March 11, 2010


Entries Tagged as 'DNS Security'

DNSSEC vs. DNSCurve

February 27 2010 by Cricket Liu (Infoblox)

With the recent announcement that OpenDNS will support DNSCurve, I've begun hearing more questions about it.  In particular, people wonder whether DNSCurve is a viable alternative to DNSSEC.  They've generally heard that DNSCurve is simpler to set up than DNSSEC and involves less overhead.

Unfortunately, DNSCurve isn't an alternative to DNSSEC - although it could conceivably complement DNSSEC, in ways I'll discuss.

Posted in DNSSEC | DNS Security | 9 comments



Securing DNSSEC's "Last Mile"

February 11 2010 by Cricket Liu (Infoblox)

I feel like at least half of my postings to this blog have been about DNSSEC (and for those of you uninterested in DNSSEC, I'm sorry).  But one DNSSEC-related topic I haven't brought up is the "last mile."

In DNSSEC, the "last mile" refers to communications between the stub resolver and the recursive name server.  The stub resolver is the piece of the Domain Name System that resides on nearly every computer and translates an application's request for data (say the address of www.infoblox.com) into a DNS query, and then sends that query to one or more name servers.  The recursive name server receives a resolver's query, examines its cache for the answer, and if it doesn't find the answer there, may need to send one or more queries to remote name servers.

Posted in DNSSEC | DNS Security | 1 comment



My Predictions for DNS Developments in 2010

December 17 2009 by Cricket Liu (Infoblox)

'Tis the season for new year's predictions, and my blog will be no exception.  Some of these predictions are fairly safe bets, like the signing of the root zone and the introduction of internationalized top-level domains.  Others are more speculative.

Posted in DNSSEC | DNS Security | Internationalized Domain Names | 0 comments



Various Varieties of Vulnerabilities

November 25 2009 by Cricket Liu (Infoblox)

Just yesterday, ISC announced the release of several versions of BIND to address a new vulnerability.  The vulnerability could allow unsigned data to be cached on a recursive name server configured to perform DNSSEC validation.

While that's alarming, it's not a systemic problem with DNSSEC; it's simply a flaw in BIND's implementation of DNSSEC.  (How could it be anything else if it was addressed by releasing new versions?)  Implementations of the latest incarnation of DNSSEC are still relatively new, so it should come as no surprise that we're still finding flaws.  (I'm proud to say that this particular defect was found by Michael Sinatra, who works for my alma mater, Berkeley.)

Posted in DNSSEC | DNS Security | BIND | 0 comments



Giving Thanks for Good News in DNS

November 19 2009 by Cricket Liu (Infoblox)

Most of the results of our recent DNS Survey were pretty scary, especially the news that nearly 80% of the name servers we found in our sweep of 5% of the Internet's address space were open to recursion.  But the results contained some good news, too, and for that we should be thankful.

Posted in DNSSEC | DNS Security | DNS Survey | 0 comments