Root DNSSEC push delayed two weeks

Kevin Murphy, May 18, 2010, Domain Tech

The final rollout of DNSSEC to the internet’s root servers, a major security upgrade for the domain name system, has been pushed back two weeks to July 15.

ICANN’s DNS director Joe Abley said in an update on root-dnssec.org and in email to the dns-ops mailing list:

The schedule change is intended to allow ICANN and VeriSign an additional two weeks for further analysis of the DURZ rollout, to finalise testing and best ensure the secure, stable and resilient implementation of the root DNSSEC production processes and systems.

The Deliberately-Unvalidatable Root Zone is a way for the root operators to test how normal DNS resolution copes with fatter DNSSEC responses coming from the root, before worrying about issues concerning DNSSEC validation itself.

The DURZ has been cautiously rolled out over the last few months and has been operational across all 13 root servers since May 5.

The original plan called for the root to become validatable following a key signing ceremony on July 1.

The schedule change from ICANN also comes with a notice that the US government will be asking for public comment before the decision is made to properly sign the root.

Prior to 2010-07-15 the U.S. Department of Commerce (DoC) will issue a public notice announcing the publication of the joint ICANN-VeriSign testing and evaluation report as well as the intent to proceed with the final stage of DNSSEC deployment. As part of this notice the DoC will include a public review and comment period prior to taking any action.

I may be just a little forgetful, but I can’t remember hearing about this Commerce involvement before.

Still, DNSSEC is a big change, so there’s nothing wrong with more of the softly-softly approach.

Crypto legend Diffie joins ICANN

Kevin Murphy, May 16, 2010, Domain Tech

Whitfield Diffie, one of the fathers of modern cryptography, has been hired by ICANN as its new vice president for information security and cryptography.

ICANN said Diffie, who was Sun Microsystems’ chief security officer until last November, will advise ICANN “in the design, development and implementation of security methods” for its networks.

Diffie, along with his colleague Martin Hellman, basically invented the first method of securely exchanging cryptographic keys over insecure networks, in the 1970s.

The coup comes at an appropriate time for ICANN, which intends to start signing the internet’s DNS root servers with DNSSEC security keys on July 1.

Diffie will no doubt be pushed front-and-center for the photo ops during the first signing ceremony.

NeuStar files for patent on DNSSEC hack

Kevin Murphy, March 25, 2010, Domain Tech

NeuStar has applied for a US patent on a stop-gap technology for authenticating DNS queries without the need for DNSSEC.

The application, published today, describes a system of securing the DNS connection between authoritative name servers and recursive servers belonging to ISPs.

It appears to cover the technology underlying Cache Defender, a service it started offering via its UltraDNS brand last July.

It was created to prevent the kind of man-in-the-middle attacks permitted by the 2008 Kaminsky exploit, which let attackers poison recursive caches, redirecting users to phoney web sites.

The DNSSEC standard calls for DNS traffic to be digitally signed and was designed to significantly mitigate this kind of attack, but it has yet to be widely deployed.

Some ccTLDs are already signed, but gTLD users will have to wait until at least this summer. The .org zone will be signed in June and ICANN will sign the root in July but .com will not be signed until next year.

While Kaminsky’s vulnerability has been broadly patched, brute-force attacks are still possible, according to an ISP’s experience cited in the patent filing.

“The patch that experts previously believed would provide enough time to get DNSSEC deployed literally provided the industry just a few extra weeks,” it reads.

Secure64 offers DNSSEC for $20k

Kevin Murphy, March 17, 2010, Domain Tech

Secure64 Software has released a budget version of its DNS signing software, Secure64 DNS Signer.

The $19,995 package promises to automate DNSSEC key generation, management, and zone signing. It’s compatible with BIND, Windows and NSD.

While Secure64 is currently targeting smaller government agencies, due to the security mandates they have to abide by, I expect these types of products to pick up enterprise traction over the next few years.

Deploying DNSSEC is hard, but pretty soon it will be a must-have. With root signing currently set for July, and .com signing due in less than a year, Secure64 will probably do pretty well when enterprises start asking for more secure DNS.