable a requester to validate the correctness of a "positive" response to a query -- when a queried domain name exists -- by adding a digital signature to the DNS response returned. more

The Domain Name System: A Cryptographer's Perspective

As one of the earliest protocols in the internet, the DNS emerged in an era in which today's global network was still an experiment. Security was not a primary consideration then, and the design of the DNS, like other parts of the internet of the day, did not have cryptography built in. Today, cryptography is part of almost every protocol, including the DNS. And from a cryptographer's perspective, as I described in my talk at last year's International Cryptographic Module Conference (ICMC20), there's so much more to the story than just encryption. more

.com Is A Clear and Present Danger to Online Safety

"The Internet is the real world now." This assessment was offered by Protocol, a technology industry news site, following the very real violence on Capitol Hill during the counting of the electoral college votes that officially determines the next president of the United States. The media outlet went on to say that, "[t]he only difference is, you can do more things and reach more people online -- with truth and with lies -- than you can in the real world." more

2020 Domain Name Year in Review

2020 - a year like no other. The impact of COVID on the domain name industry was felt far and wide as ICANN meetings were held virtually, travel was cancelled, TLD launches were delayed, the topic of domain name abuse was front and center, and we all tried to navigate a "new" normal. Unlike many sectors, the domain name industry was fortunate and, in many ways, survived 2020 unscathed. Much of our industry was able to continue working from home after an initial period of adjustment. more

NTIA Objects to Planned o.com Auction

According to media sources, the National Telecommunications and Information Administration (NTIA) wrote to Verisign last Friday, objecting to the company's plan to auction o.com to the highest bidder. The planned release for o.com - described by the Second Amendment to the .com Registry Agreement and intended as a pilot for the remaining reserved single-character .com names - involved an opaque consideration process that ignored community input and set aside hard-won trademark protections developed by stakeholders in order to maximize dollars earmarked for an unidentified cadre of non-profit organizations. more

Industry Updates

Verisign Q4 2020 Domain Name Industry Brief: 366.3 Million Domain Name Registrations in Q4 2020

A Look at Recent Attacks on K-12 Distance Learning Providers Using Domain Intelligence

SolarWinds Cyber Intel Analysis Part 2: A Look at Additional CISA-Published IoCs

Blind Eagle Targeted Attack: Using Threat Intelligence Tools for IoC Analysis and Expansion

Cyber Threat Intel Analysis and Expansion of SolarWinds Identified IoCs

Threat Intel Expansion on Cosmic Lynx BEC Campaign's Recorded IoCs

QAnon and 8Chan Digital Footprint Analysis and Investigation Expansion

Attack Surface Discovery: A Review of FINRA-lookalike Domain and Linked IoCs

A Brief OSINT Analysis of Charming Kitten IoCs

MarkMonitor Releases New gTLD Quarterly Report for Q4 2020

Revisiting APT1 IoCs with DNS and Subdomain Intelligence

Dark Caracal: Undisclosed Targeted Attack IoCs Can Pose Risks

Verisign Q3 2020 Domain Name Industry Brief: Internet Grows to 370.7M Domain Name Registrations

What Subdomains Lookup Revealed About Thousands of Microsoft-Related Subdomains

10 Common Digital Threats to Businesses