A few weeks ago, on Oct. 1, 2016, Verisign successfully doubled the size of the cryptographic key that generates DNSSEC signatures for the internet's root zone. With this change, root zone DNS responses can be fully validated using 2048-bit RSA keys. This project involved work by numerous people within Verisign, as well as collaborations with ICANN, Internet Assigned Numbers Authority (IANA) and National Telecommunications and Information Administration (NTIA). more
In its security bulletin, Akamai's Security Intelligence Response Team (SIRT) reported on abuse of DNS Security Extensions (DNSSEC) when mounting a volumetric reflection-amplification attack. This is not news, but I'll use this opportunity to talk a bit about whether there is a trade-off between the increased security provided by DNSSEC and increased size of DNS responses that can be leveraged by the attackers. more
The IETF held its 115th meeting in London in November 2022. This was another in the set of hybrid meetings with specific support for online attendees in addition to the normal face-to-face meetings for the week. In no particular order, here are a few of my impressions from the IETF meeting. more
Andrew McLaughlin reporting in the White House website: "Last week marked a significant advance in the security of the Internet. After years of intensive design, testing, and implementation work, the Internet's domain name system now has a new security upgrade that allows Internet service providers and end users alike to protect against an important online vulnerability: the clandestine redirecting of online communications to unwanted destinations." more
For the last couple of years, the most common attack vector against the DNS system is the attack against the registrar. Either the attack is on the software itself using weaknesses in the code that could inject DNS changes into the TLD registry, or social engineering the registrar support systems and the attacker receives credentials that in turn allows the attacker to perform malicious changes in DNS. DNSSEC is the common security mechanism that protects the DNS protocol, but by using the registrar attack, any changes will result in a proper working DNS delegation. more
Friday marks the beginning of the ICANN 57 meeting in Hyderabad, India. As per usual there will be a range of activities related to DNSSEC or DANE. Two of the sessions will be streamed live and will be recorded for later viewing. Here is what is happening. All times below are India Standard Time (IST), which is UTC+05:30. Please do join us for a great set of sessions about how we can work together to make the DNS more secure and trusted! more
Domain Name System (DNS) Operators (Registries and Registrars) receive notices asking them to take action on a wide range of alleged technical and content-related abuses. However, there is a fundamental question of when it is appropriate to act at the DNS level and the evaluation of whether the alleged abuse meets a sufficient threshold for action at the DNS level. Additionally, given the volume of abuses occurring on the internet, existing resources, mechanisms, and protocols available in-house to Operators are in many cases insufficient to address abuses in a timely fashion. more
Do you have information or an idea you would like to share with members of the broader DNS / DNSSEC community? Have you developed a new tool that makes DNSSEC or DANE deployment easier? Have you performed new measurements? Would you like feedback about a new idea you have? Would you like to demonstrate a new service you have? If so, we're seeking proposals for the DNSSEC Workshop to be held at ICANN57 in Hyderabad, India, in early November 2016. more
There has been plenty of buzz and chatter on the Internet recently concerning a very large DDoS attack against CloudFlare, with coverage on their blog, the New York Times, and the BBC, among many others. While attacks of this nature are certainly nothing new, the scale of this attack was surprising, reported to hit 120Gbps. For a sense of scale, your average cable modem is only about 20Mbps, or about 0.016% of that bandwidth. more
DNS Abuse and how to address it has been the topic of intense, often conflictual, and rarely conclusive discussions for many years, starting with the very definition of the term and the degree of responsibility bestowed upon DNS operators. In 2018, after several months of intersessional work, the Internet & Jurisdiction Global Conference brought together in Ottawa more than 200 key stakeholders to define a roadmap to address certain jurisdictional challenges on the Internet, including DNS abuse. more
ICANN will hold the first Root Zone DNSSEC KSK Ceremony on Wednesday 2010-06-16 in Culpeper, VA, USA. ... Attendance within the key ceremony room itself will be limited to just those with an operational requirement to execute the ceremony. However, since this event has generated significant interest, we have made additional space available in an adjacent room for observers who wish to attend the event. more
The ICANN Security and Stability Advisory Committee (SSAC) and the Internet Society Deploy360 Programme are planning a DNSSEC and Security Workshop on Wednesday, 06 November 2019, during the ICANN66 meeting held from 02-07 November 2019 in Montreal, Canada. The original DNSSEC Workshop has been a part of ICANN meetings for many years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. more
DNSSEC is a hot topic. It's a technology newly unleashed on popular networking, which has led to countless articles and posts on the subject, including right here on CircleID. The way a lot of articles try to get your attention is to talk about a technology, like DNSSEC, in a way that makes the technology either seem really significant or really complicated. That is why a lot of articles about DNSSEC make it sound like something huge, complicated, and scary. But it's not. more
A DNSSEC failure plunged hundreds of Russian-language websites into darkness on Tuesday evening, rendering .ru and .рф domains inaccessible. The outage affected users both within and outside Russia, with major platforms such as Tinkoff Bank, Avito, Wildberries, Yandex, and MTS experiencing disruptions. more
Maintaining an 150 year old house requires two things, a lot of time and a lot of trips to the hardware store. Since the closest hardware store to my house is Home Depot, it is rare that a weekend passes without at least one trip to Home Depot. So now in the wake of the Home Depot data breach I am through no fault of my own in a situation where any or all of the bank cards I use regularly could be cancelled if the issuer decides they might be compromised. And this is not the first time this has happened to me this year. more
A World-Renowned Source for Internet Developments. Serving Since 2002.