Welcome:
Login
|
Sign Up
|
About CircleID
Follow:
|
|
|
DNS Security |
Sponsored by |
|
In late August the White House mandated that all of the agencies in the US government have functioning DNSSEC capabilities deployed and operational by December 2009. I am suggesting here that we, as a community, commit to the same timetable. I call upon VeriSign and other registries to bring up DNSSEC support by January 2009. more
Do you have information about DNS security or routing security that you would like to share with the global community? Have you developed a new tool or system in this area? Do you have results from a research project that you want to share with a technical community? If so, please consider submitting a proposal to the DNSSEC and Security workshop to be held at ICANN 74 in June 2022. more
Over the past several years, domain name queries - a critical element of internet communication - have quietly become more secure, thanks, in large part, to a little-known set of technologies that are having a global impact. Verisign CTO Dr. Burt Kaliski covered these in a recent Internet Protocol Journal article, and I'm excited to share more about the role Verisign has performed in advancing this work and making one particular technology freely available worldwide. more
Ten years ago today, and with 300,000 domains in the zone file, we introduced DNSSEC at .se. It was the end of a fairly long journey, or at least the first stage. The first Swedish workshop to test the new function according to the specifications from the Internet Engineering Task Force was arranged in 1999. At that time, I was still working in the IT Commission's Secretariat, and the standard was far from complete as it turned out. Our ambition was to change the world, at least the world that exists on the internet. more
The project to sign the DNS root zone with DNSSEC took an additional step toward completion yesterday with the last of the "root server" hosts switching to serving signed DNSSEC data. Now every DNS query to a root server can return DNSSEC-signed data, albeit the "deliberately unvalidatable" data prior to the final launch. Another key piece for a working signed root is the acceptance of trust anchors in the form of DS records from top-level domain operators. These trust anchors are used to form the chain of trust from the root zone to the TLD. more
With DNSSEC for the root zone going into production in a couple of weeks, it is now possible for Top Level Domain (TLD) managers to submit their Delegation Signer (DS) information to IANA. But what does this really mean for a TLD? In this post we're going to try to sort that out. more
Decentralization is a big trend in IT, and everyone has their own definition of what "decentralization" really means. With more organizations fully embracing a work-from-anywhere culture, decentralization has moved past being a fad and turned into a necessity. Decentralized cybersecurity is nothing new. Many of us have been doing it since before the pandemic. more
The non-contracted parties of the ICANN community met in Reykjavík last week for their annual intersessional meeting, where at the top of the agenda were calls for more transparency, operational consistency, and procedural fairness in how ICANN ensures contractual compliance. ICANN, as a quasi-private cooperative, derives its legitimacy from its ability to enforce its contracts with domain name registries and registrars... more
In my last post, I looked at what happens when a DNS query renders a "negative" response -- i.e., when a domain name doesn't exist. I then examined two cryptographic approaches to handling negative responses: NSEC and NSEC3. In this post, I will examine a third approach, NSEC5, and a related concept that protects client information, tokenized queries. The concepts I discuss below are topics we've studied in our long-term research program as we evaluate new technologies. more
According to the latest Infrastructure Security Report by Arbor Netowrks, the Internet architecture and operations is about to face a perfect storm with the convergence of issues including IPv4 to IPv6 migration, implementation of DNS Security Extensions (DNSSEC) and to 4-byte ASNs (used for inter-domain routing on the Internet). "Any one of these changes alone would constitute a significant architectural and operational challenge for network operators; considered together, they represent the greatest and potentially most disruptive set of circumstances in the history of the Internet, given its growth in importance to worldwide communications and commerce," says the report.
more
How can you use the latest open Internet standards to make web servers as secure and as fast as possible? How can you ensure your web site is available to everyone across the global network of networks? Please join me on Wednesday, February 26, 2020, from 13:00 – 14:00 UTC in our first InterCommunity 2020 event to learn about the Internet Society's new "Open Standards Everywhere" project. more
The ICANN Security and Stability Advisory Committee (SSAC) and the Internet Society Deploy360 Programme are planning a DNSSEC and Security Workshop during the ICANN67 meeting held from 07-12 March 2020 in Cancun, Mexico. The original DNSSEC Workshop has been a part of ICANN meetings for many years and has provided a forum for both experienced and new people to meet, present, and discuss current and future DNSSEC deployments. more
We are at an inflection point in our lifetimes. The Internet is broken, seriously broken... Almost all of the systems currently in use on the Internet are based on implicit trust. This has to change. The problem is that these systems are so embedded in our everyday lives that it would be, sort of like, changing gravity, very difficult. more
Private DNS data lakes consolidate fragmented logs into a centralised platform, improving visibility, security, and compliance. They enable advanced analytics, strengthen threat detection, and help organisations optimise network performance in increasingly complex IT environments. more
In August of last year I wrote in a blog about the importance of cryptech to wide-scale trust in the Internet. For those who don't know about it, http://cryptech.is is a project aiming to design and deploy an openly developed, trustable Hardware Security Module (HSM) which can act both as a keystore (holding your secrets and keeping them private) and as a signing engine. more
A World-Renowned Source for Internet Developments. Serving Since 2002.
