Latest news of the domain name industry

Recent Posts

Symantec gets into the DNS game with Dyn

Kevin Murphy, May 27, 2010, Domain Tech

Symantec has partnered with Dyn to offer a free DNS service to mobile Norton users.

As part of its new mobile strategy, expected to be announced later today, Symantec will provide free DNS resolution with a built-in filter that blocks potentially dangerous domains.

Dyn.com will provide the back-end, which will compete with the likes of OpenDNS and Google’s DNS service.

Non-technical users will be able to download a client application that configures their local DNS to work with the service, which drops one barrier to entry.

Symantec reportedly expects to earn revenue from advertising links – presumably by intercepting NXDOMAIN responses and providing sponsored error pages.

So the deal could be a bit of a money-spinner for Dyn; it’s certainly a further validation of its service.

But is it sexy? Hmm…

Four of the top 100 brands have insecure domain names

Kevin Murphy, May 26, 2010, Domain Tech

Some of the world’s most famous global brands have domain names that are still vulnerable to the Kaminsky exploit and could be hijacked by others.

Earlier today, I ran all of the brands on Deloitte’s list of the top 100 brands through a vulnerability testing tool provided by IANA.

The results show that four of these brands – all household names – have domains classed as “highly vulnerable” to the Kaminsky exploit.

If the IANA test is reliable, this means that false data could be injected into their name servers, potentially redirecting users to a web site belonging to the attacker.

Another eight brands had domains that the IANA tool reported might be “vulnerable” to attacks, but which had measures in place to mitigate the risk.

The Kaminsky bug has been public for almost two years. It’s a cache poisoning attack in which a recursive name server is tricked into providing false data about a domain.

It becomes particularly scary when a domain’s authoritative name servers also have their recursive functions turned on. A successful attack could redirect all traffic to a compromised domain to a server managed by the attacker.

The surest way to avoid vulnerability is to turn off recursion. IANA says: “Authoritative name servers should never be configured to provide recursive name service.”

Alternatively, a method known as source port randomization can make the risk of being compromised by the Kaminsky exploit so small it’s barely a threat at all.

The IANA tool reports that four of the top 100 brands have at least one “highly vulnerable” authoritative name server that has recursion enabled and no source port randomization.

The other eight “vulnerable” domains were identified as running on at least one authoritative server that had recursion turned on and source port randomization enabled.

I’m not an expert, but I don’t believe this second category of companies has a great deal to worry about in terms of Kaminsky.

I picked the Deloitte brand list for this experiment because it is the list of brands Deloitte believes require the most trademark protection under ICANN’s new TLD process.

.CO Internet is already using the list during its sunrise period for the .co domain.

Michele Neylon of Blacknight has found some more vulnerable servers over here.

Root DNSSEC push delayed two weeks

Kevin Murphy, May 18, 2010, Domain Tech

The final rollout of DNSSEC to the internet’s root servers, a major security upgrade for the domain name system, has been pushed back two weeks to July 15.

ICANN’s DNS director Joe Abley said in an update on root-dnssec.org and in email to the dns-ops mailing list:

The schedule change is intended to allow ICANN and VeriSign an additional two weeks for further analysis of the DURZ rollout, to finalise testing and best ensure the secure, stable and resilient implementation of the root DNSSEC production processes and systems.

The Deliberately-Unvalidatable Root Zone is a way for the root operators to test how normal DNS resolution copes with fatter DNSSEC responses coming from the root, before worrying about issues concerning DNSSEC validation itself.

The DURZ has been cautiously rolled out over the last few months and has been operational across all 13 root servers since May 5.

The original plan called for the roots to become validatable following a key signing ceremony on July 1

The schedule change from ICANN also comes with a notice that the US government will be asking for public comment before the decision is made to properly sign the root.

Prior to 2010-07-15 the U.S. Department of Commerce (DoC) will issue a public notice announcing the publication of the joint ICANN-VeriSign testing and evaluation report as well as the intent to proceed with the final stage of DNSSEC deployment. As part of this notice the DoC will include a public review and comment period prior to taking any action.

I may be just a little forgetful, but I can’t remember hearing about this Commerce involvement before.

Still, DNSSEC is a big change, so there’s nothing wrong with more of the softly-softly approach.

Crypto legend Diffie joins ICANN

Kevin Murphy, May 16, 2010, Domain Tech

Whitfield Diffie, one of the fathers of modern cryptography, has been hired by ICANN as its new vice president for information security and cryptography.

ICANN said Diffie, who was Sun Microsystems’ chief security officer until last November, will advise ICANN “in the design, development and implementation of security methods” for its networks.

Diffie, along with his colleague Martin Hellman, basically invented the first method of securely exchanging cryptographic keys over insecure networks, in the 1970s.

The coup comes at an appropriate time for ICANN, which intends to start signing the internet’s DNS root servers with DNSSEC security keys on July 1.

Diffie will no doubt be pushed front-and-center for the photo ops during the first signing ceremony.

Google Translate turns ccTLDs into .com

Kevin Murphy, May 12, 2010, Domain Tech

I’ve found Google Translate an invaluable tool for researching overseas news stories, but it’s a pain in the neck for reading about domain names in foreign languages.

The service seems to have developed the habit of turning all freestanding ccTLDs into “.com”.

For an example, head over to Norid and turn on Norwegian-to-English translation (or, if you don’t have the Google Toolbar, use Google Translate on the web).

Every instance of “.no”, Norway’s country-code domain, is translated into a .com, more specifically “. Com”.

Ditto for German. Translate this story about Denic’s troubles today to see all instances of “.de” translated into “. Com”.

However, the front page of Afnic sees .fr translated to “. Com”, leaving .re, for the Reuinion Islands, untouched.

I should point out that the service leaves domain names alone, so nic.fr is still nic.fr. But you’ve still got to wonder what Google’s designers were thinking.