Multi-Signer DNSSEC Models has just been published as RFC 8901.
The first draft of this document was in March 2018, so it took approximately 2.5 years from start to finish.
I've developed a DANE TLS authentication library in Go recently, which is available on Github:
From the README file:
"Package dane provides a set of functions to perform DANE authentication of a TLS server, with fall back to PKIX authentication if the server does not …
Since I've been trapped at home due to the pandemic and have more free time, I've recently enhanced my command line iterative DNS resolution testing tool, "resolve.py", to fully support DNSSEC validation. It was quite a bit of work, but I'm pleased with the results so far.
The tool …
The Multi-Signer DNSSEC Models draft that I've been working on for the past couple of years has been approved by the IESG (Internet Engineering Steering Group, the overall management arm of the IETF).
The approval announcement can be seen here: https://mailarchive.ietf.org/arch/msg/ietf-announce/F3RtV_72iUvdoAOv_LgN3aeIWx0/.
The document …
The DNS company NS1 today issued a press release on its collaboration with Salesforce (my employer) on the specification and implementation of Multi-Signer DNSSEC, which includes a quotation from me:
This is about a specification I've been working on for a while now, mostly in …
At the recent IETF meeting in Toronto, there was an interesting discussion in the trans working group on DNSSEC certificate transparency, and there is a (very) preliminary IETF draft (that needs a lot more work):
This isn't a new topic. It has been talked …
Some DNS Top Level Domain (TLD) operators publish statistics about their DNS zones. Others have a zone file access program that allows third parties to examine their data and publish statistics. Frederic Cambus (@fcambus on Twitter) maintains a site called statdns ( http://www.statdns.com/ ) that keeps statistics for several …
I'm giving full day tutorials on IPv6 and DNSSEC at the upcoming USENIX LISA conference in Washington DC in November. Matt Simmons interviewed me about both, and you can read the transcripts on the USENIX website:
On a LinkedIn forum, Dan York of the Internet Society recently asked a question about who still uses the ISC DNSSEC Lookaside Validation (DLV) registry. While commenting on the discussion, I decided to take a look at the contents of the registry, and I'm sharing some of my findings in …
There has been a lot of talk recently about DNS amplification attacks (with prominent news reports of high bandwidth attacks targeted at anti-spam services, cloud providers, financial institutions, etc.). These are a class of denial of service attack that use DNS servers to emit large amounts of traffic onto unsuspecting …
DNSSEC is a system to verify the authenticity of DNS data using public key signatures. With increasing deployment of DNSSEC comes the possibility of applications using the DNS to store and retrieve TLS/SSL certificates in an authenticated manner, possibly obviating the need for public/global certification authorities (CA …
I've been working on a DNS and DNSSEC monitoring project, which is available at
It looks at externally visible features of the authoritative DNS service at a selected set of institutions. The original version monitored the roughly 200 members of Internet2. It was mostly …
I'm teaching two half day classes on IPv6 and DNS/DNSSEC at the LOPSA PICC conference (Professional IT Community Conference), being held May 11-12, 2012 in New Brunswick, NJ. This is a regional IT and system administration conference run by the New Jersey chapter of the League of Professional System …