Verisign Q3 2017 Domain Name Industry Brief: 330.7 Million Domain Names on the Internet in the Third Quarter of 2017
Today, we released the latest issue of the Domain Name Industry Brief, which showed that the third quarter of 2017 closed with approximately 330.7 million domain name registrations across all top-level domains (TLDs), a decrease of approximately 1.2 million domain name registrations as of Sept. 30, 2017.1,2 This is a 0.4. percent decrease over the second quarter of 2017 and a 1.1 percent increase, year over year. 1,2
4 Myths About Using a Branded Email for Business
If you send emails to your customers, it’s not only about what you say in your emails, but what your email address says about you. If you use a generic email like Gmail or Yahoo for your business, it might be time to consider something more professional and specific to your business. For example, what dental practice would you choose to contact, one that uses an email address like info@pearlybrightsmiles.com or toothymike88@gmail.com? It’s probably safe to assume you’d pick the first one. Yet, in 2015, almost half of U.S. small businesses still did not have a company-branded email.1
Here are a few myths about a customized email address that may be holding you back from growing your online brand:
DNS-Based Threats: DNS Reflection and Amplification Attacks
The Domain Name System (DNS), if not properly secured, may be susceptible to abuse by malicious actors. Cybercriminals recognize the value of DNS availability and look for ways to compromise DNS uptime and the DNS servers that support it. As such, DNS becomes an important point of security enforcement and a potential point in the Cyber Kill Chain®1 for many cyber-attacks.
This blog discusses one such threat, DNS reflection and amplification attacks.
Top 10 Trending Keywords in .Com and .Net Registrations in November
With more than 300 million domain names registered globally, there are numerous examples of trending keywords reflected by domain name registrations. We have shown in the past that there is a correlation between domain name registrations and newsworthy and popular events, as well as anticipated trends.
Keeping in the spirit of the zeitgeist that .com and .net domain name registration trends can represent, Verisign publishes this monthly blog post series identifying the top 10 trending .com and .net keywords registered in English during the preceding month.
November 2017 TRENDING KEYWORDS
Here are the top 10 trending keywords registered in November 2017. Any surprises?
Q3 2017 DDoS Trends Report: 29 Percent of Attacks Employed Five or More Attack Types
Verisign just released its Q3 2017 DDoS Trends Report, which represents a unique view into the attack trends unfolding online, through observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of Verisign DDoS Protection Services and security research conducted by Verisign Security Services.
A Framework for Resilient DNS Security: DNS Availability Drives Business
To establish connectivity with other users and devices, almost anything that interfaces with the internet depends on the accuracy, integrity and availability of the Domain Name System (DNS). Most online transactions and data movement are critically dependent on DNS services.
As such, DNS is an important point of security enforcement and a potential point in the Cyber Kill Chain for many cyber-attacks. Organizations are beginning to recognize this and are using DNS security mechanisms as a first line of defense for preventing or mitigating online threats.
Top 10 Trending Keywords in .Com and .Net Registrations in October
With more than 300 million domain names registered globally, there are numerous examples of trending keywords reflected by domain name registrations. We have shown in the past that there is a correlation between domain name registrations and newsworthy and popular events, as well as anticipated trends.
Keeping in the spirit of the zeitgeist that .com and .net domain name registration trends can represent, Verisign publishes this monthly blog post series identifying the top 10 trending .com and .net keywords registered in English during the preceding month.
October 2017 TRENDING KEYWORDS
Here are the top 10 trending keywords registered in October 2017. Any surprises?
Verisign Launches NameStudio to Help Businesses and Individuals Find a Great Domain Name for Their Online Presence
Today, Verisign introduced NameStudioTM, a new easy-to-use domain name brainstorming service designed to enable startups, small businesses and individuals to find great domain names for their business or ideas. The company will showcase the power of this new service at Techweek Los Angeles on Nov. 14-16, 2017.
Top 10 Trending Keywords in .Com and .Net Registrations in September
With more than 300 million domain names registered globally, there are numerous examples of trending keywords reflected by domain name registrations. We have shown in the past that there is a correlation between domain name registrations and newsworthy and popular events, as well as anticipated trends.
Keeping in the spirit of the zeitgeist that .com and .net domain name registration trends can represent, Verisign publishes this monthly blog post series identifying the top 10 trending .com and .net keywords registered in English during the preceding month.
September 2017 TRENDING KEYWORDS
Here are the top 10 trending keywords registered in September 2017. Any surprises?
Root Zone KSK Rollover is Postponed
On Sept. 27, Internet Corporation of Assigned Names and Numbers (ICANN) announced that the first root zone Key Signing Key (KSK) rollover – originally scheduled to take place on Oct. 11 – will be postponed. Although this was certainly a difficult decision, we fully agree that erring on the side of caution is the best approach to take. In this blog post, I want to explain some of the involvement Verisign has had in KSK rollover preparations, as well as some of the recently available research opportunities which generated data that we shared with ICANN related to this decision.
Every Domain Name System Security Extensions (DNSSEC) validator on the internet requires a Trust Anchor. This is a key, or a hash of a key, that corresponds to the root zone KSK(s). Whenever a KSK rollover occurs, validators need to update their trust anchors to include the new key. The design of DNSSEC includes a mechanism, commonly referred to as RFC 5011, whereby validators can automatically update their trust anchors. Because there has never been an operational root KSK rollover, RFC 5011 has never been tested in production. In assessing rollover preparedness, our folks, as well as others, began to identify and work with the community on correcting some implementation and configuration bugs with RFC 5011.
One missing piece, however, was a way to tell whether or not a population of DNSSEC validating resolvers had successfully updated their trust anchors. That’s why, in late 2015, I began writing an Internet Draft that proposed a way for validators to self-report their trust anchor set. This document, titled “Signaling Trust Anchor Knowledge in DNSSEC,” was adopted by the Internet Engineering Task Force’s (IETF) DNS-OPS working group, refined with some co-authors from Google and ICANN, as well as review from the working group, and published in April of this year as RFC 8145.
At the time that the RFC was published, I thought it was probably too late to have any impact on the 2017 KSK rollover, but would certainly be informative for any subsequent rollovers. However, I was pleased to learn that Internet Systems Consortium (ISC) implemented the draft specification of this protocol in their BIND software in mid-2016, and it was slowly being deployed as people updated their software. NLnet Labs also implemented RFC 8145 in their Unbound software in mid 2017, although the feature was not enabled by default.
The “key tag signals” from these validators are sent to the root name servers. Beginning in May, I began looking at the data sent to Verisign’s A-root and J-root in anticipation of the rollover. Figure 1, shows the number of sources sending signals over time. The red bars represent validators reporting only the old KSK. Green represents validators reporting an updated trust anchor set (i.e., both the old and the new KSK). The small amount of yellow areas on the plot represent sources that sent mixed signals.
As shown in the figure, the new KSK was first published in the root zone on July 11. Some signalers already indicated they had an updated trust anchor before then, however, more importantly, many of them had indicated they had not. These are validators that were either updated manually, or perhaps through a software update. There is a dramatic drop in “Not-Updated” signals beginning on Aug. 10, which corresponds to the end of the RFC 5011 “Hold Down Timer,” or 30 days after publication of the new key. This is good evidence that RFC 5011 worked for many validators.
What’s troubling, however, is the lingering amount of “Not-Updated” signals throughout the remainder of August and September. These validators appear to still have only the old KSK and are not accepting the new KSK into their trust anchor set. These represent six to eight percent of the population providing data, a figure we first shared with ICANN in late August. If the rollover was not postponed, these validators using only the old KSK would fail to resolve any domain names on Oct. 11, until their configurations were corrected.
Fortunately, the KSK Rollover Operational Implementation Plan easily accommodates the necessity to back out or postpone the progress of the rollover. The ability to do so was designed from the start and there is no urgent need to change the key from a cryptographic or security operations point of view. Rather than a zone whose key set is signed by the new KSK on Oct. 11, as ICANN has conveyed, we plan to continue publishing the root zone in its current DNSSEC configuration for the next calendar quarter. ICANN DNS expert and VP of Research, Matt Larson, penned a message to the DNS operations community, available here, which provides more information of the KSK Rollover Project from their perspective.
We were pleased with ICANN’s decision to postpone the KSK rollover in light of this data, which provides a known lower-bound of potential breakage that may occur as a result of the planned KSK rollover. We remain committed to working with ICANN and the community to prepare for these important changes, to help better understand why some validators have not updated their trust anchors, and assist in further community and relying party outreach efforts, all towards helping to minimize negative impacts when the KSK rollover occurs.
If you haven’t already done so, we strongly encourage you to take a moment to verify the DNSSEC configuration of your own validating name server. ICANN provides instructions for checking common name server products at https://www.icann.org/dns-resolvers-checking-current-trust-anchors. To remain informed about the rollover schedule, visit https://www.icann.org/resources/pages/ksk-rollover.
