ISC Blogs

Technology Leadership for the Common Good

“I am relieved.”  That lovely double entendre is what Captain Pike said to Captain Kirk at the end of last summer's most excellent reboot of the Star Trek series. I am likewise relieved to have been relieved of my long-time post as President of ISC by my good friend and long associate Barry Greene. I continue at ISC as Chairman and Chief Scientist, which is the equivalent (to me) of escaping to the candy factory. When ISC was smaller, this was the half of my job I loved most.

Implementing IPv6 is no longer optional

The exhaustion of IPv4 space from IANA is coming as soon as February (yes, next month!) and the reserve held by the RIRs will be running dry shortly thereafter. The ability to provide (and use) IPv6 infrastructure is no longer optional; it is a requirement.

BIND 9: Easier GSS-TKEY configuration

ISC has been working with Tridge from the Samba team to make it easier to configure BIND 9 to use GSS-TKEY. GSS-TKEY is used to allow Windows clients to securely update DNS zones using dynamic DNS, primarily in an Active Directory environment.

These changes may be coming as early as BIND 9.8.0, which is scheduled to be released in late January, 2011. They were proposed and written by the Samba team in order to more easily integrate BIND 9 with Samba 4.

Join The Global Passive DNS (pDNS) Network Today & Gain Effective Tools To Fight Against Cyber Crime

Why contribute passive DNS data to ISC?

ISC - the Public Benefit Company that works to sustain the spirit of the Internet - is expanding the capacity of our Passive DNS System. Passive DNS provides the industry greater insight into how the cyber-criminals are using DNS to violate the Internet.

Changes to BIND 9 development helped catch bugs

Yesterday I blogged about how ISC has been changing our internal development practices for BIND 9. Today, with the release of several security patches, I wanted to talk a bit about how they have helped us already.

Test-driven Development

In many projects, and previously in BIND 9, tests were written after the code was working. This left writing automated tests as an afterthought at best, and meant our tests were not as robust. One common problem was that the test didn’t actually test what we thought it did.

BIND 9 Development at ISC

ISC has begun implementing several methodology changes relating to BIND 9 development. The goal of these changes is to increase our software quality and relevance to you, our customers. Some of these are more internal, but we hope the outcome of these changes is positive and noticed by those outside of ISC.

As with all changes, we’ll get some of it right and some we’ll have to revisit and modify as we learn. We welcome any feedback about where we are now, where you would like us to be, and as we progress along our path.

Standardizing the Severity of Security Vulnerabilities

ISC has recently become aware of a security advisory, CVE-2010-3762 filed against BIND 9 on October 5th 2010. ISC did not request this CVE, nor was it contacted by the submitter prior to its submission.

We believe the reported severity assessment of this CVE to be higher than is realistic. Specifically, because a recursive operator needs to have configured a specific zone to be trusted by adding a trust-anchor statement for it, we believe the impact of this vulnerability to be low.

F-Root Routing: How does it work?

ISC uses an unusual routing configuration for the F-Root name server. While the configuration is relatively easy to understand, it's hard to deduce by looking at the routing tables. We'll explain it here!

The network 192.5.4.0/23 is used for F-Root. The reasons for using this block are historical and unimportant, but the fact that it is a /23 is very important. Looking in the global routing table, you'll find 192.5.4.0/23 routed worldwide; ISC has obtained multiple transit providers for this network to provide excellent access to F-Root.

Taking Back the DNS

Most new domain names are malicious.

I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.

Using the root DNSSEC key in BIND 9 resolvers

To use the signed root zone in DNSSEC validation in your BIND 9 resolvers, you must be running BIND 9.6.2 or higher. Earlier versions do not support the required algorithms to enable validation using the root zone's key. It is strongly recommended you run BIND 9.7 to use the automatic key updating functionality.
