DNSSEC NEWSFLASH
Wednesday, April 22, 2009
ISC Starts Development Work on BIND 10
Thursday, April 9, 2009
NeuStar UltraDNS Downs Amazon, SalesForce, Petco
NeuStar is a leading provider of high-availability DNS services to e-retailers including J.Jill and Diamond.com as well as high-tech companies such as Oracle and Juniper. Competitor Dynamic Network Services blogged about the UltraDNS outage earlier today, asserting that it affected Amazon.com, SalesForce.com, advertising.com and Petco.com.
NeuStar has been a leader in the push to deploy security extensions to the DNS infrastructure through an emerging standard dubbed DNSSEC. However, DNSSEC doesn’t address the problem of denial-of-service attacks. Instead, DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. Denial-of-service attacks, on the other hand, occur when a hacker disables a Web site by flooding it with bogus requests, usually sent from a bot network.
Friday, April 3, 2009
What to Ask Vendors About DNSSEC?
The Basics:
Does it do DNSSEC according to the most recent RFCs (RFC 4033, 4034, and 4035)?
Do your products have FIPS 140 certification?
Does it generate keys of the appropriate size (2048-bit RSA/SHA-1)?
Can the product be used to manage key material?
Can the product generate both NSEC and NSEC3 signed zones?
Can I sign/serve/manage multiple zones using this product?
The Not-So-Basics:
Does it integrate with
Does it work in your network infrastructure?
Does it work with MS Active Directory/your DHCP server of choice?
Can you use an HSM for key management with your product?
How do you update zone data using your product?
What about logging/debugging tools?
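One way to check a vendor's answers to the key-size and NSEC3 questions yourself is to inspect the DNSKEY records the product publishes. The Python below is an added example, not code from this blog or from any vendor: it parses a presentation-format DNSKEY line (RFC 4034, with the RFC 3110 RSA key layout) and reports the algorithm, key role and modulus size. The function names, the `example.test.` owner name and the sample records are constructed for illustration.

```python
import base64

# IANA DNSSEC algorithm numbers for the RSA family (RFC 4034, RFC 5155, RFC 5702).
RSA_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

def parse_dnskey(record):
    """Parse one presentation-format DNSKEY line into a dict of audit fields."""
    fields = record.split()
    i = fields.index("DNSKEY")
    flags, protocol, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split by spaces
    info = {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": RSA_ALGS.get(alg, f"alg-{alg}"),
            "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit marks a KSK
            "rsa_bits": None}
    if alg in RSA_ALGS:
        # RFC 3110: 1-octet exponent length, or 0 followed by a 2-octet length.
        if key[0] == 0:
            elen, off = int.from_bytes(key[1:3], "big"), 3
        else:
            elen, off = key[0], 1
        modulus = key[off + elen:]
        info["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
    return info

def audit(record, min_bits=2048):
    """Return a list of findings; an empty list means the key passes."""
    k = parse_dnskey(record)
    findings = []
    if k["protocol"] != 3:
        findings.append("protocol field must be 3")
    if k["rsa_bits"] is None:
        findings.append(f"not an RSA key ({k['algorithm']})")
    elif k["rsa_bits"] < min_bits:
        findings.append(f"{k['rsa_bits']}-bit modulus is below {min_bits}")
    return findings

def make_sample(bits, flags=257, alg=5):
    """Constructed test record: the modulus is filler bytes, not a usable key."""
    modulus = b"\xc1" + bytes(i % 251 for i in range(bits // 8 - 1))
    rdata = b"\x03\x01\x00\x01" + modulus  # exponent length 3, e = 65537
    return f"example.test. 3600 IN DNSKEY {flags} 3 {alg} " + base64.b64encode(rdata).decode()

if __name__ == "__main__":
    for rec in (make_sample(2048), make_sample(1024, flags=256, alg=7)):
        print(parse_dnskey(rec), audit(rec))
```

Algorithm 7 (RSASHA1-NSEC3-SHA1) in a zone's DNSKEY set is the RFC 5155 signal that the zone may be signed with NSEC3 rather than NSEC.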
Thursday, April 2, 2009
FISMA Requires DNSSEC on Internal Networks
If you work for a federal agency, you are probably aware of the OMB mandate that requires you to deploy DNSSEC on your external DNS by December 2009. Think you are out of the DNSSEC woods at that point? Think again.
According to a presentation at the recent GovSec conference by Doug Montgomery, manager of the Internet Technologies Research Group at NIST, agencies should also be planning how they are going to sign their internal DNS. Why? Because revision 3 of NIST SP 800-53 says they must.
This new revision of the NIST document prescribes DNSSEC deployment for all federal IT systems (low, medium and high impact), which, of course, includes internal DNS systems. Once the initial draft of this document is finalized, which is expected to happen in May 2009, agencies will have one year to comply.
During the same DNSSEC session at GovSec, Susan Lightman of the Office of Management and Budget also indicated that OMB would begin conducting spot checks of agencies’ DNSSEC deployment progress beginning in May or June of this year.
Source: Notify: The Latest in DNS News - April 2009, Secure64, Retrieved on 04/02/09 from secure64.com/page.asp?id=209