The recent news that .uk, .arpa and .org may sign their zones sometime this year is indeed good news. Each domain is highly significant... As the DNSSEC registry infrastructure moves inexorably forward -- primarily driven by top level pressure and considerations of National Interest -- it now behoves us to clearly articulate the benefits of DNSSEC to domain owners and registrars. In particular I want to focus on the vast majority of us to whom cold, hard cash is important and parting with it requires as a minimum tangible benefits or, in extreme cases, surgical intervention. more
As expected, VeriSign raised the price of domain names, effective in October. New prices wholesale prices (to the registrar) for .com domain names are going from $6.42 to $6.86, while .net will increase from $3.85 to $4.23. This news came a few days ago in a letter to registrars. (Hint to consumers: renew your domains now.) ...So, basically, many if not most of VeriSign's registry costs have been falling at an exponential rate. Hard disk storage, computing performance, bandwidth, RAM storage... yet the cost is going up. How is this justified? more
Day two of Domain Pulse 2008 last Friday (see review of day one) focused on online security issues giving the techies amongst us details of security issues, and the more policy-orientated amongst us something to chew on in a few other presentations. Kieren McCarthy, these days of ICANN, also gave some insights into the drawn out sex.com drama with more twists and turns than the average soap opera has in a year! And Randy Bush outlined the problems with IPv6. Among other presentations... more
The Internet Governance Project has unearthed a consultancy report to the U.S. Department of Homeland Security (DHS) that makes it clear that the issue of root signing and DNSSEC key management has been recognized as a political issue within the US government for long time. more
After looking at the state of DNSSEC in some detail a little over a year ago in 2006, I've been intending to come back to DNSSEC to see if anything has changed, for better or worse, in the intervening period... To recap, DNSSEC is an approach to adding some "security" into the DNS. The underlying motivation here is that the DNS represents a rather obvious gaping hole in the overall security picture of the Internet, although it is by no means the only rather significant vulnerability in the entire system. One of the more effective methods of a convert attack in this space is to attack at the level of the DNS by inserting fake responses in place of the actual DNS response. more
There is currently a discussion going on between Milton Mueller and Patrik Fältström over the deployment of DNSSEC on the root servers. I think the discussion exemplifies the difficult relation between those who develop standards and those who use them. On the one hand, Milton points out that the way the signing of the root zone will be done will have a great influence on the subjective trust people and nation states will have towards the system. On the other hand, Patrik states that "DNSSEC is just digital signatures on records in this database". Both are right, of course, but they do not speak the same language... more
I was talking to my good friend Verner Entwhistle the other day when he suddenly turned to me and said "I don't think we need DNSSEC". Sharp intake of breath. Transpired after a long and involved discussion his case boiled down to four points: 1. SSL provides known and trusted security, DNSSEC is superfluous, 2. DNSSEC is complex and potentially prone to errors, 3. DNSSEC makes DoS attacks worse, 4. DNSSEC does not solve the last mile problem. Let's take them one at a time... more
DNS rebinding attacks are real and can be carried out in the real world. They can penetrate through browsers, Java, Flash, Adobe and can have serious implications for Web 2.0-type applications that pack more code and action onto the client. Such an attack can convert browsers into open network proxies and get around firewalls to access internal documents and services. It requires less than $100 to temporarily hijack 100,000 IP addresses for sending spam and defrauding pay-per-click advertisers. Everyone is at risk and relying on network firewalls is simply not enough. In a paper released by Stanford Security Lab, "Protecting Browsers from DNS Rebinding Attacks," authors Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh provide ample detail about the nature of this attack as well as strong defenses that can be put in place in order to help protect modern browsers. more
ICANN has embarked on the IDN boat at the same time it wants to introduce DNSSEC and new gTLDs. This promises lots of fun. Or grey hair, depending how you look at it. First is the issue of country code IDNs. The ISO-3166 table, based on two letter codes, is a western convention. Some cultures do not use abbreviations or acronyms. Some do not use a character-based alphabet, but a syllabic one. Hence, the next logical step would be to represent the full country name in local script, rather than a transliteration of the ISO string... Imagine the case of India, where there are 1.652 languages, of which 24 are spoken by more than one million people... more
One of my staff members pointed me to an article by Mikko Hyppönen in Foreign Policy. In this article Mikko argues that a new top level domain (TLD) like .bank for some reason would prevent on-line fraud, at least partially. Mikko seems to be arguing that with a dedicated TLD registry for financial institutions and a fee high enough to act as an entry barrier you would have a trustworthy bank domains that would be immune against today's phising attempts... more
A World-Renowned Source for Internet Developments. Serving Since 2002.