In the last few weeks, we passed two more important milestones in the deployment of DNSSEC:  the signing of the root zone and the .edu zone.  The root zone was signed July 15^th, and the .edu zone was signed on August 2^nd.

Read more...

I’ve been eagerly awaiting the release of “Restrepo,” a documentary about American soldiers fighting in Afghanistan.  The reviews have been glowing, likening it to a real-life version of “The Hurt Locker,” which I thought was excellent.  (I began to say that I really enjoyed it, but it’s more accurate to say that I’m very glad I saw it.)  “Restrepo” was co-directed by Sebastian Junger, which got me thinking about “A Perfect Storm,” a similarly painful-to-watch movie (Junger wrote the book).

Which is the long way of explaining why I was thinking of perfect storms recently.  The “perfect storm” of the title is caused by a confluence of weather conditions, and I think we’re looking at similar conditions on the Internet, specifically in the world of DNS.

I’ve spoken and written before about the additional administrative burden imposed by DNSSEC, and the imperative for vendors like Infoblox to provide better tools for managing signing and validation.  I’ve talked less, though, about the inevitability of IPv6 and the proliferation of IP-speaking devices in our lives.

Read more...

Waaaay back when I ran hp.com, I had what I only now realize was an enviable position:  I was HP’s hostmaster (the somewhat-ceremonial title given to the person responsible for a zone) but not much else.  I dabbled in NTP and ran a big mail relay, but the bulk of my responsibility was DNS.  From when I got to work in the morning to when I left in the evening, I could concentrate on DNS.

At the time, I didn’t realize what a luxury that was.  I figured every big company probably had a person dedicated to DNS.  And in those days, some did. Partly, this was because we hostmasters could get away with it.  DNS was such a black art that you could simply assert that it took up most of your time and your management wouldn’t know any better.

How the times have changed.  I’ve had the opportunity to meet the folks responsible for DNS at many big companies, but I hesitate to call them “hostmasters”—not because they don’t deserve the customary title, but because it sells them short.  These people run routers, switches, firewalls, mail servers, and more.  Almost no one has the luxury of specializing in DNS any more.  The economic climate dictates that we all take on more responsibilities to make our employers more competitive.

Read more...

A few weeks ago, Mauricio Vergara Ereche, who in addition to having a very cool-sounding name works for Chile's NIC, noticed that queries to one of the root name servers were returning odd answers.  In particular, queries he sent to i.root-servers.net for domain names like www.facebook.com were being answered not with referrals to the com name servers, as you'd expect, but with an address record for www.facebook.com.  Unfortunately, that address record wasn't correct; it led nowhere.

Further probing determined that it was queries sent to the instance of i.root-servers.net in Beijing that were being answered bogusly.  And it wasn't i.root-servers.net that was behaving badly:  Kurt Erik Lindqvist, the CEO of Netnod, which helps coordinate i.root-servers.net's operation, as well as Xiaodong Lee, CTO of CNNIC, China's NIC, which hosts the Chinese i.root-servers.net, both denied having anything to do with the mischief.  Instead, the working theory is that China's government is intercepting the queries and forging the bogus responses, partly to keep ordinary Chinese citizens from Harmful Western Imperialist Influences like Facebook (and of course FarmVille).

Read more...

Read more...