Blogs

  • Decommissioning the DLV

    The ISC DLV Registry has been available since 2006, and ISC has been happy to provide the service. However, due to the great progress that native DNSSEC has made, we have decided that it is time to wind down the project. If you have a zone already in DLV that could validate properly to the Root, we'd like you to remove it from DLV.

    Read more
    2
    1
  • Refinements to EDNS fallback behavior can cause different outcomes in Recursive Servers

    Recursive DNS Servers administrators have for many years been advised to ensure that both the servers that they are running and the network environments wherein those servers reside are RFC-compliant. This is to ensure the best possible outcome when handling client queries. While some older DNS implementations and/or mis-configured servers still fail to adhere to current standards, there are two

    Read more
    2
  • ISC Network Operations Report for 2014

    ISC’s Public Benefit network services are: F-Root; SNS-PB, a subsidized anycasted DNS infrastructure for non-profits; Hosted@, subsidized hosting for non-profit projects at our Redwood City location; a municipal network connecting a number of local cities and non-profits to the Internet, and dlv.isc.org, a DNSSEC Look-Aside Validation service.   Network Infrastructure We maintain approximately 2768 peering sessions across our infrastructure, more if you count

    Read more
    1
  • ISC Retrospective on 2014 Open Source work

    Most of our work at ISC falls into one of two major project categories: open source development and network services. We will review our 2014 accomplishments in network services in a separate post. In 2014 we did a solid job of maintaining our primary open source projects, BIND 9 and ISC DHCP.  We fixed more bugs in 2014 than were discovered or reported in 2014

    Read more
    1
    0
  • New code signing key for 2015-2017

    Beginning with the start of 2015, ISC is introducing a new PGP signing key which will be used to verify the authenticity of BIND and DHCP source downloaded from ISC.  This replaces the current key, which is expiring. The old key for codesign@isc.org, with key ID 45AC7857189CDBC5, was created in 2013 with an expiration date of 31 January, 2015, a date that is fast approaching. It

    Read more
    0
  • Important Security Advisory Posted

    We have today posted updated versions of 9.9.6 and 9.10.1 to address a significant security vulnerability in DNS resolution. The flaw was discovered by Florian Maury of ANSSI, and applies to any recursive resolver that does not support a limit on the number of recursions. , A flaw in delegation handling could be exploited to put named into

    Read more
    0
    0
  • ISC is now offering Advance Security Notification for Unbound and NSD

    ISC has signed a memo of understanding with NLnet Labs, makers of Unbound and NSD, to collaborate in providing support to users of our DNS software. NSD is a popular alternative to BIND for authoritative DNS services, and Unbound is a high-performance recursive resolver. As a first step in this collaboration, ISC is now selling advance security notification of vulnerabilities

    Read more
    0
    0
  • ICANN 51: Accountability for F-root operations

    ISC has operated F-Root, one of the world’s thirteen root name servers, since 1994. We have this service deployed around the world in 55 locations to offer fast, reliable access even in otherwise underserved parts of the world. We have well over a thousand peers. F-Root is supported with the help of multi-year donations in kind from many service providers and other

    Read more
    0
    0
  • ISC’s DHCP client can be used as a delivery vector for bash bug

    Despite reports to the contrary saying that a 2011 change (CVE-2011-0997) to dhclient prevents exploitation of this flaw, ISC has confirmed that the DHCP client provided as a part of ISC DHCP can be used to exploit the bash vulnerability if the operator of a rogue DHCP server passes a specially constructed value as the payload of a DHCP option field.

    Read more
    0
    0
  • Certificate Authority Authorization Records

    Support for the CAA record was added to BIND with the 9.10.1B release, after Rick Andrews of Symantec approached us at an IETF meeting and asked why we didn’t have it already.  Rick is an expert and evangelist for the use of certificates, so we invited Rick to explain why people should use CAA records.   Certificate Authority Authorization (CAA, RFC 6844)

    Read more
    5
    0
  • Public Source Code Repository

    We have had many requests for a public repository to enable users or OS package maintainers to back-port specific fixes, or to cherry pick fixes for a platform release.   We used to provide access to a read-only git as a benefit of BIND- and DHCP-Membership. We ended the BIND and DHCP-Members programs in mid-2013, but we have kept the read-only

    Read more
    0
    0
  • Codenomicon Testing for BIND

    Our users value stability and security above anything else, when it comes to BIND.  Every time we have to issue a security advisory we are inconveniencing thousands of network administrators.  We also know they would rather be informed if there is some way to compromise or crash BIND.  So, when we read that Codenomicon discovered the Heartbleed bug in OpenSSL, we decided to

    Read more
    0
    0

Last modified: September 26, 2016 at 6:34 pm