Consultant, developer, trainer and author
Joined on October 4, 2005
Total Post Views: 73,065
Ronald (Ron) Aitchison - Ron is the President of Zytrax, Inc., a Montreal-based company that specializes in wireless and wire-line IP communications. Zytrax develops its own products as well as undertaking specialized consulting, training, system design and development for clients. Zytrax supports its own and customer hosted DNS, Web, email and LDAP services on a mixed network of FreeBSD, Windows and the occasional Linux systems and has been an Open Source user since 1998.
He is the author of Pro DNS and BIND (ISBN 1590594940), published by Apress in August 2005, and the mistitled Pro DNS and BIND 10, published by Apress in 2010. Prior to founding Zytrax in 1994, Ron worked in senior roles in development, sales and marketing in both Europe and the US.
He started his computer career in 1973 as a grunt systems programmer developing communications software for mainframes in a 19th-century Palace outside of Edinburgh, Scotland. He moved into sales and marketing for a number of years before returning to real - technical - work when he established Zytrax. He was educated in Mechanical Engineering at the University of Strathclyde in Glasgow, Scotland, a long time ago.
Except where otherwise noted, all postings by Ron Aitchison on CircleID are licensed under a Creative Commons License.
DNS-over-TLS has recently become a welcome addition to the range of security protocols supported by DNS. It joins TSIG, SIG(0) and DNSSEC to add privacy, and, in the absence of validating stub resolvers, necessary data integrity on the link between a full-service resolver and the users' stub resolver. (The authenticated source feature of TLS may also offer some additional benefits for those of a nervous disposition.) Good stuff. What is not good stuff is...
The recent news that .uk, .arpa and .org may sign their zones sometime this year is indeed good news. Each domain is highly significant... As the DNSSEC registry infrastructure moves inexorably forward -- primarily driven by top level pressure and considerations of National Interest -- it now behoves us to clearly articulate the benefits of DNSSEC to domain owners and registrars. In particular I want to focus on the vast majority of us to whom cold, hard cash is important and parting with it requires as a minimum tangible benefits or, in extreme cases, surgical intervention.
I was talking to my good friend Verner Entwhistle the other day when he suddenly turned to me and said "I don't think we need DNSSEC". Sharp intake of breath. Transpired after a long and involved discussion his case boiled down to four points: 1. SSL provides known and trusted security, DNSSEC is superfluous, 2. DNSSEC is complex and potentially prone to errors, 3. DNSSEC makes DoS attacks worse, 4. DNSSEC does not solve the last mile problem. Let's take them one at a time...
Seems that DNSSEC is being subjected to what an old boss of mine used to call the "fatal flaw seeking missiles" which try to explain the technical reasons that DNSSEC is not being implemented. First it was zone walking, then the complexity of Proof of Non-Existence (PNE), next week ... one shudders to think. While there is still some modest technical work outstanding on DNSSEC, NSEC3 and the mechanics of key rollover being examples, that work, of itself, does not explain the stunning lack of implementation or aggressive planning being undertaken within the DNS community.