

Thursday, December 8, 2011

Introducing DNSCrypt (Preview Release), by OpenDNS

"DNSCrypt and DNSSEC are complementary.  DNSSEC does a number of things.  First, it provides authentication. (Is the DNS record I'm getting a response for coming from the owner of the domain name I'm asking about or has it been tampered with?)  Second, DNSSEC provides a chain of trust to help establish confidence that the answers you're getting are verifiable.  But unfortunately, DNSSEC doesn't actually provide encryption for DNS records, even those signed by DNSSEC.  Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.  
That said, DNSSEC and DNSCrypt can work perfectly together.  They aren't conflicting in any way.  Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records.  There are benefits to DNSSEC that DNSCrypt isn't trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS."

Wednesday, November 30, 2011

DNSSEC Update from ICANN 42 in Dakar

"Perhaps the most encouraging update came from CZ.NIC, the manager of Czech country-code top-level domain .cz, which has been aggressively promoting DNSSEC since 2009. According to CZ.NIC's Ondrej Filip, 17% of domains in the .cz zone are now signed. That's 145,000 domains, making .cz probably the most DNSSEC-saturated zone in both relative and absolute numbers."

circleid (full article)

Thursday, November 24, 2011

The Economist: Accessories after the fact

That risks damaging the internet’s vital internal addressing system, which lets people use words instead of numbers to access websites. It also clashes with DNSSEC (don’t ask), a protocol that America has long championed to increase internet security. Messing with DNSSEC could create loopholes for hackers by allowing rogue websites to pose as legitimate ones. Savvy users (who do the most downloading) will be able to bypass these filters anyway. And the bill’s vague wording leaves open the possibility that American ISPs might have to institute more intrusive forms of filtering, with the costs, performance problems and privacy issues that would inevitably entail.

Sunday, October 23, 2011

P2P DNS – Taking ownership of the internet

"DNS is one of those core technologies on which the internet runs. For most end users, DNS is pretty much invisible until they want to register their first domain for their own websites. At that point, the concept of a domain registrar suddenly pops into view."

Read the entire article here.

Tuesday, September 13, 2011

Finland to launch improved Fi-domain name service

"Finland's telecom regulator Ficora announced that an upgraded fi-domain name service will be launched soon. As a result of the launch process, applying for new fi-domain names or making changes to existing ones will not be possible from 17 September at 8:00hrs until 19 September at 10:00hrs.

The improved fi-domain name service offers users a more user-friendly way of applying for fi-domain names as well as for renewing, terminating and paying for them. At the same time, the system takes into consideration the modern requirements for electronic services better than before. The renewed service introduces the so-called DNSSec support to improve the information security of fi-domain names. The service also contains full IPv6 support, which is critical since it is believed that IPv6 connections will grow strongly in the future as available IPv4 addresses can no longer be assigned.

The improvements in the service contain added information on domain names for different user groups, such as companies, organisations and private persons. The service provides answers to such questions as who is entitled to apply for a domain name, to whom are fi-domain names granted, what can be registered as a domain name, what are domain names used for and the ways in which one can apply for a domain name.

The service has a specific section for service providers who can be authorised to apply for a domain name and assists domain name applicants in matters concerning the name server, server status and e-mail servers."

Source: Retrieved on Tuesday 13 September 2011 from

Thursday, August 25, 2011

PROTECT IP threatens the future of DNS security

"PROTECT IP is the name of a bill which is working its way through the US Senate with a version also expected to be introduced in the House of Representatives next month. It would require the Attorney General's office to compile a list of domain names which DNS operators (in the US) will be required to block. According to some critics, it threatens to undo more than a decade of Internet security development in a single stroke." - AfterDawn


Monday, July 25, 2011

Nominet Launches Free Trial Of Secure DNS

Nominet will give .uk domain owners a DNSSEC service to prevent hackers spreading counterfeit addresses

Nominet, gatekeepers to the .uk kingdom, is attempting to make its part of the Internet safer by promoting a secure version of the Internet’s directory – the domain name system (DNS).

Nominet is offering a free trial of the DNSSEC (DNS Security Extension), a secure version of the DNS protocol, designed to prevent hackers from “poisoning” the Internet’s directory system with false entries that can trap the unwary.


Wednesday, June 15, 2011

ICANN Leaders to Discuss Generic Top-Level Domains

"(The Hosting News) – Rod Beckstrom, ICANN’s President and Chief Executive Officer will join Board Chair Peter Dengate Thrush and Senior Vice President Kurt Pritz at a news conference immediately following an historic special meeting of the ICANN Board of Directors to decide the future of new generic top-level domains (gTLDs).

The potential expansion of new gTLDs could mark one of the biggest changes ever to the Internet’s Domain Name System."


Monday, June 6, 2011

Getting started with a DNSSEC implementation

"Can you clarify what fixes are being implemented to the DNS system (via DNSSEC) to make it more secure? Do enterprises need to take any action in turn or will these DNS security improvements be transparent?

Attackers sometimes attempt to manipulate DNS records through cache-poisoning attacks that insert malicious false DNS records into a server. Attackers hope these records will be distributed to client machines, which will then unknowingly guide users to malicious webpages.

Until recently, there was little that could be done on the client side to defend against this type of attack.  But the release of the DNS Security Extensions (DNSSEC) changes that, allowing for the application of digital signature technology to DNS records, and providing the end user with assurance that the record is authentic.
The idea to secure DNS has been around for over a decade, but it took time to work out the details, and adoption has been quite slow.  Over the past year, the idea picked up some steam, especially after the publicity surrounding the DNS vulnerabilities that Dan Kaminsky announced at the 2010 Black Hat Briefings conference.  Major network and hosting providers such as Comcast and GoDaddy have joined the federal government in deploying DNSSEC.

If you want to get started with a DNSSEC implementation"

Source: Getting started with a DNSSEC implementation, By Mike Chapple, Contributor, Retrieved on June 6, 2011 from


Friday, May 27, 2011

DNSSEC signature can crash Bind name servers

"Where a Bind name server is set up as a caching resolver, it is vulnerable to DoS attacks which could cause it to crash. ISC describes the issue in its advisory Large RRSIG RRsets and Negative Caching can crash named and categorises the problem, which can be triggered remotely, as 'high' severity.

The DNSSEC extension plays a key role in the latest security problem to hit the widely used name server. It appears that the internal memory manager can become confused when it has to cache signed entries for non-existent domains. ISC's Larissa Shapiro has confirmed to The H's associates at heise Security that servers which do not themselves offer DNSSEC functionality are also vulnerable.

According to ISC, to exploit the bug an attacker must be running a DNSSEC-signed authority server for a domain. He would then be able to induce DNS lookups for non-existent names on that domain (for example by sending out spam), which would trigger the bug on the vulnerable name server. Versions 9.4-ESV-R3, 9.6-ESV-R2, 9.6.3, 9.7.1, 9.8.0 and earlier are all affected. ISC has released updates which should fix the problem."

Source: Retrieved on May 27, 2011 from


Monday, May 9, 2011

BIND Update Patches Security Flaw

The Internet Systems Consortium (ISC) recently released Update 9.8.0-P1 for its BIND DNS server, which closes a potential denial of service vulnerability.
"Signed server replies (RRSIG) can cause a BIND server to crash under certain circumstances," The H Security reports. "ISC says that the vulnerability only occurs, however, if the vulnerable server supports response policy zones (RPZs)."
"ISC says the DoS has not yet been used for actual attacks, but the firm is keeping an eye on a number of DNSSEC validators that have sent answers to the BIND server which unintentionally caused crashes," the article states.
Go to "Update for BIND server patches DoS hole" to read the details.

Source: Retrieved on May 9th, 2011


Monday, April 25, 2011

New Insights into DNSSEC Adoption

DNSSEC survey conducted by IID, in coordination with Online Trust Alliance. Click here for details.


Friday, March 4, 2011

.CO Registry Deploys DNSSEC

"Joins a select group of Registry operators leading the charge in the implementation of a suite of new security features that will help create a more secure internet.

.CO Internet S.A.S., the Registry operator for the .CO domain, yesterday announced that it has completed deployment of Domain Name System Security Extensions (DNSSEC) into the Internet root zone. The company claims that in doing so, it joins a select group of Registry operators leading the charge in the implementation of a suite of new security features that will help create a more secure internet.

It avers that DNSSEC is a set of specifications for securing certain kinds of information provided by the Domain Name System (DNS) that is designed to protect the Internet from specific types of attacks, such as DNS cache poisoning, which can lead to cyber-crimes such as identity theft. With full end-to-end deployment, it will eventually allow internet users to know with certainty that they have been directed to the precise website they intended to reach.

The company says that the smooth implementation of DNSSEC follows several months of careful planning and a successful test phase in January 2011. A strong partnership with Neustar, Inc., the .CO Registry's technology services partner, was a critical success factor.

"We're proud to be announcing the successful implementation of DNSSEC today," said Nicolai Bezsonoff, COO of .CO Internet. ".CO is one of the fastest growing domain extensions in the world, and registrants and end users can rest assured that we are committed to providing the highest level of internet security - both now and into the future."

"By implementing DNSSEC so soon after the launch of .CO as a global domain, the .CO Registry has reaffirmed its commitment to ensuring the security and integrity of the .CO name space," said Tim Switzer, Vice President of Domain Name Registry Services at Neustar. "We look forward to continuing to support the .CO Registry as it plays an increasingly active role in addressing the security challenges of the 21st century - and in helping to develop the policies, standards and practices that govern the global internet.""

Source: Retrieved on March 4th from

Friday, February 4, 2011

Verisign Selected to Operate .gov Domain Name Registry

General Services Administration Selects Verisign to Provide All Aspects of Domain Name Registration Service to Federal, State and Local Governments

"Verisign is honored to be granted the responsibility of operating the .gov and domain name registries," said Mark McLaughlin, president and chief executive officer of Verisign. "Our unmatched operational excellence and proven security expertise offers the GSA a trusted and experienced partner, poised to protect its infrastructure against threats now and into the future. In addition to providing GSA the best in industry service to reliably meet its evolving demands, we are prepared to deliver value-added services that the GSA and its customers may require."
In making its selection, the GSA determined Verisign readily addressed all of the items it identified as essential for operating the .gov domain name registry. These included:
  • Designing and operating a registry infrastructure capable of scaling to meet the needs of the GSA, while maintaining best-in-class reliability and accessibility
  • Operating a network infrastructure that supports both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)
  • Full support of DNSSEC
  • Unmatched security and stability 

Wednesday, January 26, 2011

Performance hit could be the price of DNS security

Recent security fixes to the Domain Name System have bought the Internet community time to implement a more permanent solution in the form of the DNS Security Extensions, but the job of putting the protocols into place has only begun, said one industry observer. And when DNS zones are signed securely, there will likely be a trade-off in performance.

A study by Infoblox, which makes network management automation tools, showed a fourfold increase in the number of digitally signed zones from 2009 to 2010, said Vice President of Architecture Cricket Liu. But that still amounted to only 0.022 percent of zones that had been signed with DNSSEC.

Implementing DNSSEC to ensure that IP address information received in response to DNS queries is legitimate is complicated by two factors. First, the system requires a chain of trust for validating digital signatures, which means they will not work unless the protocols are enabled on a substantial portion of the Internet. Fortunately, the root zone at the top of the DNS hierarchy has been signed, and a number of top-level domains immediately under it have also been signed.

“The last big domino to fall is going to be .com, which is scheduled to be signed in March,” Liu said Jan. 25 during a talk in Washington. “This is the year of no excuses because .com is signed this year.”

Source: "Performance hit could be the price of DNS security", William Jackson, Retrieved on Jan 26, 2011 from
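The chain of trust that this article and the earlier "Getting started with a DNSSEC implementation" post describe comes down to one repeated check: a validator accepts a child zone's DNSKEY only if it hashes to the DS record that the parent zone published and signed. The following Python illustration is added here and is not code from either article or from Infoblox; the zone name, key bytes and the tampered key are constructed, and verifying the RRSIG with the accepted key is left out.

```python
"""One link of the DNSSEC chain of trust: does the child's DNSKEY match the parent's DS?
Added illustration; the key material below is constructed, not a real zone's key."""
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS RDATA the parent publishes: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], 2, digest


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator side: the key the child serves must reproduce the DS the parent signed."""
    tag, alg, dtype, digest = ds
    if dtype != 2 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    actual = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(actual, digest)


# Constructed example: a KSK (flags 257), protocol 3, RSASHA256 (algorithm 8), toy key bytes.
CHILD_KEY = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
PARENT_DS = make_ds("example", CHILD_KEY)  # what the parent zone would publish and sign


def demo() -> dict:
    """Genuine key passes; a substituted key (cache-poisoning scenario) or wrong owner fails."""
    substituted = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 5]))
    return {
        "genuine": ds_matches("example", CHILD_KEY, PARENT_DS),
        "substituted_key": ds_matches("example", substituted, PARENT_DS),
        "wrong_owner": ds_matches("examp1e", CHILD_KEY, PARENT_DS),
    }
```

A real validator repeats this check from the signed root down through each TLD and zone, which is why an unsigned link anywhere in the path leaves everything below it unvalidatable.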