DNS Security

DNS Security / Most Viewed

Trusted Notifier Arrangements Require Trust: Why Unpacking Misunderstandings Around Trusted Notifiers Is Important for Dealing With DNS-related Abuse

Domain Name System (DNS) Operators (Registries and Registrars) receive notices asking them to take action on a wide range of alleged technical and content-related abuses. However, there is a fundamental question of when it is appropriate to act at the DNS level and the evaluation of whether the alleged abuse meets a sufficient threshold for action at the DNS level. Additionally, given the volume of abuses occurring on the internet, existing resources, mechanisms, and protocols available in-house to Operators are in many cases insufficient to address abuses in a timely fashion. more

Security Through Obscurity as an Institution

One of my staff members pointed me to an article by Mikko Hyppönen in Foreign Policy. In this article Mikko argues that a new top level domain (TLD) like .bank for some reason would prevent on-line fraud, at least partially. Mikko seems to be arguing that with a dedicated TLD registry for financial institutions and a fee high enough to act as an entry barrier you would have a trustworthy bank domains that would be immune against today's phising attempts... more

DNSSEC Rally

In late August the White House mandated that all of the agencies in the US government have functioning DNSSEC capabilities deployed and operational by December 2009. I am suggesting here that we, as a community, commit to the same timetable. I call upon VeriSign and other registries to bring up DNSSEC support by January 2009. more

A Report on DNS Operations, Analysis, and Research Center (DNS-OARC) 30th Meeting

DNS Operations, Analysis, and Research Center (DNS-OARC) held its 30th meeting in Bangkok on the 12th and 13th May. Here's what attracted my interest from two full days of DNS presentations and conversations, together with a summary of the other material that was presented at this workshop. Some Bad News for DANE (and DNSSEC): For many years the Domain Name X509 certification system, or WebPKI, has been the weak point of Internet security... more

OARC-39: Notes on the Recent DNS Operations, Analysis, and Research Centre Workshop

OARC held its fall meeting in Belgrade on October 22 and 23. Here are my impressions of some of the presentations from that meeting... UI, UX, and the Registry/Registrar Landscape - One of the major reforms introduced by ICANN in the world of DNS name management was the separation of registry and registrar functions. The intent was to introduce competition into the landscape by allowing multiple registries to enter names into a common registry. more

Remote Work Demands Encryption

Now that we are all working from home (WFH), the need for encryption must also increase in priority and awareness. Zoom's popular video conferencing solution got in hot water because they promised "end-to-end" encryption but didn't deliver on it - prompting some organizations to ban it from use altogether. Encryption protects confidential information from being exposed in transmission, providing a secure way for the intended recipient to get the information without snooping by others. more

How to Place Top-Level Domain Trust Anchors in the Root

The project to sign the DNS root zone with DNSSEC took an additional step toward completion yesterday with the last of the "root server" hosts switching to serving signed DNSSEC data. Now every DNS query to a root server can return DNSSEC-signed data, albeit the "deliberately unvalidatable" data prior to the final launch. Another key piece for a working signed root is the acceptance of trust anchors in the form of DS records from top-level domain operators. These trust anchors are used to form the chain of trust from the root zone to the TLD. more

What’s in Your DNS Query?

Privacy problems are an area of wide concern for individual users of the Internet -- but what about network operators? Geoff Huston wrote an article earlier this year concerning privacy in DNS and the various attempts to make DNS private on the part of the IETF -- the result can be summarized with this long, but entertaining, quote. more

Call for Participation – ICANN DNSSEC and Security Workshop for ICANN76 Community Forum

Are you doing something interesting with DNS, DNSSEC, or routing security that you would like to share with the larger DNS community at the ICANN 76 meeting in March 2023? If so, please send a brief (1 -- 3 sentence) description of your proposed presentation to [email protected] by the close of business on Friday, 20 January 2023. Are you doing something interesting with DNS, DNSSEC, or routing security that you would like to share with the larger DNS community at the ICANN 76 meeting in March 2023? more

Ten Years of Secure DNS at .se! (What We Learned)

Ten years ago today, and with 300,000 domains in the zone file, we introduced DNSSEC at .se. It was the end of a fairly long journey, or at least the first stage. The first Swedish workshop to test the new function according to the specifications from the Internet Engineering Task Force was arranged in 1999. At that time, I was still working in the IT Commission's Secretariat, and the standard was far from complete as it turned out. Our ambition was to change the world, at least the world that exists on the internet. more

Top Level Domains and a Signed Root

With DNSSEC for the root zone going into production in a couple of weeks, it is now possible for Top Level Domain (TLD) managers to submit their Delegation Signer (DS) information to IANA. But what does this really mean for a TLD? In this post we're going to try to sort that out. more

At the NCPH Intersessional, Compliance Concerns Take Centre Stage

The non-contracted parties of the ICANN community met in Reykjavík last week for their annual intersessional meeting, where at the top of the agenda were calls for more transparency, operational consistency, and procedural fairness in how ICANN ensures contractual compliance. ICANN, as a quasi-private cooperative, derives its legitimacy from its ability to enforce its contracts with domain name registries and registrars... more

Decentralizing Cybersecurity Via DNS

Decentralization is a big trend in IT, and everyone has their own definition of what "decentralization" really means. With more organizations fully embracing a work-from-anywhere culture, decentralization has moved past being a fad and turned into a necessity. Decentralized cybersecurity is nothing new. Many of us have been doing it since before the pandemic. more

Arbor Networks: Internet Architecture and Operations Facing Perfect Storm

According to the latest Infrastructure Security Report by Arbor Netowrks, the Internet architecture and operations is about to face a perfect storm with the convergence of issues including IPv4 to IPv6 migration, implementation of DNS Security Extensions (DNSSEC) and to 4-byte ASNs (used for inter-domain routing on the Internet). "Any one of these changes alone would constitute a significant architectural and operational challenge for network operators; considered together, they represent the greatest and potentially most disruptive set of circumstances in the history of the Internet, given its growth in importance to worldwide communications and commerce," says the report.
 more

Newer Cryptographic Advances for the Domain Name System: NSEC5 and Tokenized Queries

In my last post, I looked at what happens when a DNS query renders a "negative" response -- i.e., when a domain name doesn't exist. I then examined two cryptographic approaches to handling negative responses: NSEC and NSEC3. In this post, I will examine a third approach, NSEC5, and a related concept that protects client information, tokenized queries. The concepts I discuss below are topics we've studied in our long-term research program as we evaluate new technologies. more