DNS Security

DNS Security / Featured Blogs

DNS… Wait a SEC

Complete DNSSEC implementation requires that domains are authenticated at the root by the Registry, and that DNS zones and records are authenticated as well. Now before I go any further, let me begin by stating that I fully support the development and deployment of DNSSEC and that the vulnerabilities presented by Cache Poisoning are very real, especially for those websites collecting login credentials or other types of sensitive information. more

DNSSEC No Longer Pie-in-the-Sky: Time to Develop a Strategy

You may have seen media reports a few weeks ago describing how servers behind the so-called Great Firewall of China were found delivering incorrect DNS information to users in the rest of the world, thereby redirecting users to edited Web pages. Reports indicate that this apparently occurred due to a caching error by a single Internet Service Provider. While the problem was fairly limited in scope, it could have entirely been prevented in a world where DNSSEC was fully deployed. more

DNSSEC Ready Set Go! But, Wait, Are You Ready?

The year 2010 is turning out to be the "year of DNSSEC" from Registry implementations, Registrar implementations, ISP support, to the Root being signed this summer. Because we are dealing with such critical infrastructure, it is important to not lose sight of careful implementations. more

MIT 2010 Spam Conference Starts Tomorrow…

In January we presented the glorious history of the MIT spam conference, today we present the schedule for the first day. Opening session will be from this author, Garth Buren with a topic entitled The Internet Doomsday Book, with details be released the same day as the presentation. Followed by Dr. Robert Bruen with a review of activities since the last MIT spam conference... more

OpenDNS Adopts Proposed DNS Security Solution: DNSCurve

For more than 15 years, the IETF has been working on DNSSEC, a set of extensions to apply digital signatures to DNS. Millions of dollars in government grants and several reboots from scratch later, DNSSEC is just starting to see real world testing. And that testing is minimal -- only about 400 of the more than 85,000,000 .com domains support DNSSEC, fewer than 20% of US government agencies met their mandated December 31, 2009 deadline for DNSSEC deployment, and only two of the thirteen root zone name servers is testing with even dummy DNSSEC data. more

DNS Resolvers and DNSSEC: Roll Over and Die?

Security is great when all the green lights are shining brightly and everything validates as intended, but what happens when you encounter failure? In this work we examine the behaviour of the DNS when security, in the form of DNSSEC is added, and we look at what happens when things do not happen as intended. What triggered this examination was a sudden increase in the traffic generated by secondary servers for the in-addr.arpa reverse zones in December 2009. more

IPv6 and the Swedish Public Sector

No one can have failed to notice that the last IPv4 address will soon be allocated. We have lived with a shortage of addresses for 15 years, but when the last address is allocated, the shortage will become acute, instead of just a pain, as it is today... In The Hitchhiker's Guide to the Galaxy, Douglas Adams describes the least expensive and most effective method for making something invisible. You simply decide that it is Someone Else's Problem or SEP, if you abbreviate. This is an approach that is frighteningly similar to the Swedish public sector's view of the address shortage on the Internet. "It is not our problem -- if we ignore it, it will probably go away." more

Swiss Among World Leaders in Enabling DNSSEC

SWITCH, the registry for .CH and .LI domain names, enabled DNSSEC on day two of the annual Domain Pulse conference in Luzern yesterday. SWITCH became the third ccTLD registry to enable DNSSEC giving registrants of .CH domain names added security following .SE (Sweden) and .CZ (Czech Republic). more

Domain Name Security Gains Prominence in German-Speaking World

The 2010 Domain Pulse, hosted by SWITCH (the .CH registry) was held in the snowy Swiss city of Luzern. Domain Name Security (DNS) was of particular importance in this year's meeting with DNSSEC being implemented in the root zone in 2010 by ICANN, and by many registries in the next few years. ICANN plan to have all root servers signed with DNSSEC by mid-2010 Kim Davies, Manager, Root Zone Services at ICANN told the meeting, starting with the L root server, then A root server with the last being the J root server as all are gradually signed. more

DNSSEC: Will Microsoft Have Enough Time?

I have previously pointed out the shortcomings of good and user friendly support for DNSSEC in Microsoft's Server 2008 R2. During the period just after I wrote the post, I had a dialogue with Microsoft, but during the last months there has been no word at all. The reason I bring this up again is that more and more Top Level Domains (TLDs) now enable DNSSEC and also the fact that within six months the root will be signed. more