Last week David Conrad of ICANN asked if I could make DSC show the EDNS buffer sizes advertised by clients. This is now available in DSC versions dated after 2008-08-22. Furthermore, the new version is running on the F-root collector nodes.
The breakdown of buffer sizes looked different than I remembered for recent DITL data, so I generated some graphs for the 2006 through 2008 DITL data (F-root nodes) using the same size ranges.
The trend is good news. Back in Jan 2007, 50% of queries did not indicate any EDNS support. 20% had bufsiz=2048, and 30% had bufsiz=4096. Now we have about 65% of queries with bufsiz=4096, while 35% still don't support EDNS.
Submitted by wessels on Mon, 2008-08-25 20:17.
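For the EDNS buffer size breakdown in the post above, the following is an added example (not DSC's code and not from the original post) of how the advertised size can be read from a query: it is carried in the CLASS field of the OPT pseudo-record, and a query with no OPT record has no EDNS support. The helper names and the sample queries are constructed for illustration, and the tally is by exact size rather than by DSC's ranges.

```python
import struct
from collections import Counter

OPT = 41  # RR type of the EDNS0 OPT pseudo-record (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length

def edns_bufsize(msg):
    """Return the advertised EDNS UDP payload size, or None if no OPT RR."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            if rtype == OPT:
                return rclass                      # CLASS field carries bufsize
            off += 10 + rdlen
    except (IndexError, struct.error):
        pass                                       # truncated or malformed message
    return None

def make_query(qname, bufsize=None):
    """Build a constructed A query, optionally with an OPT RR (sample input)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    msg = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 1 if bufsize is not None else 0)
    msg += labels + b"\x00" + struct.pack("!HH", 1, 1)
    if bufsize is not None:
        # Root owner name, TYPE=OPT, CLASS=bufsize, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0, 0)
    return msg

def tally(messages):
    """Count queries per advertised size; key None means no EDNS."""
    return Counter(edns_bufsize(m) for m in messages)

if __name__ == "__main__":
    sample = [make_query("example.com", s) for s in (4096, 4096, 2048, None)]
    print(tally(sample))
```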
CERT and numerous vendors are making a major announcement today regarding a DNS protocol vulnerability that may enable cache poisoning of recursive resolvers. From the CERT page:
We can expect patches from most vendors that will implement randomization of query source ports. According to ISC, source port randomization only increases the difficulty of the attack, but does not entirely prevent it. The best prevention, they say, is to implement DNSSEC.
Here are some vendor announcements:
The vulnerability was discovered by Dan Kaminsky of IOActive.
Submitted by wessels on Tue, 2008-07-08 18:47.
Within a day of ICANN's gTLD announcement, ZDNet reports that a Turkish hacking group has hijacked domain names belonging to IANA and ICANN. Interestingly, only their "alternative" names were hijacked. For example, ICANN.COM and ICANN.NET were, but ICANN.ORG was not. Similarly, IANA.COM was, but IANA.ORG was not. The same group is apparently responsible for other recent high profile domain hijinks as well.
One thing all of the hijacked names have in common is their registrar, Register.com, which was apparently able to fix the problem within about 20 minutes. Let's hope the parties involved are up-front enough to explain what happened.
Submitted by wessels on Sun, 2008-06-29 20:38.
Yesterday, during their meeting in Paris, ICANN announced a change in their policy for adding new generic TLDs to the DNS. Although this change has been planned for a while, I think it caught quite a few of us off guard.
Many details are not available at this time, but it sounds like a new gTLD will cost on the order of $100,000 and we won't be seeing many new ones for another year or so.
Submitted by wessels on Fri, 2008-06-27 17:09.