Category: DNS

Video: What are “Negative Trust Anchors” for DNSSEC?

What are “negative trust anchors” for DNSSEC? What function do they perform? Why do we need them? In this video, Dan York interviews Jason Livingood about his Internet-Draft on this topic, and Jason answers these and other questions:

The Internet-Draft can be found at:

http://tools.ietf.org/html/draft-livingood-negative-trust-anchors

Jason and his co-author are seeking comment and would appreciate feedback from people about this draft – does it make sense? Would you use it? Do you see any ways to improve their ideas? Their email addresses can be found at the end of the document and they are definitely open to feedback.

Jason Livingood is Vice President of Internet & Communications Engineering at Comcast and is one of the co-authors of this draft.

More information about DNSSEC can be found at the Deploy360 website at:
http://www.internetsociety.org/deploy…

This interview was recorded at the 86th meeting of the Internet Engineering Task Force (IETF) in March 2013 in Orlando, Florida, USA.

Google Public DNS – DNSSEC Validation

Google provides DNSSEC validation on its “Google Public DNS” resolvers.  If your local DNS resolvers do not perform DNSSEC validation, you can change your operating system to point to the following DNS servers operated by Google, for either (or both) IPv4 and IPv6:

8.8.8.8
8.8.4.4

2001:4860:4860::8888
2001:4860:4860::8844

Once configured, all future DNS queries will be resolved using these DNS servers, and DNSSEC validation (if requested in the query) will be performed by Google’s servers.  You will then benefit from the added protection of DNSSEC validation.

Typically this configuration is changed wherever you modify your network settings.  In Windows, this is usually in your “Control Panel” while in Mac OS X this will be in the Network part of your “System Preferences”.  For Linux and other operating systems the exact procedure will vary.

Note that there is one important caveat here - you have to request DNSSEC validation when you send the DNS query to Google’s Public DNS servers, i.e. the query must carry the EDNS0 “DNSSEC OK” (DO) bit, and Google’s servers will only validate the answer if that bit is set.  Most operating-system stub resolvers do not set it on their own, so you need an application that supports DNSSEC.  For web browsers, there are add-ons and extensions for both Google Chrome and Mozilla Firefox:

If you are an application developer, there are DNS developer libraries that support DNSSEC available in a wide range of programming languages so that you can add DNSSEC support to your application.

You can test DNSSEC validation by attempting to visit one of the deliberately misconfigured sites listed on our DNSSEC Tools page.

Google provides the following information about using their Public DNS service:

Google announced the addition of DNSSEC validation in March 2013, noting that Google Public DNS was at that time “serving more than 130 billion DNS queries on average (peaking at 150 billion) from more than 70 million unique IP addresses each day.”

Note: To get the most value out of DNSSEC, you need to use a DNSSEC-validating resolver, and also sign your domains. If you have domains registered, learn about how you can sign your domains with DNSSEC using domain name registrars.

Huge News For Internet Security – Google Public DNS Is Now Performing DNSSEC Validation!

In a huge step forward for Internet security today, Google announced that Google’s “Public DNS” service is now performing DNSSEC validation. What this means is that anyone using Google’s DNS servers (and anyone can do so – see below) can now get the increased security that comes with DNSSEC.  (Learn more about the value of DNSSEC on our DNSSEC Basics page.)

It also means that if you want the added security of DNSSEC, but your Internet Service Provider and local operating system don’t validate with DNSSEC,  you can simply change your operating system to point to the following DNS servers operated by Google for either (or both) IPv4 and IPv6:

8.8.8.8
8.8.4.4

2001:4860:4860::8888
2001:4860:4860::8844

Once configured, all future DNS queries will be resolved using these DNS servers and DNSSEC validation will be performed by Google’s servers.  You will then benefit from the added protection of DNSSEC validation.  (Our resource page about Google Public DNS offers a few more pointers about configuration.)

Note that there is one important caveat here - you have to request DNSSEC validation when you send the DNS query to Google’s Public DNS servers, i.e. the query must carry the EDNS0 “DNSSEC OK” (DO) bit, and Google’s servers will only validate the answer if that bit is set.  Most operating-system stub resolvers do not set it on their own, so you need an application that supports DNSSEC.  For web browsers, there are add-ons and extensions for both Google Chrome and Mozilla Firefox:

If you are an application developer, there are DNS developer libraries that support DNSSEC available in a wide range of programming languages so that you can add DNSSEC support to your application.
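The caveat above (and the identical one in the Google Public DNS resource page earlier on this page) comes down to one bit in the query. The script below is an added example for this page, not code from Google or Deploy360: it builds a raw DNS query with an EDNS0 OPT record carrying the DO bit, sends it to the resolver addresses listed above, and reads the AD flag and RCODE of the reply, so you can see for yourself what a lookup with and without the request for validation returns. It also shows how a deliberately broken zone, such as the test sites on the DNSSEC Tools page, surfaces as SERVFAIL. The domain name in the demo is a placeholder; substitute a zone you know to be signed or known to be broken.

```python
"""Hand-rolled DNS query/response handling to show what "requesting DNSSEC
validation" means on the wire: an EDNS0 OPT record with the DO bit set.
Added example for this page; not Google's or Deploy360's code."""
import os
import socket
import struct

QTYPE_A = 1
CLASS_IN = 1
TYPE_OPT = 41
DO_BIT = 0x8000          # "DNSSEC OK": bit 15 of the OPT record's TTL field
FLAG_RD = 0x0100         # recursion desired
FLAG_CD = 0x0010         # checking disabled: ask the resolver NOT to validate
FLAG_AD = 0x0020         # authenticated data: the resolver DID validate
RCODE_SERVFAIL = 2


def encode_name(name):
    """Encode "www.example.com" as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, dnssec_ok=True, checking_disabled=False, txid=None):
    """Build a UDP DNS query. With dnssec_ok=True an OPT RR carrying the DO
    bit is appended; that is how a client asks a validating resolver to
    validate (and to return the RRSIG records)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")  # unpredictable transaction ID
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    additional = b""
    if dnssec_ok:
        # OPT RR: owner = root (0x00), TYPE = 41, CLASS = UDP payload size,
        # TTL = ext-RCODE(8) | version(8) | flags(16) with DO set, RDLEN = 0.
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return header + question + additional


def parse_header(packet):
    """Return the fields of the 12-byte DNS header that matter here."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F,
            "ancount": an}


def classify(hdr):
    """Three outcomes of a lookup through a validating resolver:
    secure   - RCODE 0 and AD=1: the chain of trust checked out.
    insecure - RCODE 0 and AD=0: unsigned zone, or the resolver did not
               validate (for example because the query carried no DO bit).
    servfail - RCODE 2: what a validating resolver returns for bogus data;
               re-query with checking_disabled=True to confirm it is a
               validation failure rather than an upstream outage."""
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if hdr["rcode"] == 0:
        return "secure" if hdr["ad"] else "insecure"
    return "rcode%d" % hdr["rcode"]


def query(server, name, dnssec_ok=True, checking_disabled=False, timeout=3.0):
    """Send one query over UDP and classify the answer (needs network access)."""
    pkt = build_query(name, dnssec_ok=dnssec_ok, checking_disabled=checking_disabled)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack("!H", pkt[:2])[0]:
        raise ValueError("transaction ID mismatch; dropping unsolicited reply")
    return classify(hdr)


if __name__ == "__main__":
    # "example.com" is a placeholder: use a zone you know is signed, and one of
    # the deliberately broken test zones from the DNSSEC Tools page.
    for server in ("8.8.8.8", "2001:4860:4860::8888"):
        for do in (True, False):
            try:
                print(server, "DO=%d" % do, query(server, "example.com", dnssec_ok=do))
            except OSError as exc:
                print(server, "DO=%d" % do, "error:", exc)
```

Run it twice against a signed zone: with the DO bit you should see “secure”, without it “insecure”, which is exactly the caveat in the text. A broken test zone gives “servfail” with DO set; repeating the query with checking_disabled=True and getting an answer back confirms that the failure was DNSSEC validation and not a dead server.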

In the announcement, Google’s Yunhong Gu noted that Google Public DNS is currently “serving more than 130 billion DNS queries on average (peaking at 150 billion) from more than 70 million unique IP addresses each day.”  As the article further notes:

“Effective deployment of DNSSEC requires action from both DNS resolvers and authoritative name servers. Resolvers, especially those of ISPs and other public resolvers, need to start validating DNS responses. Meanwhile, domain owners have to sign their domains. Today, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. We encourage all involved parties to push DNSSEC deployment and further protect Internet users from DNS-based network intrusions.”

To that end, if you have domains registered, we strongly encourage you to learn about how you can sign your domains with DNSSEC using domain name registrars.  You can learn more about which top-level domains support DNSSEC on our DNSSEC Statistics page.

Google provides the following information about using their Public DNS service:

This move by Google to provide this DNSSEC validation is a great addition to the support for DNSSEC validation offered by large US ISPs such as Comcast (making DNSSEC validation available to their 18 million customers) as well as ISPs in a wide range of countries including Sweden, the Czech Republic and Brazil.

We look forward to seeing more public DNS providers and more ISPs turn on DNSSEC validation in their networks.  If you want to know more about what is involved with enabling DNSSEC validation on your network, including home and enterprise networks, this SURFnet white paper provides easy instructions for common DNS servers.

And in the meantime, if you don’t want to wait for your ISP and want to start getting the value in DNSSEC validation today, you now have the option of using Google’s public DNS servers!


DNSsexy.net – News from the DNS blogosphere

Looking for news about DNS and DNSSEC that is happening around the Internet? If so, check out:

dnssexy.net

DNSsexy is a news aggregation site built and maintained by Jan-Piet Mens that pulls together DNS-related items from a variety of blogs and news sources. Do note that this is DNS in general… so it covers a wide range of DNS topics, not just the DNSSEC we cover here.

You can view the latest news by going to the site – or by adding the aggregated RSS feed into Google Reader or whatever feed reader you use.

I’ve found it quite a useful way to stay up on the many DNS posts happening around the Internet. Thanks to Jan-Piet Mens for setting up and maintaining the site!

Speaking at SATIN 2012 on Friday About DNSSEC Deployment

This Thursday and Friday I (Dan York) will be at the “Securing and Trusting Internet Names (SATIN) 2012” event taking place at the National Physical Laboratory (NPL) in London, UK. As the event site indicates, this event is a bit of a merger of academia and industry:

SATIN aims to provide a forum for academic work on the security of the DNS alongside industry presentations on practical experiences in providing name services.

This workshop will expose the academics to the real problems that industry is encountering, and show industry what academia has to offer them.

The SATIN 2012 agenda looks quite good and I’m looking forward to learning a good bit about new research into DNSSEC and other technologies to protect DNS. It’s great to see someone from Comcast there talking about their work and I admit to having a particular interest in the session on DANE, as I see DANE as a potential way to show how DNSSEC can add more value to existing networks. (More on DANE in later posts.)

On Friday I’ll be speaking about some of what we’ve seen as we prepared the DNSSEC part of this Deploy360 site and the opportunities we see for simplifying the user experience and accelerating DNSSEC deployment. As part of preparing for the event, I developed with my colleagues here at the Internet Society a 7-page paper on “Challenges and Opportunities in Deploying DNSSEC” that I’m definitely looking forward to sharing with you all.

We’ll be posting both my paper and slides to our site once the event is over. The NPL is also going to be recording all of the sessions and making them available via YouTube. As soon as the videos are live, we’ll start posting about them here, too.

If any of you reading this will be at SATIN 2012 this week, please do say hello (and feel free to drop me a note in advance).