Changing Internet Standards to Build A Secure Internet

We’ve been working with registrars and registries in the IETF on making DNSSEC easier for domain owners, and over the next two weeks we’ll be starting out by enabling DNSSEC automatically for .dk domains. DNSSEC: A Primer Before we get into the details of how we’ve improved the DNSSEC experience, Continue Reading

The Analysis of ISC BIND Response Authority Section RRSIG Missing DoS (CVE-2016-9444)

Domain Name System Security Extensions (DNSSEC) secures the Domain Name System (DNS), right? Yes, but that’s not the whole story. DNSSEC can also introduce troubles into your DNS server. Recently, a BIND bug caused by a missing RRSIG record, which is a part of DNSSEC, was fixed by a patch Continue Reading

Economical With The Truth: Making DNSSEC Answers Cheap

We launched DNSSEC late last year and are already signing 56.9 billion DNS record sets per day. At this scale, we care a great deal about compute cost. One of the ways we save CPU cycles is our unique implementation of negative answers in DNSSEC. CC BY-SA 2.0 image by Continue Reading

Reverse DNS failing for 65.0.0.0/8

There appears to be a DNSSEC issue with reverse DNS records on 65.0.0.0/8, so if your IP lands in this range (65.0.0.0-65.255.255.255), you’re probably going to find yourself unable to send much email today. The issue is DNSSEC related, so this will only impact receivers who use DNSSEC resolvers, but Continue Reading