CATEGORY: Security

Full IPv6 Support here at Name.com

There are a lot of doomsday predictions out there about IPv4 addresses running out soon (there is even a countdown page, iPhone app, etc.). Whether they are true or not (there are ways to delay the inevitable using NAT etc.), we at Name.com know IPv6 is the future. We always strive to be on the cutting edge of the domain registration world, so we are announcing full IPv6 support across both our domain registration platform and our DNS platform. What does that mean? It means if you want to support IPv6 on your network, and you are a customer of ours, we have you all covered. 🙂 You can submit IPv6 glue records to the registries, and if you host your domain on our DNS platform, we can support networks that use IPv6 for querying DNS. What does it mean for the geeks in the house? Well, read below to get some more in-depth details.

What is IPv6

Here is the Wikipedia page about IPv6. Basically it’s the next generation IP addressing technology that provides a MUCH larger address space (2^128 addresses, to be exact). Unfortunately, a host/network has to specifically support IPv6 to receive traffic, and so some key systems (like the DNS) have to specifically support IPv6 for two IPv6-enabled networks to use it. The nice thing is IPv4 and IPv6 traffic can ride over the same network, so there is no need to rip out the existing Intertubes; hardware just needs to support it (most newer computers, wireless routers etc. already do). There are three ways a network can support IPv6 so that two hosts can communicate:

1. Not at all/IPv4 only: The network can only send traffic over IPv4.
2. Split IPv4/IPv6: If a source host wants to send traffic to a destination host, and both hosts support IPv6, the traffic is sent over IPv6. If only one or none of the two hosts support IPv6, the traffic must be sent over IPv4.
3. IPv6 only (VERY RARE): The two hosts only support IPv6.

Domain Registration/Glue Record Support

To support #2 above, the DNS has a special record type called a quad-A record (AAAA). It provides the IPv6 address of a hostname (similar to how an “A” record gives the IPv4 address for a hostname). An example:

Here is the IPv4 address for ns1.name.com

$ dig ns1.name.com a
ns1.name.com. 172800 IN A 173.192.28.4

Here is the IPv6 address for ns1.name.com

$ dig ns1.name.com aaaa
ns1.name.com. 172800 IN AAAA 2607:f0d0:1002:95::2

You can see the same hostname has two different IP addresses. What generally happens is a host that is enabled for IPv6 and IPv4 that wants to communicate with another host will first look up its AAAA record to see if the destination host also supports IPv6. If there is no answer for the AAAA record (meaning the destination host doesn’t want to or can’t speak IPv6), the sending host then looks up the A record and sends the traffic over normal IPv4.

Name.com now allows a domain registered on our platform to submit IPv6 glue records to the various registries. This means if a customer hosts their own DNS, and their DNS servers support IPv6, they can submit those glue record entries to the registry.
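The AAAA-then-A lookup order and a sanity check on glue records before they are submitted, as an added example that is not Name.com's code. The function names (`parse_answers`, `check_glue`, `pick_address`) are hypothetical, and the rule that a glue address must be globally routable is an assumption of this example, not a stated registry policy.

```python
import ipaddress

# Answer lines copied from the dig output shown above.
DIG_ANSWERS = """\
ns1.name.com. 172800 IN A 173.192.28.4
ns1.name.com. 172800 IN AAAA 2607:f0d0:1002:95::2
"""

FAMILY = {"A": 4, "AAAA": 6}  # record type -> IP version its rdata must have


def parse_answers(text):
    """Parse 'name ttl class type rdata' lines into (name, type, address) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or fields[3] not in FAMILY:
            continue  # skip anything that is not an A/AAAA answer line
        name, _ttl, _cls, rtype, rdata = fields
        records.append((name.lower().rstrip("."), rtype, rdata))
    return records


def check_glue(rtype, rdata):
    """Return the problems found in one glue record; an empty list means it passes."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return [f"{rdata!r} is not an IP address"]
    problems = []
    if addr.version != FAMILY[rtype]:
        problems.append(f"{rtype} record holds an IPv{addr.version} address")
    if not addr.is_global:  # assumption: loopback, link-local, private are rejected
        problems.append(f"{addr} is not globally routable")
    return problems


def pick_address(records, host, client_has_ipv6):
    """Dual-stack order from the text: try AAAA first, fall back to A."""
    host = host.lower().rstrip(".")
    by_type = {t: a for n, t, a in records if n == host and not check_glue(t, a)}
    if client_has_ipv6 and "AAAA" in by_type:
        return by_type["AAAA"]
    return by_type.get("A")  # None when the host has no usable record
```

A record that fails `check_glue` is ignored by `pick_address`, so a malformed AAAA entry degrades to IPv4 instead of producing an unreachable address.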

DNS Platform

If a customer hosts their DNS on our platform, previously they could not support a recursive DNS server asking for the DNS information for their domain over IPv6 (remember recursive DNS servers ask the questions, authoritative DNS servers answer those questions – read more here at Wikipedia about DNS). We now fully support IPv6 transport to both ns1 and ns3.name.com, so if an end user of one of our customer domains is on an IPv6-only or IPv4/IPv6 combo network, that network can get the customer’s DNS information over IPv6.

Are that many people using IPv6?

Not a ton – BUT usage is growing steadily, and like other things (DNSSEC for example – a post will be coming shortly about this) – eventually a critical mass will be reached and a registrar MUST support it at that time. We just want to be ahead of the curve. 🙂

Why did we do this?

Because we want to be the coolest and most innovative registrar on the planet. Cheers!

Name.com Launches New Level of Account Security

Domain name hijacking has been an issue for almost as long as domain names have been around. In 1995 sex.com was stolen from its registrant in a very high-profile case. It was still happening in 2001. In 2003. 2008 was a rough year for GoDaddy – they were hit hard twice, in February and again in November and December.

The December incident, arguably one of the most troubling domain thefts in history, made us realize how lacking domain registrars have been in dealing with account security.

But a domain name doesn’t have to be stolen to be problematic. USA Today addressed cyber criminal attacks being on the rise today and highlighted the recent CheckFree.com fiasco:

In another recent attack, someone acquired the user name and password for a system administrator at CheckFree.com, the nation’s largest e-bill payment system. Using those log-in credentials, an intruder gained access to CheckFree’s domain name service account – an account that permits the administrator to redirect traffic trying to access CheckFree’s home page to other legitimate company pages.

For several hours, the intruder redirected anyone typing www.mycheckfree.com to a Web server in the Ukraine that tried to install a password-stealing Trojan. Although as many as 160,000 customers may have been affected, none had any of his or her data stolen, says Lori Stafford-Thomas, a spokeswoman for Fiserv, the parent company of CheckFree. “CheckFree sites are all up and running properly and securely,” she says.

But the attempt was a sign of things to come, says Amit Klein, CTO of security firm Trusteer.

“The moral of this attack is that it’s so easy to take over your (website),” Klein says. “I just need to get ahold of your user name and password once. And we all know how easy it is to get your credentials.”

Name.com has long offered some of the industry’s best tools to keep entire accounts safe, with login tracking/emails, history and IP restrictions. We’ve demonstrated once again why registrants trust us with their valuable digital assets by partnering with Verisign to offer their VIP (Verisign Identity Protection) service, branded under NameSafe.

The NameSafe service offers two-factor authentication, combining something you know (your username and password) with something only you have access to (your one-time randomly generated password) to create a more secure registrar experience. Currently both keyfob and credit card form factors are available for a nominal fee, and soon mobile phone options will be available for even greater convenience.