Latest news of the domain name industry

ICANN got hacked by crypto bots

Kevin Murphy, April 16, 2019, Domain Tech

ICANN had to take down its community wiki for several hours last week after it got hacked by crypto-currency miners.

The bad guys got in via one of two “critical” vulnerabilities in Confluence, the wiki software that ICANN licenses from Atlassian Systems, which ICANN had not yet patched.

ICANN’s techies noticed the wiki, which is used by many of its policy-making bodies to coordinate their work, was running slowly April 11.

They quickly discovered that Atlassian had issued a vulnerability warning on March 20, but ICANN was not on its mailing list (doh!) so hadn’t been directly notified.

They also determined that a malicious “Crypto-Miner” — software that uses spare CPU cycles to attempt to create new cryptocurrency coins — had been installed and was responsible for the poor performance.

ICANN said it took the wiki down, restored it to a recent backup, patched Confluence, and brought the system back online. It seems to have taken a matter of hours from discovery to resolution.

The organization said it has now subscribed to Atlassian’s mailing list, so it will be notified of future vulnerabilities directly.

Root servers whacked after crypto change

Kevin Murphy, March 27, 2019, Domain Tech

The DNS root servers came under accidental attack from name servers across the internet following ICANN’s recent changes to their cryptographic master keys, according to Verisign.

The company, which runs the A and J root servers, said it saw requests for DNSSEC data at the root increase from 15 million a day in October to 1.15 billion a day a week ago.

The cause was the October 11 root Key Signing Key rollover, the first change ICANN had made to the “trust anchor” of DNSSEC since it came online at the root in 2010.

The KSK rollover saw ICANN change the cryptographic keys that rest at the very top of the DNSSEC hierarchy.

The move was controversial. ICANN delayed it for a year after learning about possible disruption at internet endpoints. Its Security and Stability Advisory Committee and even its own board were not unanimous that the roll should go ahead.

But the warnings were largely about the impact on internet users, rather than on the root servers themselves, and the impact was minimal.

Verisign is now saying that requests to its roots for DNSSEC key data increased from 15 million per day to 75 million per day, a five-fold increase, almost overnight.

It was not until January, when the old KSK was marked as “revoked”, that the seriously mahooosive traffic growth began, however. Verisign’s distinguished engineer Duane Wessels wrote:

Everyone involved expected this to be a non-event. However, we instead saw an even bigger increase in DNSKEY queries coming from a population of root server clients. As of March 21, 2019, Verisign’s root name servers receive about 1.15 billion DNSKEY queries per day, which is 75 times higher than pre-rollover levels and nearly 7 percent of our total steady state query traffic.

Worryingly, the traffic only seemed to be increasing, until March 22, when the revoked key was removed from the root entirely.

Wessels wrote that while the root operators are still investigating, “it would seem that the presence of the revoked key in the zone triggered some unexpected behavior in a population of validating resolvers.”

The root operators hope to have answers in the coming weeks, he wrote.

The next KSK rollover is not expected for years, and the root traffic is now returning to normal levels, so there’s no urgency.
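What “revoked” means on the wire, as an added example that is not from the original post or from Verisign: under RFC 5011 a revoked KSK stays in the DNSKEY set with the REVOKE flag bit set, which also changes its RFC 4034 key tag, and a validator must stop treating it as a trust anchor. The key bytes and the `trusted_tags` helper are constructed for illustration; they are not real root keys or any resolver's code.

```python
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 7)
ZONE_KEY = 0x0100  # key is allowed to sign zone data
REVOKE = 0x0080    # key holder has revoked this key
SEP = 0x0001       # secure entry point: marks a key-signing key


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """Build DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum of the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def describe(rdata):
    """Decode the fields a validating resolver looks at first."""
    flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    role = "KSK" if flags & SEP else "ZSK"
    if not flags & ZONE_KEY:
        role = "not a zone key"
    return {"flags": flags, "role": role, "algorithm": algorithm,
            "revoked": bool(flags & REVOKE), "key_tag": key_tag(rdata)}


def trusted_tags(rrset, anchors):
    """Configured anchor tags still usable: present as a KSK and not revoked.
    Simplification: a real validator also verifies signatures first."""
    live = {d["key_tag"] for d in map(describe, rrset)
            if d["role"] == "KSK" and not d["revoked"]}
    return sorted(live & set(anchors))


# Constructed key material: fixed bytes, NOT real root keys.
OLD_KEY, NEW_KEY = bytes(range(256)), bytes(reversed(range(256)))
OLD_KSK = dnskey_rdata(ZONE_KEY | SEP, 8, OLD_KEY)                   # flags 257
OLD_KSK_REVOKED = dnskey_rdata(ZONE_KEY | SEP | REVOKE, 8, OLD_KEY)  # flags 385
NEW_KSK = dnskey_rdata(ZONE_KEY | SEP, 8, NEW_KEY)                   # flags 257

if __name__ == "__main__":
    for rdata in (OLD_KSK, OLD_KSK_REVOKED, NEW_KSK):
        print(describe(rdata))
```

Because the flags field is part of the checksummed RDATA, the same public key shows up under a different key tag once it is revoked, so a resolver that still has only the old tag configured finds no matching key in the zone.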

The internet is still working after KSK roll

Kevin Murphy, October 16, 2018, Domain Tech

The first-ever change to the security keys at the top of the DNS tree appears to have been a non-event.

While ICANN received reports of some disruptions after last Thursday’s KSK rollover, the impact appears to have fallen short of the millions of users that had been speculated.

ICANN said yesterday:

After evaluation of the available data, there does not appear to be a significant number of Internet end-users who have been persistently and negatively impacted by the changing of the key.

The few issues that have arisen appear to have been quickly mitigated and none suggested a systemic failure that would approach the threshold (as defined by the ICANN community) to initiate a reversal of the roll. In that context, it appears the rollover to the new Key Signing Key, known as KSK 2017, has been a success.

The KSK, also sometimes called the “trust anchor”, is the ultimate cryptographic key in the chain that secures all DNSSEC queries on the internet.

October 11 was the first time it had been changed since the first version came online in 2010.

While changing the key was broadly considered sound security practice, the roll was delayed by a year after it was discovered that potentially millions of endpoints were using DNS resolvers not properly configured to use the 2017 key.

After much research, outreach and gnashing of teeth, it was decided that the risk posed by rolling the KSK now fell within acceptable parameters of collateral damage.

Experts from the likes of Google and Verisign, and one ICANN director, had urged caution and said perhaps the roll should be delayed further while more data was gathered.

But they were in the minority, ICANN went ahead anyway, and it seems their fears have not come to pass.

The KSK is now likely to be rolled regularly — it could be as little as once every five years, or more frequently.

It also gives ICANN the opportunity to eventually update the system to swap out its current RSA keys for keys based on elliptic curve cryptography, which could reduce the traffic load on the DNS as a whole.

Google adds censorship workaround to Android devices

Kevin Murphy, October 5, 2018, Domain Tech

Google is using experimental DNS to help people in censorious regimes access blocked web sites.

Alphabet sister company Jigsaw this week released an Android app called Intra, which enables users to tunnel their DNS queries over HTTPS to compatible servers, avoiding common types of on-the-wire manipulation.

The company reportedly says it has been testing the app with Venezuelan dissidents recently.

The feature will also be built in to the next version of Android — known as Android 9 or Android Pie — where it will be called Private DNS.

The app is designed for people who for one reason or another are unable to update their device’s OS.

Intra and Private DNS use “DNS over HTTPS”, an emerging protocol Google and others have been working on for a while.

As it’s non-standard, end users will have to configure their devices or Intra apps to use a DoH-compatible DNS server. The public DNS services operated by Google (8.8.8.8) and Cloudflare (1.1.1.1) are both currently compatible.

The release comes even as Google faces controversy for allegedly kowtowing to the Chinese government’s demands for censored search and news results.

You may notice that the new app is being marketed via a .org web site, rather than Google’s own .app gTLD, but intra.app takes visitors directly to the Intra page on the Google Play store.

Emoji domains now easier to use

Kevin Murphy, September 25, 2018, Domain Tech

Emoji domains have become marginally easier to navigate to in the last month, following an update to Google’s Chrome browser.

Google has added “Emoji” to the context menu that appears when users right-click in any editable text field — including the address/search bar.

Clicking the option brings up a searchable list of common emojis that can be inserted into the address bar for either search or, with the addition of a typed-in TLD, navigation.

TLDs currently supporting emojis include .ws, .fm and .to. ICANN has ruled out support for emojis in the gTLDs for security reasons.

When the domain is resolved, the emojis render in the address bar as Punycode-converted Latin characters beginning with the usual “xn--” prefix, at least under my default configuration.

The whole process is still a bit fiddly, so I wouldn’t rush out to build your businesses on emoji domains just yet.

The context menu feature appears to have been on the experimental track in Chrome for at least a month, but was more recently turned on by default, at least on all the Chrome 69 installs I’ve tested.

If you don’t get the emoji option in your context menu, you should be able to turn it on by navigating to chrome://flags/#enable-emoji-context-menu and selecting the Enabled option.
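The Punycode conversion described above, as an added example that is not part of the original post: it encodes an emoji label to its “xn--” form, decodes such labels back, and reports which labels of a domain contain Unicode symbol code points, the kind of check a registry or mail filter can apply. The function names and sample domains are constructed for illustration, and the encoder uses raw Punycode without the full IDNA mapping a browser performs.

```python
import unicodedata

ACE_PREFIX = "xn--"  # marks a Punycode-encoded ("A-label") DNS label


def to_ascii(label):
    """Encode one label for the DNS. Simplification: raw Punycode only,
    without the IDNA mapping and validation steps a browser applies."""
    if label.isascii():
        return label.lower()
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def to_unicode(label):
    """Decode an xn-- label back to Unicode; other labels pass through."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")


def symbol_labels(domain):
    """Return (ascii_label, [code point names]) for each label whose decoded
    form contains Unicode symbols (general categories So, Sk, Sm, Sc)."""
    findings = []
    for label in domain.rstrip(".").split("."):
        try:
            decoded = to_unicode(label)
        except UnicodeError:
            findings.append((label, ["<undecodable Punycode>"]))
            continue
        names = [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
                 for ch in decoded if unicodedata.category(ch).startswith("S")]
        if names:
            findings.append((label, names))
    return findings


# Constructed sample names: an emoji label, an ordinary IDN, a plain name.
SAMPLES = [to_ascii("\U0001F4A9") + ".ws", "xn--mnchen-3ya.de", "example.org"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", symbol_labels(name) or "no symbol code points")
```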