Ariel Rabkin (of my alma mater, Berkeley) wrote an interesting, thoughtful article on Internet governance recently.  It argues that U.S. government control of the root zone, through the Department of Commerce's oversight of IANA, perhaps isn't such a bad thing.  The U.S., after all, has done a good job so far, eliciting few complaints.  The First Amendment helps us resist calls to use such control as a bludgeon in the service of censorship.  An international organization might yield to covert pressure to enact restrictions on content.

While Mr. Rabkin's arguments appeal to me, I wonder how much my view is clouded by being an American.  Furthermore, I tend to think that some of his points would have rung hollow just months ago, before the current administration took office.

On the other hand, I've thought about alternatives to the current governance model before and never come up with one I felt sure would work better.  Is the current arrangement "the worst form except for all those others that have been tried"?

This may be obvious to some of you, but implementing DNSSEC validation is easy if you use a forwarding architecture (that is, if you resolve Internet domain names using forwarders).  Only your forwarders need special configuration, and that configuration is simple.

Read more...

Just a short reminder that Infoblox is presenting a webinar on June 10th on DNS security and DNSSEC featuring Dan Kaminsky (of cache-poisoning-vulnerability fame) and Scott Rose of NIST, co-author of the most recent set of DNSSEC RFCs.  We'll discuss several threats to DNS infrastructure (including cache poisoning, natch), describe DNSSEC at a high level, and discuss the state of DNSSEC adoption.

We're doing the webinar twice, once at 9 am EDT and once at 9 am PDT.  You can find more information and register here.  I hope you'll join us!

I recently did five talks in Europe on threats to DNS, leading up to the need to deploy DNSSEC.  Several audiences asked me for my opinion on the right time to implement DNSSEC.  Clearly, the lack of signed parent zones is an impediment for most of us:  Unless your zones are children of .se, .cz, .br, .bg, or one of the few other signed TLDs, you'd need to distribute your zone's public key to everyone you'd like to validate your zone data.  That doesn't scale, right?

Read more...

DNS Tools

If you are looking for DNS tools check out DNS test (or DNS freeware) at the Infoblox web site.  You’ll find links t plenty of tools, freeware and additional resources to help you manage DNS.

Interop

If you’re planning to attend Interop feel free to visit the Infoblox booth 1867, in the TNC demo (booth 869) or at the Cisco (1719) or Riverbed (1359) booths.

The Infoblox booth will feature demos of the new Infoblox IP address management (IPAM) solution as well as the new PortIQ™ appliance network monitoring solution.  The TNC demo will show how IF-MAP enables security for 5 distinct enterprise environments.  If you cannot see the demos live check out the new 2009 TNC Interop brochure.  Here is a sneak peek.

Read more...