DNS-based Authentication of Named Entities (DANE) is a relevant security solution for deployment in today’s Internet, and it is ready for use. Putting DANE into DNS zones lets authorities extend authentication from DNSSEC data to DNS-reliant services (such as S/MIME and TLS). Verisign Labs researchers are working with the Internet community to develop prototypes and reference implementations, advance standards, and promote awareness of DANE and its full potential to advance secure key learning.
Verisign Labs, along with NLnet Labs, leads community development and promotion of the open source getdns library, which brings DNSSEC and modern DNS features to application developers and end-systems. Watch this presentation to learn the latest on getdns development.
Andy is a Data Scientist within Verisign's Naming organization. His research is currently focused on security and stability threats to the DNS root zone and the impact of emerging global markets on the overall use of domain names.
Verisign Labs is committed to sharing our findings with the broader research community. Our repository makes available our researchers' publications, presentations, and industry standards contributions.
One of the longstanding goals of network security design is to be able to prove that a system – any system – is secure. Designers would like to be able to show that a system, properly implemented and operated, meets its objectives for confidentiality, integrity, availability and other attributes against the variety of threats the system may encounter. A half century into the computing revolution, this goal remains elusive. One reason for the shortcoming is theoretical: Computer scientists have made limited progress in proving lower bounds for the difficulty of solving the specific mathematical problems underlying most of today’s cryptography. Although those problems are widely believed to be hard, there’s no assurance that they must be so – and indeed it turns out that some of them may be quite easy to solve given the availability of a full-scale quantum computer. Another reason is a quite practical one: Even given building blocks that offer a high level of security, designers, as well as implementers, may well put them together in unexpected ways that ultimately undermine the very goals they were supposed to achieve.
As WHOIS Transitions to RDAP, How Do We Avoid the Same Mistakes?
In 1905, philosopher George Santayana famously noted, “Those who cannot remember the past are condemned to repeat it.” When past attempts to resolve a challenge have failed, it makes sense to consider different approaches even if they seem controversial or otherwise at odds with maintaining the status quo. Such is the case with the opportunity to make real progress in addressing the many functional issues associated with WHOIS. We need to think differently.