DNS Security

DNS Security / Most Commented

Announcement: Critical Internet Infrastructure WG is Now Open to Public Participation

ISOTF Critical Internet Infrastructure WG is now open to public participation. The group holds top experts on internet technology, critical infrastructure, and internet governance, from around the globe. Together, we discuss definitions, problems, challenges and solutions in securing and assuring the reliability of the global internet infrastructure, which is critical infrastructure for a growing number of nations, corporations and indeed, individuals -- world wide. more

DNS Survey Results Pandora’s Box of Both Frightening and Hopeful Results, Says Cricket Liu

The fifth-annual survey of domain name servers (DNS) on the public Internet -- called a "Pandora's box of both frightening and hopeful results" -- was released today by The Measurement Factory in partnership with Infoblox. more

ICANN 36 Preview: What’s ‘On Sale’ in Seoul

Last time the ICANN faithful gathered in Sydney, there was a fair bit of unrest and some big unknowns. The Implementation Recommendation Taskforce (IRT) report on how Intellectual Property (IP) could be protected in the era of new Top-Level Domains (TLDs) stirred the pot as did, to a lesser extent, the issue of Registry-Registrar separation in new TLDs. Additionally, everyone had big questions on their minds - when the root would be signed (and DNSSEC fully implemented)... Four months later and five thousand miles almost due north, the netizens gathering at ICANN 36 in Seoul know the answers to some of those very important questions. more

RIPE at 59!

RIPE, or Réseaux IP Européens, is a collaborative forum open to all parties interested in wide area IP networks in Europe and beyond... RIPE has been a feature of the European Internet landscape for some twenty years now, and it continues to be a progressive and engaged forum. These days RIPE meets twice a year, and the most recent meeting was held at Lisbon, Portugal, from the 5th to the 9th of October 2009. In this column I'd like to share some of my impressions of this meeting. more

Rod Beckstrom’s First 100 Days at ICANN

Rod Beckstrom took over as ICANN President/CEO on July 1, 2009, so October 9th marked his 100th day in office -- and a good opportunity to examine the progress made by ICANN during his short tenure. ...to borrow an analogy from American football: when you have the ball in the Red Zone, you need to score touchdowns, not field goals. So far, under Rod's leadership, ICANN has moved down the field on a number of issues. In particular, ICANN scored a "touchdown heard round the world" by bringing the MoU/JPA to a successful conclusion. more

Canada Launching DNSSEC Test-Bed for Country’s .CA Domain

The Canadian Internet Registration Authority (CIRA) for the .ca country code Top-Level Domain yesterday announced the launch of a test-bed initiative for DNSSEC. CIRA’s Chief Information Officer, Norm Ritchie who made the official announcement at the SecTor security conference in Toronto, says it began the process of implementing DNSSEC in early 2009 and the implementation date is set for 2010. So far, over 15 Top-Level Domains have already deployed DNSSEC including dot-gov and dot-org. more

DNSSEC Signed ROOT by 1 July 2010

Mehmet Akcin writes: As announced today as part of RIPE meeting in Lisbon, Portugal by Joe Abley, DNS Group Director at ICANN, and Matt Larson, Vice President of DNS Research at VeriSign, in their presentation (Page 25), DNSSEC for the root zone is proposed to be fully deployed by July 1, 2010. The Draft Timeline suggests Root zone being signed by December 1, 2009 while initially staying internal to ICANN and VeriSign. The incremental roll out of the signed root would then take place from January until July 2010. more

Root Scaling Study Report is Out

Earlier this year, ICANN began to seriously consider the various effects of adding DNS protocol features and new entries into the Root Zone. With the NTIA announcement that the Root Zone would be signed this year, a root scaling study team was formed to assess the scalability of the processes used to create and publish the Root Zone. Properly considered, this study should have lasted longer than the 120 days -- but the results suggest that scaling up the root zone is not without risk -- and these risks should be considered before "green-lighting" any significant changes to the root zone or its processes. I, for one, would be interested in any comments, observations, etc. (The caveats: This was, by most measures, a rush job. My spin: This is or should be a risk assessment tool.) Full report available here [PDF]. more

Afilias and Neustar to Collaborate With ISC on DNS Security Initiative

Internet Systems Consortium (ISC) has announced that it is working with Afilias and Neustar, Inc. in the effort to support ISC's DNSSEC Look-aside Validation (DLV) registry by providing secondary DNS service for the DLV zone. DLV is a mechanism that provides many of the benefits of DNSSEC (short for DNS Security Extensions), enabling domain holders to secure their domain information today in advance of broader DNSSEC deployment and adoption. "Adding Afilias and Neustar as secondary DNS providers for the DLV zone demonstrates our collective understanding that DLV is a vitally important production service bigger than any single provider in the same way that there are 13 root server operators, not just one." more

OpenDNSSEC Launched to Help Drive Adoption of DNSSEC

A team of developers including .SE (The Internet Infrastructure Foundation), LNetLabs, Nominet, Kirei, SURFnet, SIDN and John Dickinson have come together to create open source software, called OpenDNSSEC, to make it easier to deploy DNSSEC. Patrik Wallström, responsible for DNSSEC at .SE comments: "In order to spread the use of DNSSEC to an increased number of domain names, the management surrounding this technology must be simplified. Together with a number of collaborators, we're developing OpenDNSSEC. Leveraging our deployment experience, we will produce a well-packaged, easy-to-use and flexible DNSSEC tool that eliminates all manual procedures. Those in charge of name servers no longer need detailed knowledge about the protocol in order to use it." more

When You Hear “Security,” Think “National Sovereignty”

These days you can hardly talk about Internet governance without hearing about security. DNSSEC is a hot issue, ICANN's new president is a cyber-security expert, and cyberattacks seem to be a daily occurrence.
This reflects a larger shift in US policy. Like the Bush administration before it, the Obama administration is making security a high priority for the US. Only now the emphasis is on security in cyberspace. The outlines of the new policy were published in the recent US Cyberspace Policy Review, which even recommends a cyber security office directly in the White House. more

ICANN 35: What’s Going Down, Down Under (Want the Low Down?)

As I've been getting ready to catch my plane for ICANN 35 (Sydney), I can't help but thinking that there are a lot of things going down these days that will dramatically affect makeup of the Internet for years to come. Next year at this time, the root could be a very, very different place. A few of the items that will be getting deconstructed, discussed, debated Down Under are outlined below... more

Survey Finds “Complexity” as Most Common Challenge in Deploying DNSSEC

According to a recent survey conducted by the European Network and Information Security Agency (ENISA), 78% of service providers in Europe have plans to deploy DNSSEC within the next 3 years. On the other hand, the study also found 22% have no plans to deploy DNSSEC in the next 3 years. more

Why DNS Is Broken, Part 1: Trust

So this Internet thing, as we discussed in our last article, is broken. I promised to detail some of the specific things that are broken. Implicit trust is the Achilles heel of the Internet... All of the communication between the resolver and the DNS server is in plain text that can be easily seen and changed while in transit, further, the resolver completely trusts the answer that was returned... more

DNS Insecurity

The Internet as we know it and use it today -- is broken, badly broken. Yes broken so much so that we are really crazy to have any expectations of privacy or security. Yes, really. The Internet was conceived as somewhat of a utopian environment, one where we all keep our doors, windows and cars unlocked and we trust all the people and machines out there to "do the right thing...". more