DNS Security |
Sponsored by |
|
I've been incredibly lucky in my time at Neustar to lead both the exceptional Registry and Security teams. While these divisions handle their own unique product and service offerings, it's clear that they have some obvious crossovers in their risks, opportunities and challenges. Having been closely involved in the strategy of both these teams, it strikes me that there is more we as Registry Operators and service providers can and should be doing to align the world of cybersecurity with that of domain names. more
March 22, 2019, saw the completion of the final important step in the Key Signing Key (KSK) rollover - a process which began about a year and half ago. What may be less well known is that post rollover, and until just a couple days ago, Verisign was receiving a dramatically increasing number of root DNSKEY queries, to the tune of 75 times higher than previously observed, and accounting for ~7 percent of all transactions at the root servers we operate. more
Because the speed of DNS is so important to the performance of any connection on the 'net, a lot of thought goes into making DNS servers fast, including optimized software that can respond to queries in milliseconds, and connecting DNS servers to the 'net through high bandwidth links. To set the stage for massive DDoS attacks based in the DNS system, add a third point: DNS responses tend to be much larger than DNS queries. more
With the latest "DNSpionage" attack, ICANN astutely prompted domain name holders to fully deploy DNSSEC on their names. Afilias absolutely supports this and encourages the same. In this post, I remind you of why DNSSEC is important and our continued role. Afilias has a long history in the development and advocacy of DNSSEC. In 2007, we partnered with Public Interest Registry to help found dnssec-deployment.org. more
Recently, the DNS has come under an extensive attack. The so-called "DNSpionage" campaigns have brought to light the myriad methods used to infiltrate networks. These attacks employed phishing, system hopping via key exfiltration, and software zero day exploits, illustrating that many secure networks may not be fully protected. more
Will you be at the ICANN 64 meeting in March 2019 in Kobe, Japan? If so (or if you can get to Kobe), would you be interested in speaking about any work you have done (or are doing) with DNSSEC, DANE or other DNS security and privacy technologies? If you are interested, please send a brief (1-2 sentence) description of your proposed presentation before 07 February 2019. more
It is once again time for our annual review of posts that received the most attention on CircleID during the past year. Congratulations to all the 2018 participants for sharing their thoughts and making a difference in the industry. more
ICANN just recently performed a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) Rollover. The recent KSK Rollover that took place on the 11th October 2018. The KSK Rollover has been successful and congratulations are in order. The Root Zone DNSSEC Key Signing Key "KSK" is the top most cryptographic key in the DNSSEC hierarchy. The KSK is a cryptographic public-private key pair. more
Are you ready? Are your systems prepared so that DNS will keep functioning for your networks? One week from today, on Thursday, October 11, 2018, at 16:00 UTC ICANN will change the cryptographic key that is at the center of the DNS security system - what we call DNSSEC. The current key has been in place since July 15, 2010. This is a long-planned replacement. more
In a little over two weeks, precisely in 17 days (on 11 October 2018 at 16:00 UTC), ICANN will roll the Domain Name System Security Extensions (DNSSEC) root Key Signing Key (KSK). If you are a Domain Name System (DNS) and DNSSEC expert already engaged globally on the topic, you are certainly both well aware and ready for the rollover. This article is probably not for you! If however, you are out there focused on your day to day running or managing a DNS infrastructure... more
DNS-over-TLS has recently become a welcome addition to the range of security protocols supported by DNS. It joins TSIG, SIG(0) and DNSSEC to add privacy, and, in the absence of validating stub resolvers, necessary data integrity on the link between a full-service resolver and the users' stub resolver. (The authenticated source feature of TLS may also offer some additional benefits for those of a nervous disposition.) Good stuff. What is not good stuff is... more
The DNS system is, unfortunately, rife with holes like Swiss Cheese; man-in-the-middle attacks can easily negate the operation of TLS and website security. To resolve these problems, the IETF and the DNS community standardized a set of cryptographic extensions to cryptographically sign all DNS records... Now that these standards are in place, how heavily is DNSSEC being used in the wild? How much safer are we from man-in-the-middle attacks against TLS and other transport encryption mechanisms? more
Do you have a great idea about DNSSEC or DANE that you'd like to share with the wider community? If so, and you're planning to be in Barcelona, Spain for ICANN63 in October 2018, submit a proposal to present your idea at the DNSSEC Workshop! Send a brief (1-2 sentence) description of your proposed presentation to dnssec-barcelona@isoc.org by Friday, 07 September 2018. more
The APNIC Blog has recently published a very interesting article by Willem Toorop of NLnet Labs on the relationship between Security Extensions for the DNS (DNSSEC) and DNS over Transport Layer Security. Willem is probably being deliberately provocative in claiming that "DoT could realistically become a viable replacement for DNSSEC." If provoking a reaction was indeed Willem's intention, then he has succeeded for me, as it has prompted this reaction. more
The period around the end of the nineteenth century and the start of the twentieth century saw a number of phenomenal advances in the physical sciences. There was J.J. Thompson's discovery of the electron in 1897, Max Planck's quantum hypothesis in 1900, Einstein's ground-breaking papers on Brownian motion, the photoelectric effect and special relativity in 1905, and Ernest Rutherford's study of the nucleus published in 1911 to mention but a few of the fundamental discoveries of the time. more
Afilias today announced that it has promoted Ram Mohan to the newly created position of Chief Operating Officer, responsible for most of the day-to-day operations of Afilias and its global subsidiaries. more
IDG's Computerworld announces Ram Mohan, Afilias' executive vice president and chief technology officer, as a 2016 Premier 100 Technology Leaders honoree. This year's Premier 100 spotlights 100 leaders of companies for their exceptional technology leadership and innovative approaches to business challenges. more
IONs are part of the Internet Society's Deploy360 Programme, which aims to foster the global adoption of key Internet technology standards such as IPv6, DNSSEC, and secure routing protocols. more
We're excited to bring a new top-level domain into the Afilias family and help grow the use of it. I also think it shows that the top-level domain business is a unique one -- and it's not one to be entered into lightly. more
The Stop Online Piracy Act (SOPA) is the subject of substantial controversy in the United States, and the domain name industry is squarely in the middle of the debate. Many DNS service providers and technology developers in the industry oppose SOPA, Afilias among them. Here's why. more
Afilias, a global provider of Internet infrastructure services, today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for .GI, the country code Top Level Domain (ccTLD) for Gibraltar, .MN for Mongolia, and .SC for the Seychelles. more
This week, at the 79th Internet Engineering Task Force (IETF) meeting in Beijing, China, Afilias and DotAsia jointly announced that Domain Name System Security Extensions (DNSSEC) has been enabled for the .ASIA top-level domain. more
A World-Renowned Source for Internet Developments. Serving Since 2002.
