Blogs

  • BIND 9: Easier GSS-TKEY configuration

    ISC has been working with Tridge from the Samba team to make it easier to configure BIND 9 to use GSS-TKEY. GSS-TKEY is used to allow Windows clients to securely update DNS zones using dynamic DNS, primarily in an Active Directory environment. These changes may be coming as early as BIND 9.8.0, which is scheduled to be released in late

  • Join The Global Passive DNS (pDNS) Network Today & Gain Effective Tools To Fight Against Cyber Crime

    Why contribute passive DNS data to ISC? ISC – the Public Benefit Company that works to sustain the spirit of the Internet – is expanding the capacity of our Passive DNS System. Passive DNS provides the industry greater insight into how the cyber-criminals are using DNS to violate the Internet. Vetted organizations are invited to join the pDNS network by

  • Changes to BIND 9 development helped catch bugs

    Yesterday I blogged about how ISC has been changing our internal development practices for BIND 9. Today, with the release of several security patches, I wanted to talk a bit on how they have helped us already. Test-driven Development: In many projects, and previously in BIND 9, tests were written after the code was working. This left writing automated tests

  • BIND 9 Development at ISC

    ISC has begun implementing several methodology changes relating to BIND 9 development. The goal of these changes is to increase our software quality and relevance to you, our customers. Some of these are more internal, but we hope the outcome of these changes is that the effects are positive and noticed by those outside of ISC. As with all changes,

  • Standardizing the Severity of Security Vulnerabilities

    Larissa Shapiro, ISC Product Manager. ISC has recently become aware of a security advisory, CVE-2010-3762, filed against BIND 9 on October 5th 2010. ISC did not request this CVE, nor was it contacted by the submitter prior to its submission. We believe the reported severity assessment of this CVE to be higher than is realistic. Specifically, because a recursive operator

  • F-Root Routing: How does it work?

    ISC uses an unusual routing configuration for the F-Root name server. While the configuration is relatively easy to understand, it’s hard to deduce by looking at the routing tables. We’ll explain it here! The network 192.5.4.0/23 is used for F-Root. The reasons for using this block are historical and unimportant, but the fact that it is a /23 is very

  • Taking Back the DNS

    Most new domain names are malicious. I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to

  • Using the root DNSSEC key in BIND 9 resolvers

    To use the signed root zone in DNSSEC validation in your BIND 9 resolvers, you must be running BIND 9.6.2 or higher. Earlier versions do not support the required algorithms to enable validation using the root zone’s key. It is strongly recommended you run BIND 9.7 to use the automatic key updating functionality. The recommended procedure to use differs for

  • What’s happening with DLV?

    Now that the root zone has been officially signed, what happens with ISC’s DNSSEC Look-aside Validation Registry? The short answer is, it gets smaller, but does not go away, at least not today. While having the root signed is a critically important step in the DNSSEC deployment effort, it is not the final step. It’s the one that enables a

  • Backwards compatibility issues in BIND 9.7.0 and 9.7.1

    ISC has announced that there were some backwards compatibility problems in the 9.7.1 release. Here is a bit more information on the topic. These problems were also in 9.7.0. The first issue was a problem in how those versions of BIND 9 processed certain formats of negative responses. In particular, BIND 9’s internal logic expected certain records to be present

  • Towards a DNSCERT Definition

    To mix metaphors, my e-mail has been ringing off the hook after my previous article (“Perspectives on a DNS-CERT”) and I’ve had to think deep and difficult thoughts about what we really mean by DNSCERT, and whether DNS-OARC really has the capability or really can grow the capability to operate such a thing. I’ve had some discussions with ICANN and

  • BIND 9.7.2 and automatic DNSSEC signing

    BIND 9.7.0 introduced automatic in-server signature refreshing and automatic key rollover. This allows BIND 9.7, if provided with the DNSSEC private key files, to sign records as they are added to the zone, or as the signatures need to be refreshed. This refresh happens periodically to spread out the load on the server and to even out zone transfer load.


Last modified: November 1, 2016 at 1:25 pm