Blogs

  • Using the root DNSSEC key in BIND 9 resolvers

    To use the signed root zone in DNSSEC validation in your BIND 9 resolvers, you must be running BIND 9.6.2 or higher. Earlier versions do not support the required algorithms to enable validation using the root zone’s key. It is strongly recommended you run BIND 9.7 to use the automatic key updating functionality. The recommended procedure to use differs for

  • What’s happening with DLV?

    Now that the root zone has been officially signed, what happens with ISC’s DNSSEC Look-aside Validation Registry? The short answer is, it gets smaller, but does not go away, at least not today. While having the root signed is a critically important step in the DNSSEC deployment effort, it is not the final step. It’s the one that enables a

  • Backwards compatibility issues in BIND 9.7.0 and 9.7.1

    ISC has announced that there were some backwards compatibility problems in the 9.7.1 release. Here is a bit more information on the topic. These problems were also in 9.7.0. The first issue was a problem in how those versions of BIND 9 processed certain formats of negative responses. In particular, BIND 9’s internal logic expected certain records to be present

  • Towards a DNSCERT Definition

    To mix metaphors, my e-mail has been ringing off the hook after my previous article (“Perspectives on a DNS-CERT”) and I’ve had to think deep and difficult thoughts about what we really mean by DNSCERT, and whether DNS-OARC really has the capability or really can grow the capability to operate such a thing. I’ve had some discussions with ICANN and

  • BIND 9.7.2 and automatic DNSSEC signing

    BIND 9.7.0 introduced automatic in-server signature refreshing and automatic key rollover. This allows BIND 9.7, if provided with the DNSSEC private key files, to sign records as they are added to the zone, or as the signatures need to be refreshed. This refresh happens periodically to spread out the load on the server and to even out zone transfer load.

  • Open source *more* secure?

    I seem to read all the time that open source projects must be less secure, since the bad guys can look through the source code to find vulnerabilities. I was pleased to see an article today that takes the point of view that security through obscurity is not the right direction and that open source projects can be more secure than competing

  • Imminent Death of Internet Predicted. Film at 11.

    The press seems to love stories of doom and gloom. And for almost as long as the Internet has been around, there have been dire predictions of some resource exhaustion, success disaster or security flaw that will destroy the internet. And who is the villain in this week’s piece? DNSSEC and the signing of all the root servers. While I

  • DNSSEC Readiness

    DNSSEC is coming. Is your organization ready? The DNS community is buzzing with activity around the implementation of the DNS Security Extension, DNSSEC. In simple terms, DNSSEC provides a “chain of trust” within the DNS hierarchy and the authentication of DNS responses. Once deployed across the DNS, DNSSEC will render the infamous man-in-the-middle attack a thing of the past. But

  • DNS/BIND Canards, Redux

    In this interview we see yet another attempt by a technology executive to discredit all roads that do not lead to their products and services. Since in this case the creative pot shots are aimed at my company’s products and services, and since this is far from the first time these canards have been trotted out, I’ve decided to respond

  • Why SQLite3?

    There have been some questions about why BIND 10’s first milestone release only supports SQLite3 for storing zone information. I hope I can answer some of the questions by explaining how and why we came to this decision. Part of the decision was a simple matter of time. We knew we would only have resources to implement a single data

  • DNSSEC Transitions and the Signing of ARPA

    2010 is shaping up to be a banner year in at least two areas: major steps toward the deployment of DNSSEC, and discoveries of operational snags affecting the deployment of DNSSEC. An example of the former took place on March 25, when it was announced that the ARPA TLD had been signed. ARPA contains the sub-zones in-addr.arpa and ip6.arpa, which

  • BIND 10 and Unit Testing

    The past few months, the BIND 10 developers have been using a test-driven development model. As classes and functions are coded, corresponding unit tests are also coded to help verify the routines do what is expected — with good or bad input providing correct results. Sometimes the unit tests are written before the new code or the tests are written


Last modified: September 26, 2016 at 6:34 pm