Blogs

  • BIND 9.7.2 and automatic DNSSEC signing

    BIND 9.7.0 introduced automatic in-server signature refreshing and automatic key rollover. This allows BIND 9.7, if provided with the DNSSEC private key files, to sign records as they are added to the zone, or as the signatures need to be refreshed. This refresh happens periodically to spread out the load on the server and to even out zone transfer load.

  • Open source *more* secure?

    I seem to read all the time that open source projects must be less secure, since the bad guys can look through the source code to find vulnerabilities. I was pleased to see an article today that takes the point of view that security through obscurity is not the right direction and that open source projects can be more secure than competing

  • Imminent Death of Internet Predicted. Film at 11.

    The press seems to love stories of doom and gloom. And for almost as long as the Internet has been around, there have been dire predictions of some resource exhaustion, success disaster or security flaw that will destroy the internet. And who is the villain in this week’s piece? DNSSEC and the signing of all the root servers. While I

  • DNSSEC Readiness

    DNSSEC is coming. Is your organization ready? The DNS community is buzzing with activity around the implementation of the DNS Security Extension, DNSSEC. In simple terms, DNSSEC provides a “chain of trust” within the DNS hierarchy and the authentication of DNS responses. Once deployed across the DNS, DNSSEC will render the infamous man-in-the-middle attack a thing of the past. But

  • DNS/BIND Canards, Redux

    In this interview we see yet another attempt by a technology executive to discredit all roads that do not lead to their products and services. Since in this case the creative pot shots are aimed at my company’s products and services, and since this is far from the first time these canards have been trotted out, I’ve decided to respond

  • Why SQLite3?

    There have been some questions about why BIND 10’s first milestone release only supports SQLite3 for storing zone information. I hope I can answer some of the questions by explaining how and why we came to this decision. Part of the decision was a simple matter of time. We knew we would only have resources to implement a single data

  • DNSSEC Transitions and the Signing of ARPA

    2010 is shaping up to be a banner year in at least two areas: major steps toward the deployment of DNSSEC, and discoveries of operational snags affecting the deployment of DNSSEC. An example of the former took place on March 25, when it was announced that the ARPA TLD had been signed. ARPA contains the sub-zones in-addr.arpa and ip6.arpa, which

  • BIND 10 and Unit Testing

    The past few months, the BIND 10 developers have been using a test-driven development model. As classes and functions are coded, corresponding unit tests are also coded to help verify the routines do what is expected — with good or bad input providing correct results. Sometimes the unit tests are written before the new code or the tests are written

  • Surprise bugs and release schedules

    I know this won’t be a shock to anyone, but software has bugs. Sometimes they are discovered and have little real impact — perhaps a few lines of code change and are easily tested. Ideally they occur early in a release cycle so they don’t really affect much. Most of the time these are minor and are easily put into

  • The Signed Root Is Coming! (And what this means for you)

    In the Fall of 2009, the organizations responsible for generating the root zone, ICANN, Verisign, and the US Department of Commerce, announced that they had come to an agreement on how to sign the root zone with DNSSEC (DNS Security Extensions). A website has been created by ICANN and Verisign to provide information about the change and a rollout timeline.

  • Why is ISC a not-for-profit?

    I was asked recently, “why is ISC a not-for-profit?” Apparently we walk like a for-profit and we quack like a for-profit but we are in fact not for-profit. Most companies with a strong brand like ours have shareholders. Why not ISC? Primarily because the infrastructure we’re responsible for — BIND, F-root, our network — has to be kept in

  • ASN Collisions and Human Error

    There is nothing more sensational than the unexpected, and when the NANOG (North American Network Operators Group) community was recently informed that an ASN collision had occurred it caused a lot of people to sit up and take notice. This event was also very interesting in that researching takes us back to a time before ARIN and RIPE existed, creating


Last modified: November 1, 2016 at 1:25 pm