Blogs

  • Benchmarking DNS Reliably on Multi-core Systems

    Introduction As part of an ongoing study into DNS server performance, we wanted to establish a baseline figure for the absolute maximum throughput that can be achieved using standard APIs.  To this end we have developed a tiny DNS server that does nothing except echo the received packet back to the client, albeit with the “QR” bit flipped to indicate

    Read more
    0
  • How Facebook is using Kea in the datacenter

      Angelo Failla, Production Engineer, Facebook Why did Facebook need a new DHCP solution? We use dhcp for provisioning servers in our production datacenters. We use it both for bare metal provisioning, (to install the operating system) and to assign addresses to the out of band management interfaces. Our old system was based on ISC dhcpd and static configuration files generated

    Read more
    0
  • CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating

    An attacker who can cause a validating resolver to query a zone containing specifically constructed contents can cause that resolver to fail an assertion and terminate due to a defect in validation code. The Knowledge Base article https://kb.isc.org/article/AA-01267 is the complete and official security advisory document. What is posted below is a snapshot of that document.   CVE: CVE-2015-4620 Document Version:  2.0 Posting

    Read more
    0
  • Partial EDNS compliance hampers deployment of new DNS features

    We at ISC want to encourage networking people around the Internet to focus attention for a few minutes on an obscure topic, EDNS compliance. EDNS is currently supported on better than 90% of all DNS servers ISC surveyed recently (research report). The percentage of DNS servers on the Internet that support EDNS drops significantly from 90% with some support, to 60 - 85% when you look at full compliance. As we add more applications that rely on EDNS, partial compliance can end up resulting in failures with increasingly significant impact. We cannot deploy DNS Cookies today without...

    Read more
    0
    0
  • Decommissioning the DLV

    The ISC DLV Registry has been available since 2006, and ISC has been happy to provide the service. However, due to the great progress that native DNSSEC has made, we have decided that it is time to wind down the project. If you have a zone already in DLV that could validate properly to the Root, we'd like you to remove it from DLV.

    Read more
    2
    1
  • Refinements to EDNS fallback behavior can cause different outcomes in Recursive Servers

    Recursive DNS Servers administrators have for many years been advised to ensure that both the servers that they are running and the network environments wherein those servers reside are RFC-compliant. This is to ensure the best possible outcome when handling client queries. While some older DNS implementations and/or mis-configured servers still fail to adhere to current standards, there are two

    Read more
    2
  • ISC Network Operations Report for 2014

    ISC’s Public Benefit network services are: F-Root; SNS-PB, a subsidized anycasted DNS infrastructure for non-profits; Hosted@, subsidized hosting for non-profit projects at our Redwood City location; a municipal network connecting a number of local cities and non-profits to the Internet, and dlv.isc.org, a DNSSEC Look-Aside Validation service.   Network Infrastructure We maintain approximately 2768 peering sessions across our infrastructure, more if you count

    Read more
    1
  • ISC Retrospective on 2014 Open Source work

    Most of our work at ISC falls into one of two major project categories: open source development and network services. We will review our 2014 accomplishments in network services in a separate post. In 2014 we did a solid job of maintaining our primary open source projects, BIND 9 and ISC DHCP.  We fixed more bugs in 2014 than were discovered or reported in 2014

    Read more
    1
    0
  • New code signing key for 2015-2017

    Beginning with the start of 2015, ISC is introducing a new PGP signing key which will be used to verify the authenticity of BIND and DHCP source downloaded from ISC.  This replaces the current key, which is expiring. The old key for codesign@isc.org, with key ID 45AC7857189CDBC5, was created in 2013 with an expiration date of 31 January, 2015, a date that is fast approaching. It

    Read more
    0
  • Important Security Advisory Posted

    We have today posted updated versions of 9.9.6 and 9.10.1 to address a significant security vulnerability in DNS resolution. The flaw was discovered by Florian Maury of ANSSI, and applies to any recursive resolver that does not support a limit on the number of recursions. , A flaw in delegation handling could be exploited to put named into

    Read more
    0
    0
  • ISC is now offering Advance Security Notification for Unbound and NSD

    ISC has signed a memo of understanding with NLnet Labs, makers of Unbound and NSD, to collaborate in providing support to users of our DNS software. NSD is a popular alternative to BIND for authoritative DNS services, and Unbound is a high-performance recursive resolver. As a first step in this collaboration, ISC is now selling advance security notification of vulnerabilities

    Read more
    0
    0
  • ICANN 51: Accountability for F-root operations

    ISC has operated F-Root, one of the world’s thirteen root name servers, since 1994. We have this service deployed around the world in 55 locations to offer fast, reliable access even in otherwise underserved parts of the world. We have well over a thousand peers. F-Root is supported with the help of multi-year donations in kind from many service providers and other

    Read more
    0
    0

Last modified: November 1, 2016 at 1:25 pm