Latest news of the domain name industry

I-Root yanks Beijing node

Kevin Murphy, March 31, 2010, Domain Tech

Autonomica, which runs i.root-servers.net, has stopped advertising its Anycast node in Beijing, after reports last week that its responses were being tampered with.

In the light of recent tensions between China and the US, people got a bit nervous after the Chilean ccTLD manager reported some “odd behaviour” to the dns-ops mailing list last week.

It seemed that DNS lookups for Facebook, Twitter and YouTube were being censored as they returned from I-Root’s node in China, which is hosted by CNNIC.

There was no suggestion that Autonomica was complicit in any censorship, and chief executive Karl Erik Lindqvist has now confirmed as much.

“Netnod/Autonomica is 100% committed to serving the root zone DNS data as published by the IANA. We have made a clear and public declaration of this, and we guarantee that the responses sent out by any i.root-servers.net instance consist of the appropriate data in the IANA root zone,” he wrote.

While Lindqvist is not explicit, the suggestion seems to be that somebody on the Chinese internet not associated with I-Root has been messing with DNS queries as they pass across the network.

This is believed to be common practice in China, whose citizens are subject to strict censorship, but any such activity outside its borders obviously represents a threat to the internet’s reliability.

The CNNIC node is offline until further notice.

NeuStar files for patent on DNSSEC hack

Kevin Murphy, March 25, 2010, Domain Tech

NeuStar has applied for a US patent on a stop-gap technology for authenticating DNS queries without the need for DNSSEC.

The application, published today, describes a system of securing the DNS connection between authoritative name servers and recursive servers belonging to ISPs.

It appears to cover the technology underlying Cache Defender, a service it started offering via its UltraDNS brand last July.

It was created to prevent the kind of man-in-the-middle attacks permitted by the 2008 Kaminsky exploit, which let attackers poison recursive caches, redirecting users to phoney web sites.

The DNSSEC standard calls for DNS traffic to be digitally signed and was designed to significantly mitigate this kind of attack, but it has yet to be widely deployed.

Some ccTLDs are already signed, but gTLD users will have to wait until at least this summer. The .org zone will be signed in June and ICANN will sign the root in July but .com will not be signed until next year.

While Kaminsky’s vulnerability has been broadly patched, brute-force attacks are still possible, according to an ISP’s experience cited in the patent filing.

“The patch that experts previously believed would provide enough time to get DNSSEC deployed literally provided the industry just a few extra weeks,” it reads.

Secure64 offers DNSSEC for $20k

Kevin Murphy, March 17, 2010, Domain Tech

Secure64 Software has released a budget version of its DNS signing software, Secure64 DNS Signer.

The $19,995 package promises to automate DNSSEC key generation, management, and zone signing. It’s compatible with BIND, Windows and NSD.

While Secure64 is currently targeting smaller government agencies, due to the security mandates they have to abide by, I expect these types of products to pick up enterprise traction over the next few years.

Deploying DNSSEC is hard, but pretty soon it will be a must-have. With root signing currently set for July, and .com signing due in less than a year, Secure64 will probably do pretty well when enterprises start asking for more secure DNS.

Maybe we should go back to .ARPA?

Kevin Murphy, February 27, 2010, Domain Tech

Let’s start at the beginning, shall we?

I registered DomainIncite.com today. In less than an hour, I had a fully functioning web site and email account, and my domain was apparently resolvable pretty much everywhere.

That’s pretty impressive speed. Ten years ago, it could have taken 24 hours to achieve the same result.

Care to guess how long it would have taken 25 years ago?