Today, we at Rackspace launched an ambitious project called OpenStack that aims to make this new world a reality.

I want to lay out the thinking that got us here and why we think this moment will change computing forever.

“The cloud” at its most fundamental level is all about a massive supply increase in computing power. The PC era was all about putting a computer on every desk. The cloud era goes a step further, putting the power of supercomputing at the literal fingertips of every individual at anytime. Whether it’s enabling a youth soccer coach to schedule practice across the online calendars of 18 families, or helping a scientist fold proteins to design new cancer drugs, or encouraging a frontline employee to instantly and cheaply test a new marketing campaign, the exponential growth in computing power and applications is changing every corner of our economy and society. And, this era is truly just beginning. We have seen only a tiny fraction of the potential gains that arise from cheap, ubiquitous computing power.

As this landscape has evolved, some have dismissed cloud computing as just a return to the mainframe era. This view is fundamentally wrong. Mainframes were available to only the smartest employees at the richest companies. The cloud is accessible to all, and usable by anyone, at low cost. Its ubiquity is the source of its power.

However, there is one area where mainframe concepts are intruding into the cloud – the vertically integrated technology stack. As hardware and software merge into services, the danger of locked down proprietary software stacks are emerging in the cloud space. The cloud world changes everything, and that is not good to many entrenched interests of the old guard. Core technologies from operating systems to hypervisors to databases are being used to tie cloud customers into an integrated view of the world.

If the web has taught us anything, it is that open systems, portability, and choice drive innovation. The open Linux system brought us a mountain of software and tools to help accomplish almost any task. And, each component, whether a database or a widget could be moved in and out freely based on the job getting done.

We at Rackspace have long talked about an “open” cloud. And as a service provider built on our Fanatical Support difference, we have never had an interest in creating technical walls around our service. But, given that no standards tools have emerged to build massively scalable clouds, we too have had to build custom software that creates some level of wall around our cloud offerings. For months we have debated how to drive greater standards and increase the velocity of cloud technologies in general. We finally converged on the obvious answer: open source our cloud technology.

Today, we announced a new open source project that includes those core technologies: OpenStack. And, we are not alone. As we looked at all the projects that already existed to drive standards we saw that other efforts were underway that complemented what we have done. We saw a ton of promise in the Nebula computing project built by NASA and are making it a core part of the project. Taking the contributions of Rackspace and NASA as a starting point, OpenStack forms a powerful foundation of technologies including, a scalable compute provisioning engine – OpenStack Compute – and a fully distributed storage engine – OpenStack Object Storage.

The community, which we plan to actively support and drive, is live today at openstack.org with code available for download.

Last week we assembled a strong group of cloud community leaders and developers to meet and review the architecture, engage on technology direction and contribute code. The effort attracted more than 100 participants from 25 companies including hosting companies, telecom providers, hardware manufacturers, cloud ecosystem companies and beyond. This enthusiasm and collaboration around OpenStack has laid the foundation for a vibrant and innovative approach to building the core software to power the future cloud world.

What do we expect OpenStack to mean for the cloud community? Some pretty major things. One, anyone will be able to run this cloud and do it anywhere. Enterprises and governments will be able to build private clouds. Service providers will have the same technology used by Rackspace and NASA to build new offers. Choice and portability are inevitable in this world. Two, the whole tech ecosystem can build around this foundation. With wide adoption, there will be a market for new services all around this core engine. From storage systems to monitoring tools to management systems, there is no end to what can be attached to the core project. Three, the cloud will advance faster than ever. Between just NASA and Rackspace, an army of developers are committed to the continued advancement of OpenStack. With our emerging supporters in the project, we expect to dramatically expand that army. Finally, a core set of standards will be freely available and totally open. New technologies can be attached. Better solutions will be driven into the product. And, the use of this powerful technology will not tie you to the use of any other technologies.

For our customers, we think there are many benefits that flow from these community gains. Not only will this help our offers develop faster and more transparently, but our customers can run private editions of our core systems in house or in our managed hosting operation.

We could not be more excited about the launch of this project and the enthusiasm around it. As a company that has invested a great deal in the development of cloud technologies, we did not take the decision to open source lightly. We think this decision will serve our interests and those of our customers. While we at Rackspace hire top developers and engineers to make sure our technology is second to none, seeking a technology advantage has never been our approach. We have our own vision about how to deploy this technology and serve customers – by giving them seamless access to scalable computing with the trusting partnership that comes through Fanatical Support. But, there will be many approaches and winning formulas. We think by welcoming those approaches and driving standards and more rapid innovation we will all win.

We hope you join us in this cause. We know there are many parties who might want to join us in the effort, please reach out to us.

We look forward to updating you as we make progress.

Source

This key ceremony is one of the final steps in the deployment of DNS Security Extensions (DNSSEC) on the Internet’s root zone. DNSSEC is an emerging Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

“The key ceremony will generate the master root key, the key that signs all the other keys,” explains Ken Silva, CTO of VeriSign, which operates two of the Internet’s 13 root servers along with the back-end systems that power the .com and .net top-level domains. “This is being done a month before the actual roll-out of DNSSEC so that we have a valid key and that we can test with it.”

DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is widely deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

Today’s key ceremony is being hosted by the Internet Corporation for Assigned Names and Numbers (ICANN) in a secure data center in Culpeper, Va., outside of Washington, D.C. A similar key ceremony will take place in Los Angeles in early July.

The key ceremony will demonstrate the set of procedures that the Internet engineering community has created to generate and store keys for the root zone in a secure way. Attendees will include ICANN staff and DNS experts from around the world. The key generation and storage process will be audited.

“People from all over the world will be part of the process of creating the key for the top level of the DNS,” explains Steve Crocker, an Internet security expert and CEO of Shinkuro. “They will witness and be able to report that the proper procedure was carried fairly and scrupulously.”

The two key ceremonies are among the last steps before production-scale deployment of DNSSEC on the root zone, which is scheduled for July 15.

Between now and July 15, the root server operators will conduct additional testing of DNSSEC.

“We’re testing as many possible corner cases that we can imagine,” Silva says. “We’re trying to test every permutation of key sizes, key roll-over, key expiration and all those kinds of issues. We’re testing to see how the system responds and whether our monitors and detection can catch those sorts of things.”

Silva says the testing is going well, thanks to new monitoring capabilities that were added to the root servers.

“We’ve very pleased with the additional monitors that we put in the root infrastructure,” Silva says. “There are a lot more parts in the root zone now. We have keys in there. We have trust anchors in there. There’s a lot of new material in the root zone, and the traditional monitors were making sure that names were consistent and the syntax was right. Now we have additional information, so we’ve expanded the monitors to look for expired keys, invalid keys, keys that have not been properly signed and all of those kinds of things.”

Kaminsky bug drives DNSSEC
DNSSEC has gained a groundswell of support since the Kaminsky bug was discovered in 2008.

A handful of countries — including Sweden, the Czech Republic, Puerto Rico, Bulgaria and Brazil — already support DNSSEC on their country-code domains as does the .org domain for non-profit organizations.

The U.S. federal government is in the midst of deploying DNSSEC on the .gov domain. Next up are .edu, which will be cryptographically signed in July, followed by .net in November and .com in March 2011, VeriSign said. Once the root zone is signed, top-level domains that support DNSSEC can offer end-to-end security to their Web site operators.

“We expect a flurry of activity as people in Sweden, Brazil and other countries deploy DNSSEC,” Silva says. He adds that as much as 50% of DNS queries can support the DNSSEC standard due to default settings on popular DNS software.
So far, Internet security experts have seen no technical roadblocks to the deployment of DNSSEC from the root servers on down.

“It’s been pretty smooth,” Crocker says of the DNSSEC roll-out on the root servers. “I haven’t heard of any issues” that would delay deployment of DNSSEC on .com or .net.

Source

Dozens of Cloud Camps have been held all over the world since the first in Indianapolis, Ind. 18 months ago. They’re billed as an “unconference” where most of the content comes from the participants themselves.

Wednesday night’s event began with “lightning round” five-minute presentations from several cloud computing experts. Kicking off the festivities was Bob McDonough, cloud computing lead architect from the Michigan Department of Technology, Management and Budget.

McDonough said the state excels at offering high-performance, highly available services — but also at a high cost. It’s looking at cloud computing for other applications where there’s a “good enough” service option, and to eliminate rogue cloudsourcing.

Why cloud computing? Simple, McDonough said — “Humans cost money.” Also, he said, it improves the state IT workplace to remove routine scut work from employees and give it to machines, reserving for humans work that is challenging and satisfying. Cloud applications are also fast and easy to deliver.

David Giard of Sogeti gave a brief overview of Microsoft’s Azure cloud application delivery system.

He said cloud computing makes sense financially, because you only pay for what you use, and from a flexibility standpoint, because applications can be rapidly scaled up in giant data centers if there’s a surge in demand — and dialed down just as quickly.

Cheng-Zhong Xu of Wayne State University’s cloud and Internet computing lab gave a presentation on the rising complexity of managing cloud computing, but said virtualization and the ever increasing power of data centers will help.

John Willis of Opscale spoke on the idea of treating an operations infrastructure as if it was code, while Kevin Dangoor of Mozilla Labs presented on Bespin, a Web site that’s a code development environment — essentially you can write your applications anywhere you can get Internet access, easing collaboration. Check it out at http://bespin.mozillalabs.com.

Finally, Compuware demonstrated a very cool application called Cloud Sleuth that measures Web speeds, a key ingredient in the success of Web-offered cloud applications. Research shows any response lag of any online application of more than four seconds frustrates users and costs its owner revenue.

You can put your own cloud applications to the test at http://www.cloudsleuth.net.

The event then continued with an “unpanel.” Leaders asked the crowd who considered themselves a cloud expert — four people raised their hands and were immediately dragooned into serving on the panel. Then the crowd was solicited for 10 questions for the unpanel.

The event was to conclude with breakout sessions on topics created by the crowd at the time, followed by networking.

More at http://www.cloudcamp.org/.

Source

Someone had grabbed Lamo’s backpack containing the prescription anti-depressants he’d been on since 2004, the year he pleaded guilty to hacking The New York Times. He wanted his medication back. But when the police arrived at the Safeway parking lot it was Lamo, not the missing backpack, that interested them. Something about his halting, monotone speech, perhaps slowed by his medication, got the officers’ attention.

An ambulance arrived. “After a few moments of conversation, they just kind of exchanged a look and told me to get on the stretcher,” says Lamo.

Thus began Lamo’s journey through California’s mental health system — and self discovery. He was transported to a local emergency room and put under guard, and then transferred to the Woodland Memorial Hospital near Sacramento, where he was placed on a 72-hour involuntary psychiatric hold under a state law allowing the temporary forced hospitalization of those judged dangerous or unable to care for themselves. As the staff evaluated him and adjusted his medication, a judicial officer extended his stay, and three days became nine.

When Lamo was finally discharged to his parents’ house on May 7, he left the hospital with a new diagnosis. At 29 years old Lamo learned he has Asperger’s Disorder.

Source

FBI CIO Chad Fulgham last week outlined the agency’s IT strategy and progress in an interview with InformationWeek at the agency’s Washington, D.C., headquarters. It was the first time that Fulgham has given an overview of the agency’s IT initiatives since he joined the FBI in December 2008, after working as an IT executive in the private sector for Lehman Bros., IBM, and JPMorgan Chase.

As a first step, Fulgham last year reorganized the FBI’s Information and Technology Branch to make it more “business aligned and services oriented.” The IT Branch is comprised of a Management Division of program and project managers that work closely with the agency’s other departments, an Engineering Division that operates the FBI’s various networks, and an IT Services Division that manages everything from 26,000 BlackBerrys to the agency’s data centers.

Last August, the FBI hired a chief marketing officer, Stephanie Derrig, charged with bringing a more common look and feel to its various enterprise applications and facilitating uptake of those apps by agency employees. The IT Branch has created an internal portal, based on Microsoft’s SharePoint, with a page for every new product and service it offers.

The FBI has replaced its ATM/Frame Relay network with a new Cisco-based IP infrastructure that utilizes Multiprotocol Label Switching for higher performance. The new net, dubbed Next Generation Network, serves as a backbone for three FBI networks — the unclassified UNet, classified FBINet, and top secret SCION network — and extends to some 800 FBI locations. The network provides 45 times as much backbone capacity as the one it replaced, as well as doubling access speed at network endpoints.

The network replacement was a necessary precursor to the introduction of upgraded PCs that bring a range of new tools and capabilities to FBI special agents and other employees. The configuration of the FBI’s so-called Next Generation Workstation comprises Office 2007 and Windows XP running on a Dell PC with dual-core processor. As a cost saving measure, the FBI upgraded existing PCs with new hardware where possible.

The Next Generation Workstation brings instant messaging, file transfer, voice over IP, desktop video teleconferencing, presence technology, and Web collaboration to employees who, until now, have gotten by primarily with e-mail, phone service, and standard desktop productivity apps. The new workstations include 24-inch flat screen monitors, video cams, speakers, and headsets. Avocent KVM switches support toggling between classified and unclassified networks.

Fulgham described Next Generation Network and Next Generation Workstation as generational leaps in technology for the agency. The desktop environment is being rolled out initially to the agency’s 56 field offices, in what Fulgham said is a philosophical shift toward putting new tech tools first into the hands of employees in the field. The workstation rollout to field offices began last December and is scheduled for completion in July.

In other advances, the FBI is deploying a new identity management system based on Oracle’s Identity Manager; it’s replacing a bevy of management tools with systems management software from Hewlett-Packard and BigFix; and it’s introducing Cisco NAC (Network Admission Control) in lieu of internally developed network security. Fulgham said he prefers to use commercial software where possible for its built-in integration capabilities and ease of deployment. The FBI will use SharePoint 2010 to create a social networking environment on FBINet.

Fulgham also gave a status report on Sentinel, a $425 million project to replace the agency’s outdated case-management system with a new digital system that incorporates technologies from Adobe, EMC, IBM, Microsoft, and Oracle. In March, the Inspector General for the Department of Justice released a report warning that Sentinel, originally due for completion in 2009 and already behind schedule, was at risk of further delays and cost overruns.

Lockheed Martin is the primary contractor on Sentinel. In response to the Inspector General report, the FBI said it had advised Lockheed Martin to partially stop work on the project and that a new schedule for completing the four-phase project would be forthcoming. FBI director Robert Mueller, in testimony to a Congressional subcommittee last month, characterized the delays to Sentinel as minor and said he was “cautiously optimistic” that Phase 2 would be completed this summer. Mueller said he now expects Sentinel to be completed in 2011.

The FBI has yet to issue a revised time line for Sentinel’s next two phases, but Fulgham said the agency’s Critical Incident Response Group has begun pilot testing Sentinel’s current capabilities. Those capabilities automate about a third of the paperwork and processes associated with the FBI’s current case-management system, Fulgham said. Over the next two weeks, Sentinel pilot testing will be extended to the FBI’s branch office in Richmond, Va., followed by its Tampa office.

Source

Predictions name 9 September 2011 as the date on which the last of those tranches is released for net firms and others to use.

Everything connected to the net needs an “IP address” to ensure data reaches the right person or device.

Experts say that the net’s entire existing address space will be exhausted about a year after that date.

A newer scheme is being rolled out but many firms and countries are being slow to switch, experts warn.

Small pool
The net is built around version four of the Internet Protocol addressing scheme (IPv4) which has space for about four billion addresses. Its successor – IPv6 – has trillions available.

The continued growth of the net is tied to this pool of addresses.

While four billion was enough in the 1970s when the net was being set up, the growth of the world wide web is rapidly depleting this store.

The growth of the web has meant that only about 7% of these addresses, roughly 300 million, are left to allocate. This entire pool is expected to be depleted in April 2012.

In early May, the Internet Assigned Numbers Authority (IANA), which oversees the net address space, handed over two of the big chunks of remaining addresses.

The removal of these 17 million addresses from the global pool meant that the date on which there will be no more big chunks left jumped forward.

“This whole business of forecasting depletion involves a little bit of reading the tea leaves,” said Axel Pawlik, managing director of Ripe NCC, which hands out IP addresses in Europe.

“Ten years ago we said it would happen far in the future,” said Mr Pawlick. “Now we are all running around with iPhones, we’re in that future.”

While the cut off date is 18 months away, some fear it will shrink as the pace at which addresses get used speeds up. Throughout the whole of 2009, IANA handed out eight of the big blocks of IPv4 addresses. In the first 100 days of 2010, it has handed out six.

Early planning
Trefor Davies, chief technology officer at business ISP Timico, said rationing of the remaining IPv4 addresses was already under way.

“You cannot just ask for more IP addresses,” he said. “You have to prove you need them.”

“The registries will not let you have more until your reserves reach a certain threshold,” he said.

While IPv4 and IPv6 can live alongside each other, anecdotal evidence suggests it is not a trouble-free union, said Mr Davies.

The process of translating one address into the format of another introduces a significant delay.

Unless more ISPs and others start to adopt IPv6 those delays could start to hit general web browsing, fears Mr Davies.

“It adds quite a lot of latency onto people accessing your network because it has to go through network address translation,” he said.

Mr Pawlick from Ripe said it had seen significant growth in requests for IPv6 addresses over the last few months.

“What we are not seeing yet is those IPv6 addresses being used on the internet,” he said.

IPv6 tracking services suggest that less than 1% of the net’s top one million websites run IPv6. Another statistic suggests that only 6% of the networks that form the net use IPv6. China is one of the biggest users of the new addressing scheme.

Companies are being urged to get working with IPv6 now, to forestall any problems caused by the shortfall.

“The key thing to focus on is the opportunities IPv6 brings your business before IPv4 runs out,” said Simon McCalla, director of IT at Nominet, which oversees the .uk domain.

Source

Scott Charney, vice president of Microsoft’s Trustworthy Computing Group, spoke at the Worldwide Cybersecurity Summit in Dallas last week and said there needs to be a distinction between cybercriminals merely stealing money and cyberwar, possibly conducted by nation-states, that is aimed at crippling a target in another country, such as a power grid or an oil pipeline.

An Associated Press report on the conference, which was picked up by the Seattle Post-Intelligencer newspaper, quotes Charney as saying that international treaties designed to fight cyberwar are difficult to establish because of the murky nature of what “cyberwar” is.

The United Nations last month rejected a Russian proposal for a new cybercrime treaty, leaving in place a 2001 treaty that Russia opposes because it gives foreign governments too much leeway to pursue cybercriminals across borders.

“Lots of times, there’s confusion in these treaty negotiations because of lack of clarity about which problems they’re trying to solve,” Charney said.

In a paper that accompanied his talk, Charney also wrote that if the concern is that countries need to brace for a cybersecurity “Pearl Harbor,” that it needs to be made clear on what type of attacks governments can respond. “If the concern is an electronic Pearl Harbor, perhaps part of the response is an electronic `Geneva Convention’ that protects the rights of noncombatants.”

The notion of an electronic Pearl Harbor has come up before on this blog. I wrote about it after attending the RSA Conference 2010 in San Francisco in March. There a panel of cybersecurity experts warned that a cyberattack could occur that could cripple U.S. infrastructure if we’re not prepared for it.

Richard Clarke, a national security advisor to the previous three U.S. presidents, also proposed a cyber security treaty, but lumped together criminal cyber attacks and state-sponsored attacks.

“You could have an international treaty that puts an obligation on every country to police its own cyberspace,” he said. It wouldn’t matter if a foreign government launched an attack or whether individual criminals did, he said; if it was traced to their country, they’d have to do something about it.

I think that’s where the murkiness problem comes in. Charney says the confusion occurs when we lump together criminal activity and government sanctioned — or at least condoned — cyberwar, including possible terrorism.

I think a government or military response to a cyber threat should be reserved for attacks on infrastructure (taking down an electrical grid by a computer is the same as bombing the transmission towers) and on attacks by nations against others and a treaty to establish the rules of engagement is warranted. But responses to criminal cyber attacks should be left to law enforcement agencies and, in fact, in those instances, cooperation agreements between law enforcement organizations in each country would be beneficial as well.

Source

There have been no reports of any problems in the immediate aftermath of VeriSign’s J root server starting to serve DNSSEC signatures. Experts at the 60th RIPE meeting in Prague were almost unanimous in predicting a glitch-free switchover, following the successful switchovers of the other 12 root servers in recent months. The only apocalyptic note was sounded by a countdown to the demise of the unsigned root zone.

Yesterday’s changeover does mean the .root zone is now dead. VeriSign, which operated the master server for the root zone, has for several years used a single entry under .root, that served the purpose of checking that the bulky root zone had been transferred. According to Jaap Akkerhuis, a DNS expert at nl.netLabs, the creation of the .root entry was prompted by a complete outage of the .com zone following a data transfer error. Rigid DNSSEC procedures render this trick for root servers operated by VeriSign and the Internet Corporation for Assigned Names and Numbers (ICANN) obsolete.

There will also be a key ceremony in June, involving 21 volunteer ‘crypto officers’ and ‘recovery key share holders’. The 14 crypto officers must travel to the ceremony in two groups in order to authorise the generation of new zone signing keys for VeriSign operation using the ICANN master key. ICANN employee Rick Lamb reports that there were 61 applications for these posts, which, in addition to being voluntary, entail significant expense. Key holders must pay their own travel costs and are not compensated for lost working time. Tight budgets at ICANN may be one reason it has chosen to offload these costs.

As a result, only four candidates were forthcoming from Africa and only five from Latin America. Asia managed to put up 10 candidates, European and US businesses and organisations 20 each. Lamb adds that ICANN is now considering whether there should be fewer US officers and more from other countries to make up for the fact that all keys will be generated exclusively at two sites in the US. In the opinion of many RIPE experts, a non-US location is essential.

Daniel Karrenberg, Chief Scientist at RIPE 60 in Prague, asked Lamb if the US administration was blocking changes to the list of candidates, to which Lamb replied, “Block is a strong word.” According to Lamb, a third location is currently under discussion. For example, Sweden, which has signed its .se zone for many years and operates one of the 13 root servers, would be a logical source of potential candidates. “Imagine what would happen if US airspace was shut down by something like the recent incident in Iceland or a terror alert,” said Jim Reid, head of the DNS working group at RIPE. Without the correctly signed key material delivered on schedule, things could get pretty gloomy in the DNS.

Source

That was essentially the question Unisys asked 120 enterprise users in an online poll in an effort to determine what they thought about the risks of moving their various applications to the cloud.

A total of 46% of the respondents said they would start moving applications to the cloud with development/test and support workloads. Another 22% cited disaster recovery — an important app but one that’s not considered mission critical — and said they would start the shift to cloud computing with it. An additional 17% said they would move quality assurance and pre-production systems before shifting other apps to the cloud.

In sharp contrast, core production workloads like enterprise requirements planning were cited by just 15% of the respondents, who cited those mission critical apps as candidates for early shifting to the cloud.

“(The respondents) are skeptical that the cloud infrastructure used by commodity providers can stand up to the stringent service levels that enterprise workloads require,” said Colin Lacey, Unisys VP of solutions and services, in a statement. “Plus, they are often concerned about entrusting those applications to a third party without assurance that the data could be kept secure.”

Noting that the poll respondents valued cloud computing, Lacey said the poll results showed enterprise users are still reluctant to give up control of their complex applications and sensitive information. The enterprise users also believe that cost management and operational efficiency of their IT operations can be improved by cloud computing, Lacey added.

The poll was followed up with a pitch for Unisys Secure Cloud Solution, which the firm said safeguards operations and lowers IT costs for enterprise users moving applications to the cloud.

Source

While the vast majority of users are expected to endure the transition to DNSSEC smoothly, users behind badly designed or poorly configured firewalls, or those subscribing to dodgy ISPs could find themselves effectively disconnected.

DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

The standard is currently being rolled out cautiously to the internet’s DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won’t be able to find websites or send email.

Why? Here comes the science bit. Normal DNS traffic uses the UDP protocol, which is faster and less resource-hungry than TCP. Normal DNS UDP packets are also quite small, under 512 bytes.

Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it’s probably broken or malicious. Signed DNSSEC packets are quite a lot bigger that 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.

Keith Mitchell, head of engineering at root server operator Internet Systems Consortium, said his biggest fear is for large enterprises with sprawling networks.

“There are a lot of firewalls and other middleware boxes out there that make the assumption that there are only small UDP packets,” he said. “Several times a month we receive reports of problems like this.”

Sometimes these devices will failover to TCP, which drains bandwidth and hardware resources because it uses handshaking to set up connections.

Mitchell said he’s also concerned about ISPs that rewrite DNS answers as they pass across their networks. Some ISPs do this to redirect their customers to cash-making search pages when they’re trying to find a non-existent website. In China, ISPs use the same method to censor websites.

“They’re doing a lot of fiddling along the way and it’s by no means clear to me that the fiddling is aware of DNSSEC,” he said.

The solution to the problem is Extension Mechanisms for DNS, EDNS0, a decade-old IETF standard that is not yet universally implemented. Mitchell said ISPs and enterprises need to ensure that their gear can handle EDNS0 to avoid problems with the transition.

You can test whether your current DNS resolver is capable of handling DNSSEC, by following the instructions at DNS-OARC or running a Java app that can be downloaded from RIPE.

Home users using residential hubs should not panic if these tests return scary results. According to Mitchell, it currently only matters that the ISP supports DNSSEC. A dodgy Netgear box is not enough to kill your internet… cross fingers.

Source