Stories
Slash Boxes
Comments

SoylentNews is people

ICANN Urges Adopting DNSSEC Now

posted by Fnord666 on Monday April 22 2019, @06:59AM   Printer-friendly
from the yes-please dept.

martyb writes:

ICANN Urges Adopting DNSSEC Now:

Continuing attacks on directory name services have prompted ICANN to prompt enterprise DNS uses to push their suppliers for DNSSEC services to block some of these attacks that can compromise corporate data.

Powerful malicious actors continue to be a substantial risk to key parts of the Internet and its Domain Name System security infrastructure, so much so that The Internet Corporation for Assigned Names and Numbers is calling for an intensified community effort to install stronger DNS security technology.

Specifically ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. DNS, often called the internet’s phonebook, is part of the global internet infrastructure that translates between common language domain names and IP addresses that computers need to access websites or send emails. DNSSEC adds a layer of security on top of DNS.

[...]Full deployment of DNSSEC ensures end users are connecting to the actual web site or other service corresponding to a particular domain name, ICANN says “Although this will not solve all the security problems of the Internet, it does protect a critical piece of it – the directory lookup – complementing other technologies such as SSL (https:) that protect the "conversation", and provide a platform for yet-to-be-developed security improvements,” ICANN says.

In a release calling for the increased use of DNSSEC technologies, ICANN noted that recent public reports show a pattern of multifaceted attacks utilizing different methodologies.

“Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use,” ICANN stated.

[...]ICANN offered a checklist of recommended security precautions that members of the domain-name industry, registries, registrars, resellers and related others shoudl[sic] take to protect their systems, their customers’ systems and information reachable via the DNS.

Make sure you know where you are going.

Original Submission

 
This discussion has been archived. No new comments can be posted.
ICANN Urges Adopting DNSSEC Now | Log In/Create an Account | Top | 27 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Monday April 22 2019, @09:11AM (4 children)

    by Anonymous Coward on Monday April 22 2019, @09:11AM (#833320)

    What exactly problem does it solve?
    It gives DNS control into other malicious actors. We had this over and over since 1994, when people told that Internet without academic curation will turn into a TV. It turned.
    Mozilla did similar thing once, with Cloudflare - a company known of fighting anonymity in the Internet and massively collecting metadata.
    The solution is:
    1. Encrypted, distributed DNS, maybe blockchain-based. There was something similar with own TLDs, unfortunately lost popularity as had less media paid advertising than "social media".
    2. If ISP modifies the traffic - this is violation of agreement, so punish with fine exceeding income. As "potential losses (tm)" exceed real losses, and we all believe in this "potential losses (tm)" BS when it comes to "intellecshual property (tm)", so why use it only against "goyim"?

  • (Score: 2) by Pino P on Monday April 22 2019, @03:15PM (1 child)

    by Pino P (4721) on Monday April 22 2019, @03:15PM (#833408) Journal

    Encrypted, distributed DNS, maybe blockchain-based. There was something similar with own TLDs, unfortunately lost popularity as had less media paid advertising than "social media".

    Are you thinking of Namecoin [wikipedia.org], which uses the .bit pseudo-TLD? Or OpenNIC?

    If ISP modifies the traffic - this is violation of agreement

    Unless the only ISP in town or all ISPs in town have a provision in their agreement allowing the ISP to modify traffic, ostensibly to protect the customer premises equipment from cyber-intruders or to enforce court orders.

    • (Score: 2) by c0lo on Monday April 22 2019, @10:21PM

      by c0lo (156) Subscriber Badge on Monday April 22 2019, @10:21PM (#833559) Journal

      Namecoin is shit. From Wikipedia:

      Like bitcoin, it is limited to 21 million coins

      Add to this the insane amount of effort to do the proof of work in advanced stages and you'll get something that will gradually fall into the hands of organizations that can support the cost.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford

  • (Score: 0) by Anonymous Coward on Monday April 22 2019, @09:16PM

    by Anonymous Coward on Monday April 22 2019, @09:16PM (#833526)

    Gee, they seemed to have a decent point but lost it at the end with their anti-semitism. Oh well, maybe next year we can have nice things.

  • (Score: 1) by mmlj4 on Friday May 03 2019, @02:18PM

    by mmlj4 (5451) on Friday May 03 2019, @02:18PM (#838405) Homepage

    There is no need for encrypted DNS, and in fact if DNS data were encrypted none of it would work at all.

    What we do have is signed responses, and any tampering is immediately evident. But not all operating systems and DNS clients (nslookup, for example) support DNSsec.

    --
    Need a Linux consultant [joeykelly.net] in New Orleans?