

Tuesday, December 16, 2008

The Report on "Securing Cyberspace for the 44th Presidency"

A report "Securing Cyberspace for the 44th Presidency" has just been released.

The CSIS Commission on Cybersecurity for the 44th Presidency has released its final report, "Securing Cyberspace for the 44th Presidency." The Commission’s three major findings are:

1. Cybersecurity is now one of the major national security problems facing the United States;
2. Decisions and actions must respect American values related to privacy and civil liberties; and
3. Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.

Source: Securing Cyberspace for the 44th Presidency, Retrieved on 12/17/2008 from

"The discussion of using Federal market powers to "remedy the lack of demand for secure protocols" is too terse, perhaps by intent. As I read that section (p. 58), it is calling for BGP and DNS security. These are indeed important, and were called out by name in the 2002 National Strategy to Secure Cyberspace. However, I fear that simply saying that the Federal government should only buy Internet services from ISPs that support these will do too little. DNSSEC to protect .gov and .mil does not require ISP involvement; in fact, the process is already underway within the government itself."


Steven Bellovin, The Report on "Securing Cyberspace for the 44th Presidency", Retrieved from on Dec 15, 2008

Identify and Mitigate Windows DNS Threats

Two weeks ago we took a look at what you need to do to prepare for a Windows DNS deployment, and how to blend Unix-based DNS with your Active Directory (AD) structure. This week we're back to consider several threats you need to be aware of, and steps you need to take to protect your Windows-based DNS servers and network.

Footprinting, for instance, is a case where an attacker obtains information about your DNS zones and your network via zone transfer.

Zone transfers are preventable at the firewall and routers on the perimeter of your network. DNS client queries are transmitted on UDP port 53, and TCP port 53 is used for zone transfers. Zone transfers outside of the protected network (outside your firewall) via TCP port 53 should be avoided.
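As an added example (not code from the article excerpted above), the following Python sweep flags AXFR/IXFR requests from hosts other than the authorised secondaries, which is the footprinting pattern described above. The one-line-per-query log layout, the 10.0.0.0/8 internal range and the secondary address 10.1.0.10 are constructed assumptions, not the real Windows DNS debug-log format.

```python
"""Flag zone-transfer (AXFR/IXFR) requests that violate a transfer policy."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample log; assumed layout: "<timestamp> <client_ip> <proto> <qtype> <name>".
SAMPLE_LOG = """\
2008-12-16T10:01:02 10.1.2.3 UDP A www.example.com
2008-12-16T10:01:05 10.1.0.10 TCP AXFR example.com
2008-12-16T10:02:17 203.0.113.45 TCP AXFR example.com
2008-12-16T10:02:18 203.0.113.45 TCP IXFR example.com
2008-12-16T10:03:00 198.51.100.7 UDP MX example.com
2008-12-16T10:04:41 10.1.2.3 TCP AXFR example.com
"""

# Assumed policy: only this secondary may pull the zone; everything else is an alert.
AUTHORIZED_SECONDARIES = {ipaddress.ip_address("10.1.0.10")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRANSFER_TYPES = {"AXFR", "IXFR"}


class Query(NamedTuple):
    ts: str
    client: IPAddr
    proto: str
    qtype: str
    name: str


def parse_line(line: str) -> Optional[Query]:
    """Parse one log line; return None for malformed lines instead of aborting the sweep."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, ip, proto, qtype, name = parts
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return Query(ts, addr, proto.upper(), qtype.upper(), name.lower())


def classify(q: Query) -> Optional[str]:
    """Label a transfer request that violates policy; non-transfer queries get None."""
    if q.qtype not in TRANSFER_TYPES or q.client in AUTHORIZED_SECONDARIES:
        return None
    if not any(q.client in net for net in INTERNAL_NETS):
        return "external-zone-transfer"  # footprinting attempt from beyond the perimeter
    return "unauthorized-internal-transfer"


def find_unauthorized_transfers(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, zone, label) for every transfer request the policy rejects."""
    alerts = []
    for line in log_text.splitlines():
        q = parse_line(line)
        label = classify(q) if q else None
        if label:
            alerts.append((str(q.client), q.name, label))
    return alerts
```

Transfer requests that reach the server from outside the firewall are the ones the perimeter rules above should already have blocked, so any "external-zone-transfer" alert is also a signal that the filtering is incomplete.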


Wednesday, December 10, 2008

DNSSEC News: VeriSign, NeuStar and others team on DNS security

Momentum continues to build for rapid deployment of DNS encryption mechanisms.

Seven leading domain name vendors -- representing more than 112 million domain names or 65% of all registered domain names -- have formed an industry coalition to work together to adopt DNS Security Extensions, known as DNSSEC. Members of the DNSSEC Industry Coalition include: VeriSign, which operates the .com and .net registries; NeuStar, which operates the .biz and .us registries; .info operator Afilias Limited; .edu operator EDUCAUSE; and The Public Interest Registry, which operates the .org registry.

DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

The coalition is "a really good and public statement by all of the members that we believe that DNSSEC is vital to securing the stability and trust of the Internet, and we will do everything we can as members to get the technology in place and get our zones signed," says Rodney Joffe, senior vice president and senior technologist for NeuStar.

DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered this summer. It's because of threats such as these that the U.S. government is rolling out DNSSEC across its .gov and .mil domains.

Source: VeriSign, NeuStar and others team on DNS security, Carolyn Duffy Marsan, Network World, 12/09/2008, Retrieved from on 12/10/2008

Saturday, December 6, 2008

DNSSEC Gets Its Own Coalition

"The new coalition will aim to identify and overcome the challenges and make DNSSEC deployment a global reality. One of the key players in the new DNSSEC coalition is VeriSign, the vendor that controls the Internet's root domain servers for the .com and .net domains.

"We firmly believe that DNSSEC is a technology that requires implementation and it solves a specific problem that nothing else solves," Pat Kane, vice president of naming services at VeriSign told

The specific problem in Kane's view is man-in-the-middle cache poisoning attacks like the one discovered by Kaminsky. The basic idea behind the attack is that DNS server responses can be tampered with to redirect end users to different sites, so a user could type in "" and be taken to a phishing site instead. With cryptographically signed DNS information from DNSSEC, a domain name would be validated to ensure authenticity.

For the ISC's Vixie, the real barriers to DNSSEC adoption involve a number of items. For one, he stresses the need to get the root zone signed, including .com, for DNSSEC to function as it was intended. Improving the usability of DNSSEC's tools and implementations is also key. That involves DNS servers like BIND as well as many other Internet ecosystem vendors.

"We need Apple, Red Hat, Microsoft, Ubuntu and all major wireless and wireline ISP's to support DNSSEC validation in their recursive name servers and clients," Vixie said. "And we need the DNS registrars and registries to fully support DNSSEC for all their domain holders, meaning that if a domain holder signs their zones they ought to be able to upload their public keys someplace."

Full article: DNSSEC Gets Its Own Coalition, Sean Michael Kerner, retrieved from on December 5, 2008