Everyone in the DNS community agrees that DNS\u2019s security model is woefully outdated. Conceived at a time when there were fewer computers on the Internet than are housed by even today\u2019s smallest data centers, DNS unfortunately has no strong protection against malicious parties hoping to exploit web users. What little protection it does offer is mostly derived from novel uses of non-security features (e.g., UDP source port and transaction ID randomization).<\/p>\n
For more than 15 years, the IETF has been working on DNSSEC, a set of extensions to apply\u00a0digital signatures<\/a>\u00a0to DNS. Millions of dollars in government grants and several reboots from scratch later, DNSSEC is just starting to see real world testing. And that testing is minimal \u2014 only about 400 of the more than 85,000,000 .com domains support DNSSEC, fewer than 20% of US government agencies met their mandated December 31, 2009 deadline for DNSSEC deployment, and only two of the thirteen root zone name servers is testing with even dummy DNSSEC data.<\/p>\n Aside from its lack of adoption, DNSSEC isn\u2019t even a very satisfactory solution. It adds tremendous complexity to an already fragile protocol, significantly increases DNS traffic in size, encourages questionable security practices, and hamstrings many modern uses of DNS.<\/p>\n <\/p>\n So while debate about DNSSEC wears on, we\u2019re excited to announce that OpenDNS has fully adopted another proposed DNS security solution:\u00a0DNSCurve<\/span>.<\/p>\n DNSCurve<\/a>\u00a0is a recent DNS extension proposal that is fully backwards compatible with the existing DNS protocol, uses\u00a0much stronger cryptography<\/a>\u00a0than DNSSEC, and most importantly, is much simpler and much easier to implement and manage. The most significant technical distinction is that DNSSEC uses large and slow per-recordset signatures while DNSCurve uses small and fast per-packet encryption and authentication.<\/p>\n OpenDNS\u2019s DNS resolvers already fully support DNSCurve\u00a0today<\/span>\u00a0and use it whenever possible. Of course, authoritative servers need to be upgraded to support DNSCurve as well, but it\u2019s our hope that this announcement will help to get the ball rolling on DNSCurve adoption. If you\u2019re an authoritative DNS provider and are interested in deploying DNSCurve, we\u2019re interested in hearing from you.<\/p>\n – See more at: http:\/\/blog.opendns.com\/2010\/02\/23\/opendns-dnscurve\/#sthash.6uJ6dhTz.dpuf<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"Details<\/h3>\n
\n