
November 07 2011 by Cricket Liu (Infoblox)
Apparently there's a "massive" attack against DNS infrastructure underway in Brazil. Much of the initial reporting refers to the attack as cache poisoning, though Rod Rasmussen correctly points out that it's not "classic cache poisoning": the culprits allegedly worked at a Brazilian ISP and used default passwords to change the DNS settings on customer premises equipment, and modified the configurations of the ISP's recursive name servers to direct customers to bogus sites. ("Classic" cache poisoning attacks, of course, require no such special access to resolver or name server configuration to carry out.)
Besides raising the upsetting specter of collusion by the employees of ISPs, this threat brings us back to DNSSEC's "last mile" problem. While this would seem like a textbook example of the kind of threat DNSSEC should protect against, in fact DNSSEC wouldn't have been much help to most of the ISP's subscribers. Without a secure channel between a stub resolver, like the one on the laptop I'm typing on, and the local recursive name server, there's no foolproof way of determining that your name server has been replaced.
Posted in DNSSEC | DNS Security

June 03 2011 by Cricket Liu (Infoblox)
Yesterday, Infoblox hosted the second annual "Inside Baseball" event, an informal meeting of representatives from companies that work with DNS to discuss strategic and operational issues. Dyn, Inc., who dreamed up the event and hosted last year's meeting at their headquarters in Manchester, New Hampshire, coordinated registration and proposed a loose agenda.
Attendance was terrific, with representatives from Dyn, ISC, Verisign, Neustar, F5, Secure64, Google, Microsoft, Comcast, Akamai, OpenDNS, Nettica, NoIP, TZO, Cotendo, Cloudflare, CloudFloor, and Cloudfish attending. (Just kidding. There's no Cloudfish. Yet.)
Posted in DNSSEC | IPv6

June 01 2011 by Cricket Liu (Infoblox)
InfoWorld just gave their 2011 Technology Leadership Award to my old friend and frequent collaborator, Matt. Matt's worked tirelessly on the deployment of DNSSEC in some of the biggest and most important zones on the Internet, including the root zone, .com and .net - all of which, I'll note, went off without a hitch. That doesn't happen by chance. To think that when I met him, he was fresh out of Northwestern, interviewing for a job at HP.
Congratulations, Matt. It's an honor you richly deserve.
Oh, and dinner's on me!
Posted in DNSSEC | DNS Security

March 31 2011 by Cricket Liu (Infoblox)
The com zone's DS record was added to the root zone today, marking an important milestone in the deployment of DNSSEC. com is the largest zone on the Internet by most measures, containing over 90 million delegations. This means that the administrators of the corresponding 90 million subzones can sign their zones, and validating recursive name servers will be able to follow a continuous chain of trust from the root zone's public Key-Signing Key to validate arbitrary data in those zones.
Posted in DNSSEC | DNS Security

February 15 2011 by Cricket Liu (Infoblox)
At one time, when my job actually entailed managing name servers and namespace, I was pretty good at troubleshooting DNS problems. Often just a few queries with dig would tell me what was wrong, especially if the issue was a common one. Lame delegation? Easy. Forgotten trailing dot? Piece of cake.
Last week, though, one of our excellent support engineers here at Infoblox asked for help with a DNSSEC validation failure. A customer was trying to look up the A records for atmos.pds.nasa.gov and was getting a SERVFAIL error in reply. I could reproduce the error, which is sometimes half the battle, but couldn’t immediately determine its cause.
Posted in DNSSEC | DNS Security