February 8, 2010

Quantifying DNSSEC Overhead, Part 2

February 01 2010 by Cricket Liu (Infoblox)

Last time, I compared the number and size of the response messages involved in resolving a record in an unsigned zone to those involved in resolving a record in a signed zone under a signed TLD.  This time, I want to look at the actual computation involved.

This isn't really a comparison, of course, because in the case of an unsigned zone, there's no heavy computing involved:  The name server simply reads responses from the network and unmarshals their content into discrete resource records--simple!  In the case of a signed zone under a signed TLD, there's lots of work to do.

Read more...

Posted in DNSSEC | 4 comments



Quantifying DNSSEC Overhead

January 14 2010 by Cricket Liu (Infoblox)

I realized last week that I'd never actually traced all the queries sent and responses received by a recursive name server resolving a domain name in a zone signed with DNSSEC.  I decided to trace the recursive resolution of an RRset in a signed top-level domain, since I wanted to see the "chain of trust" in action.  I knew .org was signed and figured isc.org (the Internet Systems Consortium's domain) would probably already have a DS (Delegation Signer) record.

Read more...

Posted in DNSSEC | BIND | 13 comments



My Predictions for DNS Developments in 2010

December 17 2009 by Cricket Liu (Infoblox)

'Tis the season for new year's predictions, and my blog will be no exception.  Some of these predictions are fairly safe bets, like the signing of the root zone and the introduction of internationalized top-level domains.  Others are more speculative.

Read more...

Posted in DNSSEC | DNS Security | Internationalized Domain Names | 0 comments



WALSYIB

December 16 2009 by Cricket Liu (Infoblox)

A system administrator I knew at HP Labs, Mike Rodriquez, named his personal workstation "walstib."  Mike explained that it was an acronym for "What A Long, Strange Trip It's Been," which, he said, was a kind of motto among Deadheads.  (I gather it's a line from one of the many indistinguishable Grateful Dead songs.  Sorry, Mike.)

So "WALSYIB" is my acronym for "What A Long, Strange Year It's Been."  (And yes, I realize that I used a similar title for a previous blog post.)  2009 was a productive year:  We made more progress in deploying DNSSEC in the last 12 months than in the previous 10 years.  But we saw more attacks on DNS infrastructure, including cache poisoning attacks in the wild.  And we saw the discovery (and subsequent patching) of more vulnerabilities in BIND.

Read more...

Posted in DNSSEC | DNS Survey | 0 comments



On Neustar's DNS Real-time Directory

December 14 2009 by Cricket Liu (Infoblox)

Last week, Neustar announced an interesting new feature to their zone hosting service, called the DNS Real-time Directory.  In an effort to address some of the shortcomings of DNS's loose coherence, Neustar is publishing changes to the zones they host on their constellation of authoritative name servers through Amazon's EC2 service.  Subscribers, including OpenDNS, are notified of those changes and can remove outdated resource records from their recursive name servers' caches in response.  This would help avoid the recent mess caused by the accidental appending of an extra ".SE" to domain names in Sweden's .SE zone:  While the problem was fixed on the authoritative name servers right away, the operational effects lingered for up to a day--the TTL on resource records in the .SE zone, and hence the maximum time recursive name servers would cache the bogus records.


Read more...

Posted in | 1 comment