KAMINSKYBUG.SE presented by .se and dnssec.se

We can help you tame Kaminsky

Solving the problem of the Kaminsky bug takes a number of steps. The most urgent and fundamental measure is to upgrade the software of the name server that carries out DNS lookups. But in order to solve the problem completely and in the long term, DNSSEC must be used both by the name server that sends out DNS queries and the name servers on the Internet that answer these queries.

Upgrade your software

If you have tested your computer here and the result indicates that it is not Kaminsky safe, you should make sure that the name server software that performs your DNS queries (the so-called recursive resolver) is upgraded to a secure version. Consult your system administrator, who in turn can contact the operating system or software supplier to get hold of upgrades.

The following links lead to more information concerning the upgrades for some of the most common software utilities:

BIND
Cisco
Microsoft

Use DNSSEC in your name server

Although upgrading will mitigate the immediate threat to your computer, the only way to avoid Kaminsky attacks in the long run is to use DNSSEC. If your name server uses DNSSEC, it can use digital signatures to verify that the answers to DNS queries really come from the correct source. At iis.se there are more detailed instructions on how to get your recursive resolver to start using DNSSEC for the .se zone.
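One way to check from a client whether a recursive resolver is validating DNSSEC, shown as an added example that is not code from this site: it sends a query with the EDNS0 "DNSSEC OK" (DO) bit and reads the "Authentic Data" (AD) flag in the reply. The function names and the constructed offline replies are assumptions of this example, and the queried name must be in a signed zone for AD to be set.

```python
import secrets
import socket
import struct

DO_BIT = 0x8000  # EDNS0 "DNSSEC OK" flag, carried in the OPT record's TTL field
AD_BIT = 0x0020  # "Authentic Data" header flag set by a validating resolver

def build_query(name, qtype=1, txid=None):
    """DNS query for `name` (qtype 1 = A) with an OPT record that sets DO."""
    txid = secrets.randbits(16) if txid is None else txid  # unpredictable ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 OPT
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_BIT, 0)  # root, OPT, bufsize, flags, rdlen
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def classify(query, response):
    """Label a reply: validated, not-validated, servfail, error, truncated, mismatch."""
    if len(response) < 12:
        return "mismatch"
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, flags = struct.unpack("!HH", response[:4])
    if r_id != q_id or not flags & 0x8000:  # wrong ID or not a response
        return "mismatch"
    if flags & 0x0200:                      # TC set: repeat the query over TCP
        return "truncated"
    rcode = flags & 0x000F
    if rcode == 2:                          # SERVFAIL: also what a validating resolver
        return "servfail"                   # returns when signature checks fail
    if rcode != 0:
        return "error"
    return "validated" if flags & AD_BIT else "not-validated"

def ask(resolver_ip, name, timeout=3.0):
    """Send the query over UDP to a resolver whose address the caller supplies."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        return classify(query, s.recvfrom(4096)[0])

def fake_reply(query, flags):
    """Constructed reply for offline use: the query with its flags word replaced."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("iis.se")
    print(classify(q, fake_reply(q, 0x81A0)))  # QR|RD|RA|AD
    print(classify(q, fake_reply(q, 0x8180)))  # QR|RD|RA, AD clear
```

The AD flag is only as trustworthy as the network path between the client and the resolver, so run the check against a resolver reached over a trusted link.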

Use DNSSEC signatures for your domain

If DNSSEC is going to successfully secure the Internet in the long term against the threat to the domain name system that the Kaminsky bug entails, domain owners must also use DNSSEC signatures for their domains. This is especially important when it comes to domains with large numbers of visitors handling sensitive information.

If you have tested your .se domain on this website and the result showed that it is not Kaminsky safe, we strongly recommend that you start using DNSSEC signatures for it. You then have to turn to one of .SE’s registrars that offer this supplementary service. You will find an up-to-date list of these registrars at iis.se.
