www.dc.org
Open in
urlscan Pro
2001:470:8165:1::12e1
Public Scan
URL:
https://www.dc.org/
Submission: On July 18 via api from US — Scanned from DE
Submission: On July 18 via api from US — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
Menu Home About Contact About Department C Incorporated (DCI) is an engineering research and development company with over 4 decades of engineering, business, and policy experience in the networking and Internet arena. It develops innovative networking products, solutions, and intellectual property. Expertise includes WiFi, embedded systems, IoT, NFC Tags, PKI, secure email, HSM design, protocols: LDAP, TCP/IP, DNS, IPX, Q.921/931, H.323, X.509, DECNET, X.25, UUCP, MEP2, BiSync, SNA/SDLC. DNSSEC, NAT iy3xk ftc9ky lscsucks * * * * * * * Accelerated Test Root for Root KSK Rollover * . Copyright © 2021-2023 Department C Incorporated (Formerly ZX Communications Inc) TODAY'S SPOTLIGHT: DNSSEC - The Key to Zero Trust Architectures (ZTNA) DNSSEC - THE KEY TO ZERO TRUST ARCHITECTURES (ZTNA)(..AND IOT SECURITY) 1 Oct 2021 "Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets..." (From NIST SP 800-207 [1]). Zero trust architecture (ZTA) requires authentication and authorization for all such assets (also from [1]). The one common infrastructure that all these devices and assets connect to is the DNS. This makes DNS secured with DNSSEC the perfect source for the enterprise owned and controlled key material used to authenticate and authorize all cloud-based assets and BYODs or be the basis for them. Existing DNSSEC examples include secure email (server and end-to-end), remote access (e.g., SSH), in addition to protecting application data communicated via the DNS (e.g., MX, SPF, DKIM, DMARC, outlook server configs, asset identification, ownership proof, web sites). DNSSEC is mature and globally well established and ensures no one can modify data secured by it, not even a compromised cloud-based asset. DNS security is key in zero trust architecture 4 OCT 2021 EXAMPLE: LESSONS LEARNED FROM THE 4 OCT 2021 FACEBOOK BGP/DNS CATASTROPHE * All of facebook.com's nameservers are behind the same ASN AS32934 (see below). This is contrary to old, well established best practices for hosting a domain name which say nameservers should be distributed across disparate networks in addition to the ones you control. (The contact email should also not rely on the network and/or domain name it is supporting. So "domain@fb.com" as shown in the whois record is also a bad choice. How can I contact you to tell you your net is down?) * What could possibly be the reason for an organization as large and profitable as this to not follow best practice? Security and lack of trust in other parties providing, in this case secondary DNS service, might be a valid reason. But having even one of their nameservers hosted elsewhere would have avoided the 7 hour worldwide catastrophe. * If facebook would have had DNSSEC, they could have had their DNS information widely distributed AND protected across multiple ASN's and operators. The application of DNSSEC here is a perfect example of Zero Trust Architecture and its principles. DNS and WHOIS records $ dig ns facebook.com ; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> ns facebook.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64638 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1480 ;; QUESTION SECTION: ;facebook.com. IN NS ;; ANSWER SECTION: facebook.com. 166114 IN NS a.ns.facebook.com. facebook.com. 166114 IN NS b.ns.facebook.com. facebook.com. 166114 IN NS c.ns.facebook.com. facebook.com. 166114 IN NS d.ns.facebook.com. ;; ADDITIONAL SECTION: a.ns.facebook.com. 166114 IN AAAA 2a03:2880:f0fc:c:face:b00c:0:35 a.ns.facebook.com. 166114 IN A 129.134.30.12 (AS32934) b.ns.facebook.com. 166114 IN AAAA 2a03:2880:f0fd:c:face:b00c:0:35 b.ns.facebook.com. 166114 IN A 129.134.31.12 c.ns.facebook.com. 166114 IN AAAA 2a03:2880:f1fc:c:face:b00c:0:35 c.ns.facebook.com. 166114 IN A 185.89.218.12 (AS32934) d.ns.facebook.com. 166114 IN AAAA 2a03:2880:f1fd:c:face:b00c:0:35 d.ns.facebook.com. 166114 IN A 185.89.219.12 $ whois facebook.com Updated Date: 2021-09-22T19:33:41Z Creation Date: 1997-03-29T05:00:00Z Registrar Registration Expiration Date: 2030-03-30T04:00:00Z Registrar: RegistrarSafe, LLC Registrar IANA ID: 3237 Registrar Abuse Contact Email: abusecomplaints@registrarsafe.com Registrar Abuse Contact Phone: +1.6503087004 Domain Status: clientDeleteProhibited https://www.icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://www.icann.org/epp#clientUpdateProhibited Domain Status: serverDeleteProhibited https://www.icann.org/epp#serverDeleteProhibited Domain Status: serverTransferProhibited https://www.icann.org/epp#serverTransferProhibited Domain Status: serverUpdateProhibited https://www.icann.org/epp#serverUpdateProhibited Registry Registrant ID: Registrant Name: Domain Admin Registrant Organization: Facebook, Inc. Registrant Street: 1601 Willow Rd Registrant City: Menlo Park Registrant State/Province: CA Registrant Postal Code: 94025 Registrant Country: US Registrant Phone: +1.6505434800 Registrant Phone Ext: Registrant Fax: +1.6505434800 Registrant Fax Ext: Registrant Email: domain@fb.com Registry Admin ID: Admin Name: Domain Admin Admin Organization: Facebook, Inc. Admin Street: 1601 Willow Rd Admin City: Menlo Park Admin State/Province: CA Admin Postal Code: 94025 Admin Country: US Admin Phone: +1.6505434800 Admin Phone Ext: Admin Fax: +1.6505434800 Admin Fax Ext: Admin Email: domain@fb.com Registry Tech ID: Tech Name: Domain Admin Tech Organization: Facebook, Inc. Tech Street: 1601 Willow Rd Tech City: Menlo Park Tech State/Province: CA Tech Postal Code: 94025 Tech Country: US Tech Phone: +1.6505434800 Tech Phone Ext: Tech Fax: +1.6505434800 Tech Fax Ext: Tech Email: domain@fb.com Name Server: C.NS.FACEBOOK.COM Name Server: B.NS.FACEBOOK.COM Name Server: A.NS.FACEBOOK.COM Name Server: D.NS.FACEBOOK.COM DNSSEC: unsigned [1] NIST SP 800-207 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf -------------------------------------------------------------------------------- Copyright © 2021-2022 Department C Incorporated.