Rewarding Research: A Better Connected World, Name Collisions and Beyond
It’s a privilege for Verisign to welcome this week the recipients of our 2012 Internet Infrastructure Grant program, who will be presenting the results of research their teams have conducted over the past year and a half. The results will be the focus of our fourth and final Verisign Labs Distinguished Speaker Series event for the year.
The event will open with a keynote talk by Prof. Ellen Zegura of Georgia Tech (United States), who will give an overview of the field these two projects explore, “Intermittent and Low-Resource Networks: Theory and Practice.” It’s an honor to have Prof. Zegura with us to describe both the academic and hands-on work she’s conducted in this important area.
4 Reasons Your Small Business Needs an Online Presence
Guest Post from Ramon Ray – Smallbiztechnology
For any company doing business today, a website is far more than a way to promote products and services. With a consumer market that heavily relies on the internet for everything from directions to reviews, any small business that has not yet set up an online presence could be missing out on a gold mine of potential customers. In fact, Shop.org projects online holiday sales to increase between 13 and 15 percent to as much as $82 billion during the months of November and December this year, and the U.S. Commerce Department reported that final Q4 (October – December) e-commerce sales in 2012 increased 15.7 percent.
Pioneering Technologies for the Long Term
We recently hosted Dr. Ralph Merkle as a guest speaker for the Verisign Labs Distinguished Speaker Series. His talk, “Quantum Computers and Public-Key Cryptosystems,” was a great presentation on how molecular nanotechnology — the ability to economically manufacture most arrangements of atoms permitted by physical law — could fundamentally alter the world as we know it. Ralph’s and many others’ research on this topic has been groundbreaking and we are grateful he took the time to come and share his knowledge.
Part 4 of 4 – Conclusion: SLD Blocking Is Too Risky without TLD Rollback
ICANN’s second-level domain (SLD) blocking proposal includes a provision that a party may demonstrate that an SLD not in the initial sample set could cause “severe harm,” and that SLD can potentially be blocked for a certain period of time. The extent to which that provision would need to be exercised remains to be determined. However, given the concerns outlined in Part 2 and Part 3 of this series, it seems likely that there could be many additions (and deletions!) from the blocked list given the lack of correlation between the DITL data and actual at-risk queries.
vBSDcon: Builders and Archaeologists
Fascinating tour of C compiler evolution by David Chisnall http://vrsn.cc/1dUb5rY @Verisign‘s #vBSDcon. Compatible with DOS or VAX?
— Burt Kaliski Jr. (@modulomathy) October 26, 2013
I began my journey into computer science as a high school freshman coding on a TI-59 calculator. Later in my high school years, I wrote computer chess games on a PDP-11/34 minicomputer in BASIC and, for speed, in assembly language. I might have contributed inadvertently to the Y2K problem with some FORTRAN and COBOL programs I wrote in the early 1980s. In college, I learned LISP and CLU on a MULTICS operating system, and had a part-time job where I programmed on a VAX-11/750. But eventually I did get around to coding in C on a Unix box.
So this is a little more information than 140 characters would allow, which may explain why I found David Chisnall’s opening talk at the recent vBSDcon so fascinating. DOS and VAX are to computer professionals what the classics are to the liberal arts: our Iliad and Odyssey. And C and Unix, in their various forms, are the living languages that preserve the connection to the early days – the contemporary variants of Koine Greek. The art of building C compilers as well as operating systems continues to advance skillfully.
Part 1 of 4 – Introduction: ICANN’s Alternative Path to Delegation
As widely discussed recently, observed within the ICANN community several years ago, and anticipated in the broader technical community even earlier, the introduction of a new generic top-level domain (gTLD) at the global DNS root could result in name collisions with previously installed systems. Such systems sometimes send queries to the global DNS with domain name suffixes that, under reasonable assumptions at the time the systems were designed, may not have been expected to be delegated as gTLDs. The introduction of a new gTLD may conflict with those assumptions, such that the newly delegated gTLD collides with a domain name suffix in use within an internal name space, or one that is appended to a domain name as a result of search-list processing.
Verisign to Issue New Domain Name Industry Brief Beginning in 2014
Today, Verisign announced that we are updating the Domain Name Industry Brief (DNIB) and a new version of the DNIB is expected to be released in the first quarter of 2014.
With the internet continuing to evolve in new ways, we have been evaluating how best to align the DNIB with that evolution so it better addresses the interests of our readers and expands the scope of the trends we’re tracking. We remain committed to continuing to provide informative content on the latest industry trends that are most relevant to our readers.
Part 3 of 4 – Name Collision Mitigation Requires Qualitative Analysis
As discussed in the several studies on name collisions published to date, determining which queries are at risk, and thus how to mitigate the risk, requires qualitative analysis (New gTLD Security and Stability Considerations; New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis; Name Collisions in the DNS). Blocking a second level domain (SLD) simply on the basis that it was queried for in a past sample set runs a significant risk of false positives. SLDs that could have been delegated safely may be excluded on quantitative evidence alone, limiting the value of the new gTLD until the status of the SLD can be proven otherwise.
Similarly, not blocking an SLD on the basis that it was not queried for in a past sample set runs a comparable risk of false negatives.
A better way to deal with the risk is to treat not the symptoms but the underlying problem: that queries are being made by installed systems (or internal certificates are being employed by them) under the assumption that certain gTLDs won’t be delegated.
How Financial Institutions Can Up Their Game Against DDoS Attacks
With the ease of access to the internet and prevalence of social media today, unsuspecting computer users are making it easier than ever for malicious actors to target them with malcode. This trend has helped provide the perfect environment for Distributed Denial of Service (DDoS) attacks to grow in size, complexity and range of targets. Today’s attacks are not limited to web infrastructure; attackers are increasingly targeting the Domain Name System (DNS) infrastructure as well. This trend has been particularly noticeable in the financial industry, which has been hit hard over the last year.
Part 2 of 4 – DITL Data Isn’t Statistically Valid for This Purpose
For several years, DNS-OARC has been collecting DNS query data “from busy and interesting DNS name servers” as part of an annual “Day-in-the-Life” (DITL) effort (an effort originated by CAIDA in 2002) that I discussed in the first blog post in this series. DNS-OARC currently offers eight such data sets, covering the queries to many but not all of the 13 DNS root servers (and some non-root data) over a two-day period or longer each year from 2006 to present. With tens of billions of queries, the data sets provide researchers with a broad base of information about how the world is interacting with the global DNS as seen from the perspective of root and other name server operators.
In order for second-level domain (SLD) blocking to mitigate the risk of name collisions for a given gTLD, it must be the case that the SLDs associated with at-risk queries occur with sufficient frequency and geographical distribution to be captured in the DITL data sets with high probability. Because it is a purely quantitative countermeasure, based only on the occurrence of a query, not the context around it, SLD blocking does not offer a model for distinguishing at-risk queries from queries that are not at risk. Consequently, SLD blocking must make a stronger assumption to be effective: that any queries involving a given SLD occur with sufficient frequency and geographical distribution to be captured with high probability.
Put another way, the DITL data set – limited in time to an annual two-day period and in space to the name servers that participate in the DITL study – offers only a sample of the queries from installed systems, not statistically significant evidence of their behavior and of which at-risk queries are actually occurring.