Deploy360 Domain Name System Security Extensions (DNSSEC)

Congrats to PowerDNS Team On Their Merger With Open-Xchange

Congratulations to Bert Hubert and the rest of the PowerDNS team on their merger with Open-Xchange that was announced yesterday.  We’ve written about PowerDNS a number of times, include it on the list of DNS servers supporting DNSSEC and also include a pointer to the “unofficial” DNSSEC statistics Bert has been maintaining for a number of ccTLDs.

They’ve been doing great work to make DNSSEC easier to deploy and it’s great to see them now have better financial stability.

The Register had a good piece by David Meyer that put this merger into a larger context of Open-Xchange’s plans and included the mention that the team behind the Dovecot open source mail server has also been brought into Open-Xchange.

Congrats to Bert and the team and we hope this new arrangement works well for them and enables them to continue their work helping make the Internet more secure!


DNS Security Advisories Out Today For BIND, PowerDNS and Unbound – Time To Upgrade!

While this has nothing to do specifically with the topic of DNSSEC that we cover here on Deploy360, there is important news in the broader world of “DNS security”.  The vendors of three of the major DNS recursive resolvers today released security advisories about a particularly nasty bug where the resolver can be tricked into trying to follow essentially an infinite loop and wind up exhausting all resources and potentially shutting down.  The advisories from BIND, PowerDNS and Unbound are found at these links:

The advisories from both PowerDNS and Unbound indicate that this bug would be difficult for an attacker to exploit unless they were within the user base of the recursive resolver.  The BIND advisory is more open-ended and indicates the bug could be exploited remotely.

In all cases the easiest solution is to upgrade to the newest versions:

While there are apparently no known exploits of the bug in the wild yet, that will now only be a matter of time.  It would be best to upgrade your recursive resolvers as soon as possible.

P.S. While you are in there updating your DNS resolver, if you are using BIND or Unbound, why not enable DNSSEC validation?  It’s a simple change in the configuration file, as shown in this SURFnet white paper.