
January 18 2011 by Cricket Liu (Infoblox)
Remember back in September 2009, when I posted this blog entry on the importance of automation? No? (I don’t really blame you. I only remembered that I’d posted something about automation; I had to re-read it to recall exactly what I’d written.) My point was that automating as much as possible of the process of administering DNS was about to get even more critical with broader adoption of DNSSEC.
With DNSSEC-signed zones, there are all sorts of tasks to remember: Re-sign your zone after you make any change to zone data. Re-sign your zone to refresh signatures before they expire. Roll your Zone-Signing Key over monthly. Roll your Key-Signing Key over annually. Oh, but be sure to wait the requisite amount of time during the rollover for old keys to time out of remote caches or for new keys to propagate. Then multiply all of these tasks by the number of signed zones you have, and add the complexity of maintaining different re-signing and rollover timers per zone. That way madness lies.
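The checks above are exactly the kind of thing that should never depend on someone remembering. As an added example (not code from the original post, and not Infoblox's own tooling), the script below reads RRSIG records in zone-file presentation format, flags signatures that are already expired or due for refresh, and computes the wait times for a pre-publish ZSK rollover as described in RFC 4641 (publish the new DNSKEY, wait the DNSKEY TTL plus propagation delay before signing with it, then wait the maximum zone TTL plus propagation delay before removing the old key). The sample records, the 10-day refresh window and the 2-hour propagation delay are constructed assumptions for illustration.

```python
# Added example (not from the original post): flag RRSIGs that need re-signing
# and compute RFC 4641 pre-publish ZSK rollover dates. The sample records and
# timing parameters below are constructed for illustration.
from datetime import datetime, timedelta, timezone


def parse_rrsig_time(ts):
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC (RFC 4034)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG in presentation format:
    owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig"""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "type": f[4],
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "keytag": int(f[10]),
        "signer": f[11],
    }


def signatures_to_refresh(lines, now, window):
    """Return (owner, type, status) for each signature that is already EXPIRED
    (validating resolvers will reject the data) or will expire within `window`
    (REFRESH: re-sign now, before caches see a dead signature)."""
    out = []
    for line in lines:
        r = parse_rrsig(line)
        if r["expiration"] <= now:
            out.append((r["owner"], r["type"], "EXPIRED"))
        elif r["expiration"] - now <= window:
            out.append((r["owner"], r["type"], "REFRESH"))
    return out


def zsk_prepublish_schedule(start, dnskey_ttl, max_zone_ttl, propagation):
    """Pre-publish ZSK rollover timing per RFC 4641: after publishing the new
    DNSKEY, wait DNSKEY TTL + propagation delay (so every cache can have the
    new key) before signing with it; after that, wait max zone TTL +
    propagation delay (so old RRSIGs age out) before removing the old key."""
    sign_with_new = start + dnskey_ttl + propagation
    remove_old = sign_with_new + max_zone_ttl + propagation
    return {
        "publish_new_key": start,
        "sign_with_new_key": sign_with_new,
        "remove_old_key": remove_old,
    }


# Constructed sample: "now" is 2011-01-18 00:00 UTC, refresh anything that
# expires within 10 days. Signature data is a placeholder, not a real RRSIG.
NOW = datetime(2011, 1, 18, tzinfo=timezone.utc)
REFRESH_WINDOW = timedelta(days=10)
SAMPLE_RRSIGS = [
    "www.example.com. 3600 IN RRSIG A 8 3 3600 20110125000000 20101226000000 12345 example.com. c29tZXNpZw==",
    "mail.example.com. 3600 IN RRSIG A 8 3 3600 20110215000000 20110116000000 12345 example.com. c29tZXNpZw==",
    "example.com. 3600 IN RRSIG SOA 8 2 3600 20110117000000 20101218000000 12345 example.com. c29tZXNpZw==",
]
REFRESH_LIST = signatures_to_refresh(SAMPLE_RRSIGS, NOW, REFRESH_WINDOW)
# Assumed timers: DNSKEY TTL 24h, largest TTL in the zone 24h, 2h for the
# re-signed zone to reach every secondary.
SCHEDULE = zsk_prepublish_schedule(
    NOW, timedelta(hours=24), timedelta(hours=24), timedelta(hours=2)
)

if __name__ == "__main__":
    for owner, rtype, status in REFRESH_LIST:
        print("%-8s %s %s" % (status, owner, rtype))
    for step, when in SCHEDULE.items():
        print("%-18s %s" % (step, when.isoformat()))
```

In production you would feed `signatures_to_refresh` the output of `dig +dnssec` or a dump of the signed zone for every zone you serve, and run it from cron more often than your shortest refresh window; the schedule function is the piece that turns "wait the requisite amount of time" into concrete timestamps you can act on per zone instead of per memory.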
Posted in DNSSEC | DNS Security | DNS Survey | Automation |

December 06 2010 by Cricket Liu (Infoblox)
The results of the 2010 DNS Survey come out this week. I know you've all been waiting with bated breath, so here’s a summary of some of what I thought were the most interesting results:
We again examined a random sample of subzones of the Big Three gTLDs, .COM, .NET and .ORG. As in previous surveys, we looked for DNSSEC resource records that would tell us whether these subzones were signed.
Posted in DNSSEC | DNS Survey | IPv6 |

November 22 2010 by Cricket Liu (Infoblox)
Our friends at The Measurement Factory just completed the 2010 DNS Survey, and we’ll release the complete results soon. For those of you who just can’t wait, though, here’s a preview of some of the results.
One of our datasets was a large (i.e., millions of zones), random sample of subzones of .COM, .NET and .ORG. Looking at the IP addresses of the authoritative name servers for these zones, we found that nearly 20% seem to have all of their authoritative name servers on the same network. (They’re on the same /24, at least—in some cases, of course, that might be multiple networks, but it’s relatively unlikely.)
This is an accident waiting to happen. Some of you might remember the embarrassing DNS outage Microsoft suffered several years ago when a technician misconfigured a border router in Redmond: Because all of their authoritative name servers were on a single network behind that router, users couldn’t resolve most Microsoft domain names for an extended period. Don’t let that happen to you.
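The survey's heuristic is easy to apply to your own zones. As an added example (not code from the survey, the post or Infoblox), the script below takes the name servers of a zone and the addresses they resolve to and reports whether every authoritative server falls inside a single prefix. It uses the survey's /24 for IPv4; the /48 used for IPv6 is my assumption, since the post only mentions /24. The zone data is constructed; in practice you would fill the mapping from `dig +short NS <zone>` followed by `dig +short A` / `dig +short AAAA` on each server name.

```python
# Added example (not from the original post): check whether all of a zone's
# authoritative name servers sit on one network. /24 for IPv4 follows the
# survey; /48 for IPv6 is an assumption. Sample zones are constructed.
import ipaddress


def containing_prefixes(addrs, v4_len=24, v6_len=48):
    """Map each address to the prefix of the chosen length that contains it."""
    nets = set()
    for a in addrs:
        ip = ipaddress.ip_address(a)
        plen = v4_len if ip.version == 4 else v6_len
        nets.add(ipaddress.ip_network("%s/%d" % (ip, plen), strict=False))
    return nets


def nameserver_diversity(ns_addrs):
    """ns_addrs: {ns_name: [address, ...]} for one zone.
    Returns (single_network, prefixes): single_network is True when every
    listed address shares one prefix, which is the survey's warning sign."""
    all_addrs = [a for addrs in ns_addrs.values() for a in addrs]
    if not all_addrs:
        raise ValueError("no name server addresses to check")
    nets = containing_prefixes(all_addrs)
    return len(nets) == 1, sorted(str(n) for n in nets)


def audit(zones):
    """zones: {zone: {ns_name: [address, ...]}}. Returns {zone: (flag, prefixes)}."""
    return {zone: nameserver_diversity(ns) for zone, ns in zones.items()}


# Constructed data: documentation prefixes (RFC 5737 / RFC 3849), not real servers.
SAME_NETWORK = {
    "ns1.example.com.": ["192.0.2.10"],
    "ns2.example.com.": ["192.0.2.11"],
}
DIVERSE = {
    "ns1.example.net.": ["192.0.2.10", "2001:db8:1::53"],
    "ns2.example.net.": ["198.51.100.7", "2001:db8:2::53"],
}
SAMPLE_ZONES = {"example.com.": SAME_NETWORK, "example.net.": DIVERSE}

if __name__ == "__main__":
    for zone, (single, prefixes) in audit(SAMPLE_ZONES).items():
        verdict = "ALL ON ONE NETWORK" if single else "ok"
        print("%-14s %-18s %s" % (zone, verdict, ", ".join(prefixes)))
```

A single /24 is a conservative signal, as the post notes: two servers in one /24 are almost always behind the same router, while two servers in different /24s may still share an upstream. Treat a `True` result as a definite problem and a `False` result as the starting point for checking routing and hosting diversity as well.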
Posted in Microsoft | DNS Security | DNS Best Practices | Disaster Recovery | DNS Survey |

September 13 2010 by Cricket Liu (Infoblox)
It’s nearly fall and here in California, we can feel the change of season. I’m wearing a sweater for the first time in months, and day by day it’s darker when we get up in the morning.
But I like fall. My daughter’s birthday is in the fall—in fact, it’s on the equinox—and so is mine. Halloween is coming up, and in our neighborhood, Halloween is a huge, big deal. Kids from all over come to our neighborhood to trick or treat, and some families set up elaborate Halloween displays. One year, neighbors had a mock car wreck on their lawn, complete with casualties, and another year—the same neighbors, I think—they chased trick or treaters away with a chainsaw. Yeah, we avoid that house now.
And each fall, Infoblox re-runs its DNS Survey. Our friends at The Measurement Factory actually perform the testing, and we both analyze the results. While it may sound like the height of geekdom, the Survey’s results are like a surprise gift each year. Honestly, I never know quite what to expect. Last year, we saw the percentage of open recursive name servers jump through the roof—reversing a trend I thought we’d established over the previous several years. Over the past two years, we’ve seen the percentage of Microsoft DNS Servers identified drop through the floor.
Posted in DNS Survey |

August 16 2010 by Cricket Liu (Infoblox)
Whenever seismic activity picks up somewhere in the world, our local press here in California like to point out that we’re overdue for The Big One. They cite how frequently, on average, large earthquakes occur on the various faults that we cross on our daily commutes and note that it’s been many times that long since those faults have experienced a major tremor. Then they cut to footage of the aftermath of the Northridge or Loma Prieta earthquake or the movie “2012” and remind you to stock up on canned food, drinking water and ammunition. Sensationalist, sure, but relatively tame when compared with most of the fear mongering they use to try to boost ratings.
I’m waiting for The Big One to strike the Internet.
Over the past several years, we’ve seen some large Distributed Denial of Service attacks against Internet infrastructure, including DNS. In fact, as recently as August 6th, the DNS hosting provider DNS Made Easy was hit with a DDoS attack that they estimated at “over 50 Gbps.”
Posted in DNS Security | DNS Survey |