Blog entries for "dnssec"

DNSSEC Readiness

DNSSEC is coming. Is your organization ready?

The DNS community is buzzing with activity around the implementation of the DNS Security Extensions (DNSSEC). In simple terms, DNSSEC provides a "chain of trust" within the DNS hierarchy and authenticates DNS responses. Once deployed across the DNS, DNSSEC will render the infamous man-in-the-middle attack a thing of the past.

DNSSEC Transitions and the Signing of ARPA

2010 is shaping up to be a banner year in at least two areas: major steps toward the deployment of DNSSEC, and discoveries of operational snags affecting the deployment of DNSSEC.

An example of the former took place on March 25, when it was announced that the ARPA TLD had been signed. ARPA contains the sub-zones in-addr.arpa and ip6.arpa, which are used for reverse DNS: converting IP addresses to DNS names. It is an essential piece of the DNS infrastructure, and the signing of ARPA makes it possible for reverse lookups to be cryptographically authenticated via DNSSEC.

Unfortunately, an example of the latter took place a short time later.

An analysis on the DNSKEY query storm problem

Summary:

We have developed a patch to the BIND 9 DNSSEC validator to address a recently reported problem: the validator can generate a massive number of DNSSEC-related queries at a high rate when it is configured with a stale trust anchor. This patch suppresses such queries by caching the trust anchor mismatch and temporarily caching other DNSSEC-related responses toward the secure entry point, and should reduce the number of unnecessary queries by 1-2 orders of magnitude. However, the validator periodically (and unsuccessfully) tries to check the validity of the trust anch

Whither DNSCurve?

At the risk of having this blog begin to read like a FAQ, let me begin once again with the words, "folks have been asking me...".  So:

Surprise bugs and release schedules

I know this won’t be a shock to anyone, but software has bugs.

Sometimes they are discovered and have little real impact — perhaps a few lines of code change and are easily tested. Ideally they occur early in a release cycle so they don’t really affect much. Most of the time these are minor and are easily put into a release at any point.

The Signed Root Is Coming! (And what this means for you)

In the Fall of 2009, the organizations responsible for generating the root zone (ICANN, Verisign, and the US Department of Commerce) announced that they had come to an agreement on how to sign the root zone with DNSSEC (DNS Security Extensions). A website has been created by ICANN and Verisign to provide information about the change and a rollout timeline.