The State of DNSSEC Validation

Many aspects of technology adoption in the Internet over time show simple “up and to the right” curves. There are many examples, so to pick a classic curve Google’s measurement of IPv6 use is a good example. What lies behind these curves is the theory that once a decision is…


No!

What part of “No!” doesn’t the DNS understand? One effective form of attack on the authoritative DNS server infrastructure, including the root servers, is the so-called random name attack. If you want to target the online availability of a particular domain name, then a random name attack will attempt to…


Analyzing the KSK Roll

It’s been more than two weeks since the roll of the Key Signing Key (KSK) of the root zone on October 11 2018, and it’s time to look at the data to see what we can learn from the first roll of the root zone’s KSK. There are a number…


Diving into the DNS

DNS OARC organizes two meetings a year. They are two-day meetings with a concentrated dose of DNS esoterica. Here’s what I took away from the recent 29th meeting of OARC, held in Amsterdam in mid-October 2018. Cloudflare’s 1.1.1.1 service Cloudflare have been running an open public DNS resolver service on…


DOH!

If you had the opportunity to re-imagine the DNS, what might it look like? Normally this would be an idle topic of speculation over a beer or two, but maybe there’s a little more to the question these days. We are walking into an entirely new world of the DNS…


Measuring the KSK Roll

When viewed as a network infrastructure, looks can be very deceiving when looking at the DNS. It appears to be a simple collection of resolvers and servers. Clients pass their DNS name resolution queries to resolvers, who then identify and ask an appropriate authoritative name server to resolve the DNS…


DNSSEC and DNS over TLS

The APNIC Blog has recently published a very interesting article by Willem Toorop of NLnet Labs on the relationship between Security Extensions for the DNS (DNSSEC) and DNS over Transport Layer Security. Willem is probably being deliberately provocative in claiming that “DoT could realistically become a viable replacement for DNSSEC.”…


Measuring ECDSA in DNSSEC – A Final Report

Back in 2014 I wrote on the use of the elliptical curve cryptographic algorithm in generating digital signatures for securing the DNS (DNSSEC). The conclusion at the time was hardly encouraging: “Will ECDSA ever be a useful tool for DNS and DNSSEC? As good as ECDSA is in presenting strong…


The Uncertainty of Measuring the DNS

The period around the end of the nineteenth century and the start of the twentieth century saw a number of phenomenal advances in the physical sciences. There was J.J. Thompson’s discovery of the electron in 1897, Max Planck’s quantum hypothesis in 1900, Einstein’s ground-breaking papers on Brownian motion, the photoelectric…


Measuring ATR

The Problem It’s pretty clear that the Internet has a problem. If you want to include Facebook’s misuse of personal information in ways that closely resemble unconstrained abandon, then the Internet probably has hundreds of millions of problems! More prosaically, lets confine our view of problems to the Internet Protocol…