The hard work of deploying DNSSEC is well underway:  Registries are signing top-level zones, the Internet Systems Consortium and various vendors, including Infoblox, are simplifying the task of signing and managing a secure zone.  Even though widespread adoption of DNSSEC is some way off, it’s natural to wonder what’s next.

My bet is on IPv6.

Read more...

Whenever seismic activity picks up somewhere in the world, our local press here in California like to point out that we’re overdue for The Big One.  They cite how frequently, on average, large earthquakes occur on the various faults that we cross on our daily commutes and note that it’s been many times that long since those faults have experienced a major tremor.  Then they cut to footage of the aftermath of the Northridge or Loma Prieta earthquake or the movie “2012” and remind you to stock up on canned food, drinking water and ammunition.  Sensationalist, sure, but relatively tame when compared with most of the fear mongering they use to try to boost ratings.

I’m waiting for The Big One to strike the Internet.

Over the past several years, we’ve seen some large Distributed Denial of Service attacks against Internet infrastructure, including DNS.  In fact, as recently as August 6^th, the DNS hosting provider DNS Made Easy was hit with a DDoS attack that they estimated at “over 50 Gbps.”

Read more...

In the last few weeks, we passed two more important milestones in the deployment of DNSSEC:  the signing of the root zone and the .edu zone.  The root zone was signed July 15^th, and the .edu zone was signed on August 2^nd.

Read more...

I’ve been eagerly awaiting the release of “Restrepo,” a documentary about American soldiers fighting in Afghanistan.  The reviews have been glowing, likening it to a real-life version of “The Hurt Locker,” which I thought was excellent.  (I began to say that I really enjoyed it, but it’s more accurate to say that I’m very glad I saw it.)  “Restrepo” was co-directed by Sebastian Junger, which got me thinking about “A Perfect Storm,” a similarly painful-to-watch movie (Junger wrote the book).

Which is the long way of explaining why I was thinking of perfect storms recently.  The “perfect storm” of the title is caused by a confluence of weather conditions, and I think we’re looking at similar conditions on the Internet, specifically in the world of DNS.

I’ve spoken and written before about the additional administrative burden imposed by DNSSEC, and the imperative for vendors like Infoblox to provide better tools for managing signing and validation.  I’ve talked less, though, about the inevitability of IPv6 and the proliferation of IP-speaking devices in our lives.

Read more...

The Domain Name System was originally used as the Internet’s naming service—that much isn’t contentious.  Over the years, though, clever people have found all sorts of new applications for DNS.  DNS’s ubiquity, distributed management and (relatively) easy extensibility made it an obvious target for new uses, including blacklists of various types, storage of email authentication and authorization data, and more.  Much more.

One of these novel applications of DNS is its use to enhance client security.  David Ulevitch and his gang at OpenDNS are pioneers in this area:  Their service can restrict access to content by domain name, so that if one of your employees or students tries to visit http://www.hotmamas.com/, they’re directed to a page that says, in effect, tsk, tsk, no you don’t.  (Note to Infoblox IT:  I loaded that URL solely to make sure I wasn’t leading users somewhere unsavory—please don’t have me fired.)  Or if malware on your computer tries to surreptitiously resolve the domain name of its command-and-control channel to an IP address to ask SMERSH headquarters for orders, OpenDNS can prevent it and alert you or the administrator of your network that your computer has been infected.  Very handy.

Read more...