For nearly all communications on today's Internet, domain names play a crucial role in providing stable navigation anchors for accessing information in a predictable and safe manner, irrespective of where you're located or the type of device or network connection you're using. Over the past 15 years hundreds of millions of domain names have been added to the Internet's Domain Name System (DNS), and well over two billion (that's Billion!) new users, some ~34 percent of the global population, have become connected. more
Today ICANN releases a paper with the title "DNSSEC @ ICANN - Signing the root zone: A way forward toward operational readiness". The paper explains in more detail than earlier documents what ICANN view on signing of the root zone is. I think the key points mentioned in this paper are true, and in general, I think this document is a good read. It is not long, and summarizes what I would call the current view is. more
Respected ICANN Chairman of the Board Steve Crocker has wrapped up his organisation's 47th International Meeting, held in Durban last week, with a message to the community. This message, reproduced here in its entirety, provides both a useful and concise summary of the Durban meeting and insights into the Chairman's view of where ICANN stands at the moment, the successes it has notched up and the challenges it faces. more
Only two years after signing the DNS root zone, the powerful lure of a secure global infrastructure for data distribution is starting to reveal itself. It is illustrated clearly by two proposed technical standardizations that seek to leverage secure DNS. To some degree these developments highlight the strength of DNS institutions and how they might fill gaps elsewhere in the Internet's governance. But an increasing reliance upon and concentration of power in the DNS also makes getting its global governance correct even more important. more
Did you know that over 50% of .CZ domains are now signed with DNS Security Extensions (DNSSEC)? Or that over 2.5 million .NL domains and almost 1 million .BR domains are now DNSSEC-signed? Were you aware that around 80% of DNS clients are now requesting DNSSEC signatures in their DNS queries? And did you know that over 100,000 email domains are using DNSSEC and DANE to enable secure email between servers? more
The Internet Society today announced it has signed a Memorandum of Understanding with Shinkuro and Parsons to collaborate on multiple initiatives to promote the global deployment of Domain Name System Security Extensions (DNSSEC). more
Comcast, a leading ISP in the U.S., has fully deployed Domain Name System Security Extensions (DNSSEC) according to a company announcement today. Jason Livingood, Comcast's Vice President of Internet Systems writes: "As of today, over 17.8M residential customers of our Xfinity Internet service are using DNSSEC-validating DNS servers. In addition, all of the domain names owned by Comcast, numbering over 5,000, have been cryptographically signed. All of our servers, both the ones that customers use and the ones authoritative for our domain names, also fully support IPv6." more
For a long time, arguments about the meaning of "DNS Abuse" prevented fruitful discussions within the ICANN community on when and how it is appropriate to act at the level of the DNS to address abuses online. The proposed amendments to RA and RAA agreements represent a significant and welcomed step in the right direction. As Secretariat of the Internet & Jurisdiction Policy Network (I&JPN), we strongly encourage their adoption... more
Sender Address Validation and Authentication (SAVA) is the silver bullet. It will send to Cyberia all dark forces that make us shiver when we make a purchase on the internet, pose a threat to our very identities and have made DDoS a feared acronym. Some of you will remember the heated debates when Calling Line Identification (CLID) was first introduced in telephony. Libertarians of all stripes called passionately to ban such an evil tool... more
In a little over two weeks, precisely in 17 days (on 11 October 2018 at 16:00 UTC), ICANN will roll the Domain Name System Security Extensions (DNSSEC) root Key Signing Key (KSK). If you are a Domain Name System (DNS) and DNSSEC expert already engaged globally on the topic, you are certainly both well aware and ready for the rollover. This article is probably not for you! If however, you are out there focused on your day to day running or managing a DNS infrastructure... more
In 2021, we discussed a potential future shift from established public-key algorithms to so-called "post-quantum" algorithms, which may help protect sensitive information after the advent of quantum computers. We also shared some of our initial research on how to apply these algorithms to the Domain Name System Security Extensions, or DNSSEC. In the time since that blog post, we've continued to explore ways to address the potential operational impact of post-quantum algorithms on DNSSEC, while also closely tracking industry research and advances in this area. more
It's unclear what this means in the long run. Do bad actions and actors go undetected? Do we lose our visibility into network management? What is a "secure" network, and how do we secure it using traditional techniques of network perimeter traffic inspection when all the network traffic is opaque? If we can't see inside the DNS anymore, then how can we tell if (or when) the DNS has been captured by one or two digital behemoths? more
Complete DNSSEC implementation requires that domains are authenticated at the root by the Registry, and that DNS zones and records are authenticated as well. Now before I go any further, let me begin by stating that I fully support the development and deployment of DNSSEC and that the vulnerabilities presented by Cache Poisoning are very real, especially for those websites collecting login credentials or other types of sensitive information. more
How can we track the amount of DNSSEC validation happening globally? Is there a way we can see the trend over time to (we hope!) see validation rise? At the recent excellent DNSSEC Workshop at ICANN 50 in London Geoff Huston let me know that his APNIC Labs team has now created this exact type of trend chart. more
The U.S. House Judiciary Committee is investigating Google's plans to implement DNS over HTTPS (DoH) in Chrome according to a report by the Wall Street Journal over the weekend. more