Welcome:
Login
|
Sign Up
|
About CircleID
Follow:
|
|
|
DNS Operations, Analysis, and Research Center (DNS-OARC) held its 30th meeting in Bangkok on the 12th and 13th May. Here's what attracted my interest from two full days of DNS presentations and conversations, together with a summary of the other material that was presented at this workshop. Some Bad News for DANE (and DNSSEC): For many years the Domain Name X509 certification system, or WebPKI, has been the weak point of Internet security... more
If you are interested in speaking at the ICANN 68 DNSSEC Workshop, please send a brief (1-2 sentence) description of your proposed presentation to [email protected] by 29 May 2020. This online workshop will be Monday, 22 June 2020, from 02:00 – 04:30 UTC (10:00 – 12:30 Kuala Lumpur) We are doing something new this time and would like to get a feel for attendance for this virtual meeting. more
The EU has been pushing for the development of DNS4EU, a public European DNS resolver with built-in filtering capabilities, as a way to strengthen the "digital sovereignty" of the EU and protect citizens, companies, and public institutions from phishing attacks and malware. In December 2021, a consortium of 13 public and private companies from ten European countries were granted the project to build a public DNS resolution service tailored for the EU. more
In late August the White House mandated that all of the agencies in the US government have functioning DNSSEC capabilities deployed and operational by December 2009. I am suggesting here that we, as a community, commit to the same timetable. I call upon VeriSign and other registries to bring up DNSSEC support by January 2009. more
One of my staff members pointed me to an article by Mikko Hyppönen in Foreign Policy. In this article Mikko argues that a new top level domain (TLD) like .bank for some reason would prevent on-line fraud, at least partially. Mikko seems to be arguing that with a dedicated TLD registry for financial institutions and a fee high enough to act as an entry barrier you would have a trustworthy bank domains that would be immune against today's phising attempts... more
Do you have information about DNS security or routing security that you would like to share with the global community? Have you developed a new tool or system in this area? Do you have results from a research project that you want to share with a technical community? If so, please consider submitting a proposal to the DNSSEC and Security workshop to be held at ICANN 74 in June 2022. more
In today's interconnected world, your business's online identity is increasingly more vulnerable than ever. With the rapid advancement of AI and 6G technologies, cyber threats are evolving at an alarming rate, making it critical to protect your brand's digital presence. How can businesses proactively safeguard their online identity in this changing landscape? more
Privacy problems are an area of wide concern for individual users of the Internet -- but what about network operators? Geoff Huston wrote an article earlier this year concerning privacy in DNS and the various attempts to make DNS private on the part of the IETF -- the result can be summarized with this long, but entertaining, quote. more
The project to sign the DNS root zone with DNSSEC took an additional step toward completion yesterday with the last of the "root server" hosts switching to serving signed DNSSEC data. Now every DNS query to a root server can return DNSSEC-signed data, albeit the "deliberately unvalidatable" data prior to the final launch. Another key piece for a working signed root is the acceptance of trust anchors in the form of DS records from top-level domain operators. These trust anchors are used to form the chain of trust from the root zone to the TLD. more
Over the past several years, domain name queries - a critical element of internet communication - have quietly become more secure, thanks, in large part, to a little-known set of technologies that are having a global impact. Verisign CTO Dr. Burt Kaliski covered these in a recent Internet Protocol Journal article, and I'm excited to share more about the role Verisign has performed in advancing this work and making one particular technology freely available worldwide. more
Ten years ago today, and with 300,000 domains in the zone file, we introduced DNSSEC at .se. It was the end of a fairly long journey, or at least the first stage. The first Swedish workshop to test the new function according to the specifications from the Internet Engineering Task Force was arranged in 1999. At that time, I was still working in the IT Commission's Secretariat, and the standard was far from complete as it turned out. Our ambition was to change the world, at least the world that exists on the internet. more
Decentralization is a big trend in IT, and everyone has their own definition of what "decentralization" really means. With more organizations fully embracing a work-from-anywhere culture, decentralization has moved past being a fad and turned into a necessity. Decentralized cybersecurity is nothing new. Many of us have been doing it since before the pandemic. more
With DNSSEC for the root zone going into production in a couple of weeks, it is now possible for Top Level Domain (TLD) managers to submit their Delegation Signer (DS) information to IANA. But what does this really mean for a TLD? In this post we're going to try to sort that out. more
The non-contracted parties of the ICANN community met in Reykjavík last week for their annual intersessional meeting, where at the top of the agenda were calls for more transparency, operational consistency, and procedural fairness in how ICANN ensures contractual compliance. ICANN, as a quasi-private cooperative, derives its legitimacy from its ability to enforce its contracts with domain name registries and registrars... more
In my last post, I looked at what happens when a DNS query renders a "negative" response -- i.e., when a domain name doesn't exist. I then examined two cryptographic approaches to handling negative responses: NSEC and NSEC3. In this post, I will examine a third approach, NSEC5, and a related concept that protects client information, tokenized queries. The concepts I discuss below are topics we've studied in our long-term research program as we evaluate new technologies. more
A World-Renowned Source for Internet Developments. Serving Since 2002.