August 2014 archive

InfoWorld: Why You Need To Deploy DNSSEC Now

Today long-time DNS expert Cricket Liu came out with a good post on InfoWorld, “Why you need to deploy DNSSec now” where he talks through

  • why you need DNSSEC
  • how it works, including a walk-through of the actual RRSIG record in DNS
  • human factors that delayed implementation
  • motivation for deploying DNSSEC (or lack thereof)
  • factors to consider for your infrastructure such as overhead

He had one intriguing point about a potential organization that could influence DNSSEC deployment:

There is one organization, however, that is in a surprisingly strong position to influence the uptake of DNSSec: the PCI Security Standards Council, responsible for the development of the PCI Data Security Standard and other standards governing the payment card industry. Longstanding rumors say the organization is considering requiring companies whose websites accept payment cards to use DNSSec to sign their zones in order to achieve PCI DSS compliance. Given how pervasive acceptance of credit cards is on major websites, such a requirement would have vast reach.

That rumor is interesting to hear and certainly something we’ll be exploring through various connections to learn more about what might be possible.

I was surprised, though, that Cricket did not mention what I see as one of the strongest motivations to deploy DNSSEC right now – the ability to then use the DANE protocol to provide an additional layer of trust to TLS and SSL certificates. As Andrew recently wrote, DANE has a great ability to increase the overall security of TLS/SSL certificates by ensuring that users are receiving the correct TLS certificates that you want them to be using.  We’re already seeing a great uptake in DANE / DNSSEC usage within the XMPP/Jabber community as well as within various email services as a way of authenticating mail servers and helping fight spam.

I also felt the article dwelt a bit longer than needed on some of the past history of DNSSEC and some of the earlier issues that slowed deployment, rather than focusing on the fact that those obstacles have been overcome and the tools and solutions are MUCH easier now.

Overall, though, this is a good article and it’s good to have it out there on a widely-read site such as InfoWorld.

If you would like to get started with DNSSEC – because Cricket is right, the time to start is NOW! – please visit our “Start Here” page to find resources targeted for the type of role you have.  Or jump directly to our DNSSEC page and browse some of the links and information you find there.

See the discussion of this InfoWorld article on:


IPFire Adds DNSSEC Validation In New Release Via Crowdfunding

We were pleased to see an announcement from the IPFire open source firewall distribution indicating that DNSSEC validation had been added to their most recent “IPFire 2.15 – Core Update 80” yesterday. More intriguing to me, perhaps, was that the DNSSEC validation was added to the software distribution via a crowdfunding initiative for their “wishlist”. While I realize this is not unique among software products, it was great to see that some number of IPFire users felt DNSSEC was important enough to donate to prioritize this task. [Tip for IPFire: It would be nice to know how many users donated rather than just the total amount.]

I will admit I’d not heard of IPFire prior to seeing a tweet about the DNSSEC addition this morning, but in looking at their “About IPFire” page it seems to have the kind of services that I would want in a system like this. (I run a similar type of hardened Linux distribution on my own home server/gateway.)

This news about IPFire is important because getting DNSSEC validation to happen on the edge of local networks is a critical step in the plan for where DNSSEC validation needs to happen. Ideally, of course, we’d get the validation happening in the device operating systems and even applications, but getting the validation on the edge of the local network does minimize the attack surface significantly!

Kudos to the team at IPFire for doing this work – and for the IPFire users who crowdfunded it!

P.S. Do you know of another firewall software distribution that we should add to our list on the plan for DNSSEC validation? Please do let us know as we’d definitely like to expand the list we have there. And if you don’t know much about DNSSEC, check out our “Start Here” page to learn how to get started…

FIR #767 – 8/4/14 – For Immediate Release

Quick News: OKCupid conducted social experiments, Twitter testing easier-to-use hashtags, CPRF convenes digital working group, citizens of Armenia urged to write a Wikipedia article each; Ragan promo; News that Fits: BMW sponsors Medium category, Dan York's Tech Report, what's next in social media measurement, Media Monitoring Minute from CustomScoop, Telegraph posts less and focuses on Facebook, Michael Netzley's Asia Report, Igloo Software promo, the past week on the FIR Podcast Network, a social presence needs to be balanced with engagement; music from Sinfonia Electronique; and more.