DNS Security

DNS Security / Most Commented

Why DNS Blacklists Don’t Work for IPv6 Networks

All effective spam filters use DNS blacklists or blocklists, known as DNSBLs. They provide an efficient way to publish sets of IP addresses from which the publisher recommends that mail systems not accept mail. A well run DNSBL can be very effective; the Spamhaus lists typically catch upwards of 80% of incoming spam with a very low error rate. DNSBLs take advantage of the existing DNS infrastructure to do fast, efficient lookups. A DNS lookup typically goes through three computers... more

Dan Kaminsky Releases Phreebird for Easy DNSSEC

Today marks another key step in DNSSEC deployment. Congrats to Dan Kaminsky, chief scientist at Doxpara and one of our partners on the Practice Safe DNS campaign, on the release of his new code Phreebird. Announced today at Black Hat Abu Dhabi, Phreebird Suite 1.0 is a free, easy-to-use toolkit that lets organizations "test-drive" DNSSEC deployment. more

Study Finds Majority of U.S. Gov’t Agencies Fail to Meet Security Mandate for DNSSEC Adoption

Majority of U.S. Federal agencies using .gov domains have not signed their DNS with DNSSEC (Domain Name Security Extensions) despite a December 2009 Federal deadline for adoption, according to the latest report by IID (Internet Identity). IID analyzed the DNS of more than 2,900 .gov domains and has released the results in its "Q3 State of DNS Report". more

DNSSEC Taking Center Stage at 2010 Black Hat

On July 28th DNSSEC took center stage at the 2010 Black Hat Conference in Las Vegas. Two years ago, at the same conference, Dan Kaminsky unveiled the infamous DNS bug that many believe became a major catalyst for DNSSEC implementation. To kick things off, Jeff Moss -- founder of Black Hat -- in his opening speech called out the fact that "we have not solved any fundamental problems" and noted that the technical community must catch up. more

White House on the DNSSEC Deployment: “A Major Milestone on Internet Security”

Andrew McLaughlin reporting in the White House website: "Last week marked a significant advance in the security of the Internet. After years of intensive design, testing, and implementation work, the Internet's domain name system now has a new security upgrade that allows Internet service providers and end users alike to protect against an important online vulnerability: the clandestine redirecting of online communications to unwanted destinations." more

July 2010: The End of the Beginning for DNSSEC

July 15, 2010 (yesterday) marked the end of the beginning for DNSSEC, as the DNS root was cryptographically signed. For nearly two decades, security researchers, academics and Internet leaders have worked to develop and deploy Domain Name System Security Extensions (DNSSEC). DNSSEC was developed to improve the overall security of the DNS, a need which was dramatized by the discovery of the Kaminsky bug a few years ago. more

Three Reasons Why It Makes Sense to Deploy DNSSEC Now

As many of you may know, today .ORG announced that all of its 8.5 million domains are now able to be fully DNSSEC signed - the largest set of domain names in the world so far that has access to this key security upgrade. .. The widespread publicity that the Kaminsky bug got around the world vindicated a decision made in several companies to invest time, effort and money into deploying DNSSEC. The community was split on the value of the DNSSEC effort -- many thought the deployment was quixotic, while a few others thought it was appropriate. more

DNSSEC Becomes a Reality Today at ICANN Brussels

Attendees at the public ICANN meeting in Brussels today heard from over two dozen companies that have implemented or are planning to support DNSSEC, the next-generation standard protocol for secured domain names. It is clearer than ever before that DNSSEC is becoming a reality. more

Top Level Domains and a Signed Root

With DNSSEC for the root zone going into production in a couple of weeks, it is now possible for Top Level Domain (TLD) managers to submit their Delegation Signer (DS) information to IANA. But what does this really mean for a TLD? In this post we're going to try to sort that out. more

Today Marks a Giant Step Towards DNSSEC Deployment

The global deployment of Domain Name System Security Extensions (DNSSEC) is charging ahead. With ICANN 38 Brussels just around the corner, DNSSEC deployment will inevitably be the hot topic of discussion over the next few days. Case in point, today, ICANN hosted the first production key ceremony at a secure facility in Culpepper, Va. where the first cryptographic digital key was used to secure the Internet root zone. The ceremony's goal was simple: for the global Internet community to trust that the procedures involved with DNSSEC are executed correctly and that the private key materials are stored securely. more

Preventing DNS Strain When You Deploy DNSSEC

The barriers to DNSSEC adoption are quickly disappearing. There are nearly 20 top-level domains that have already deployed DNSSEC including generic TLDs like .org and .gov. This July, the DNS root will also be signed, and will begin validating. At this point, the decision for remaining TLDs to deploy DNSSEC is really no longer a question. more

First Root Zone DNSSEC KSK Ceremony

ICANN will hold the first Root Zone DNSSEC KSK Ceremony on Wednesday 2010-06-16 in Culpeper, VA, USA. ... Attendance within the key ceremony room itself will be limited to just those with an operational requirement to execute the ceremony. However, since this event has generated significant interest, we have made additional space available in an adjacent room for observers who wish to attend the event. more

The Extent of DNS Services Being Blocked in China

The most recent episode of The Ask Mr. DNS Podcast offers up some disturbing corroborating evidence as to the extent of DNS filtering and outright blocking occurring in China. VeriSign's Matt Larson and InfoBlox's Cricket Liu, who co-host the geeky yet engaging and extremely informative show, held a roundtable discussion including technical experts from dynamic name service providers (better known as "managed DNS" services) DynDNS, TZO, No-IP, and DotQuad, as well as Google and Comcast. more

More Stepping Stones Before This Summer’s Seminal DNSSEC Events

The deployment of Domain Security Extensions (DNSSEC) has crossed another milestone this month with the publication of DURZ (deliberately unvalidatable root zone) in all DNS root servers on 5 May 2010. While this change was virtually invisible to most Internet users, this event and the remaining testing that will occur over these next two months will dictate the ultimate success of DNSSEC deployment across the Internet. more

How to Place Top-Level Domain Trust Anchors in the Root

The project to sign the DNS root zone with DNSSEC took an additional step toward completion yesterday with the last of the "root server" hosts switching to serving signed DNSSEC data. Now every DNS query to a root server can return DNSSEC-signed data, albeit the "deliberately unvalidatable" data prior to the final launch. Another key piece for a working signed root is the acceptance of trust anchors in the form of DS records from top-level domain operators. These trust anchors are used to form the chain of trust from the root zone to the TLD. more