DNS |
Sponsored by |
|
Well more than a year ago, ICANN's Security and Stability Advisory Committee published SSAC 053, its paper on single-label domain names - now referred to in the community as "dotless" domains - advising against their use. In a robust comment period, the community weighed in on the utility and safety of dotless domains, with some in favor and some opposed. To address the matter, ICANN has commissioned further study of the issue with an eye toward resolving the issue for new gTLD applicants. more
Three vectors were exploited in the recent DDoS attack against Spamhaus: 1) Amplification of DNS queries through the use of DNSSEC signed data; 2) Spoofed source addresses due to lack of ingress filtering (BCP-38) on originating networks; 3) Utilisation of multiple open DNS resolvers While. 1) is unavoidable simply due to the additional data that DNSSEC produces, and 2) "should" be practised as part of any provider's network configuration, it is 3) that requires "you and I" ensure that systems are adequately configured. more
I first became familiar with DNSSEC around 2002 when it was a feature of the Bind9 server, which I was using to setup a new authoritative DNS platform for customers of the ISP I was working for. I looked at it briefly, decided it was too complex and not worth investigating. A couple of years later a domain of a customer got poisoned in another ISPs network. And while the DNS service we provided was working properly, the customers impression was we hadn't protected them. more
On January 18, 2012, Comcast customers found they could not access the NASA.gov website. Some users assumed that Comcast was deliberately blocking the website or that NASA, like Wikipedia and Reddit, was participating in the "blackout" protests against the Stop Online Piracy Act (SOPA) going on that day. As it turned out, the truth was much less exciting, but it offers important lessons about DNSSEC. more
The U.S. Congress' road to Stopping Online Piracy (SOPA) and PROTECT IP (PIPA) has had some twists and turns due to technical constraints imposed by the basic design of the Internet's Domain Name System (DNS). PIPA's (and SOPA's) provisions regarding advertising and payment networks appear to be well grounded in the law enforcement tradition called following the money, but other provisions having to do with regulating American Internet Service Providers (ISPs) so as to block DNS resolution for pirate or infringing web sites have been shown to be ineffectual, impractical, and sometimes unintelligible. more
The leaked release of the European Commission's working papers on the future of Top Level Domains highlights the impending collision between adherents of the present "multistakeholder" ICANN governance model, and an ever longer list of national governments who challenge that model. At the core of the controversy is the question of how ICANN can claim legitimacy in the DNS world when none of its Directors or Officers are elected. Even worse, its only answer, when challenged legally, is that it is responsive to its contract with an agency of the U.S. Government... more
The Domain Name System Security Extensions (DNSSEC) is a suite of IETF-developed specifications designed to validate information provided by the Domain Name System (DNS). ... When the root zone was signed in June 2010, this acted as a catalyst for TLD operators to deploy DNSSEC on their side. We have seen a gradual but significant increase in signed TLDs since then. The map in this post shows the level of DNSSEC deployment in Europe. more
I think we are finally getting somewhere: ICANN is no longer fluttering flusteredly whenever a lobbying group sends a nastygram over the transom. Case in point: a Association of National Advertisers (ANA) that arrived a few days ago, full of bombast and muscle-flexing, demanding that ICANN immediately stop the new gTLD program until a long list of demands from the ANA were met, or else the ANA would be forced to take some Very Scary Actions... more
There's been a fair amount of controversy of late about ICANN's decision to dramatically increase the number of top-level domains. With a bit of effort, though and with little disruption to the infrastructure -- we could abolish the issue entirely. Any string whatsoever could be used, and it would all Just Work. That is, it would Just Work in a narrow technical sense; it would hurt innovation and it would likely have serious economic failure modes. more
Over the last two days I have sat in a room and watched a rather interesting dynamic unfold between the ICANN Board and its Government Advisory Committee (GAC). While I remain optimistic of there being a responsible closure to the new gTLD implementation process within the next six months, an apparent double standard being used by the ICANN Board could be a potential stumbling block. more
History is a great teacher, we are told. So, on the cusp of an explosion in new top-level domains, what can we learn from the two previous expansions of the Internet's naming space? And what are the pitfalls to avoid? Let's just assume the fundamental and obvious lessons of realistic expectations, a solid business plan and prudent resource management, and instead focus on the little talked about but still critical lessons that will separate the winners and the losers in this race. But first - a caveat! more
Economists aren't very good at predicting things, as any one with money in the stock market can attest. The most powerful economist in the United States, the Chairman of the Federal Reserve, is on record predicting a continuing climb in housing prices -- just prior to their precipitous decline. And yet their crystal balls still hold some allure for those who need to present "evidence" about the future. Such is the case with ICANN and the new generic Top-Level Domain (gTLD) program. more
It's no secret that Comcast has been leading the charge of DNSSEC deployment among ISPs. For the past couple years, Comcast has been testing and pushing for the widespread adoption of DNSSEC. In the spirit of increasing adoption, I thought I would interview the DNS gurus at Comcast to see what they've learned and what advice they would give other ISPs considering DNSSEC deployment. more
My book, "The Current State of Domain Name Regulation: Domain Names as Second Class Citizens in a Mark-dominated World" is now available by Routledge. The following is an overview of the book. more
One would think with an annual budget in excess of 60 million dollars a year and a staff of upwards of 140 (including consultants), that someone would have figured out how to prevent the organization from repeatedly shooting itself in the foot. Unfortunately not even a year of star-fish management oversight by the likes of Rod Beckstrom seems to have done the trick. Exhibit One, earlier this week on CircleID we learned about the first Root Zone DNSSEC KSK Ceremony on Wednesday 2010-06-16 in Culpeper, VA, USA. Of course given the significance of this event one would reasonably assume that ICANN might mention this somewhere on the main page of their website? more
A World-Renowned Source for Internet Developments. Serving Since 2002.