Archive for 'Infrastructure' Category
DNS security talk
I spoke on DNS security at the March 16 meeting of the Ottawa Area Security Klatch (OASK). This was an updated version of my famous “Seven Deadliest Sins” talk, intended for a technical audience. The slides with speaker's notes are here: DNS Security: The Seven Deadliest Sins. OASK is a new security group in Ottawa. It’s [...]
DNS root zone getting DNSSEC
The root zone for the Internet Domain Name System will finally implement DNSSEC. This follows the commitment last year from the folks running the .org top-level domain to implement DNSSEC for all .org domains. This is an important move to mitigate the worst vulnerabilities in DNS. As I presented recently, design flaws in the DNS [...]
DNS security: The seven deadliest sins
Soon it will be the one-year anniversary of the release of Dan Kaminsky’s fun little DNS security flaw. In honor (?) of that, I gave a quick presentation last week to the Ottawa CitySec group on Domain Name System security. Since the Kaminsky issue has been pretty well covered, I focused on all [...]
The coming IPv6 security disaster
Last week ARIN (the group that hands out IP addresses for the U.S., Canada and most Caribbean nations) sent a letter [pdf] to organizations stating that IPv4 IP addresses will be depleted in two years. ARIN is encouraging everyone to prepare their infrastructure for it now. Will IPv6 adoption be a disaster for information security? [...]
Securing DNS with a validating resolver
Few ISPs and web hosting providers pay attention to their DNS servers. Most use the same servers both to serve the domains they host and to perform name resolution (translating DNS names to IP addresses and vice versa). Many also allow recursive queries from anyone on the Internet, making DNS spoofing much easier. We’ve had [...]